Mcghealth

Associate Director, Information Security & Compliance

Seattle Full Time

At MCG, we lead the healthcare community to deliver patient-focused care. We have a mission-driven team of talented physicians and technical experts developing our evidence-based content and innovating our products to accelerate improvements in healthcare. If you are driven to enhance the US healthcare system, MCG is eager to have you join our team. We cultivate a work environment that nurtures personal and professional growth, and this is a thrilling time to become a part of our organization. With dynamic roles that offer meaningful impact, you'll be able to fully realize your potential. Plus, you'll enjoy world-class benefits and the security, stability, and resources of our parent company, Hearst, with over 100 years of experience.

The Associate Director, Information Security & Compliance is a security engineering leader who enables our teams to ship quickly and safely and ensures the integrity of our deployed products. You will build paved roads and guardrails – codified as Infrastructure as Code (IaC), Policy as Code, and automated controls – so MCG’s SaaS products meet HIPAA/HITRUST while improving developer velocity. Partnering with Product, Engineering, and IT, you’ll integrate security into CI/CD, automate audit evidence, and turn security into an accelerator for frequent, reliable releases.

You Will:   

Build secure-by-default platforms
  • Define and own “paved roads” (golden paths) for service creation, deployment, and runtime with embedded controls
  • Express controls as code: IaC (Terraform), Policy-as-Code (Rego, Azure Policy as Code), Compliance-as-Code (automated evidence collection)

Embed security in the software lifecycle
  • Partner with engineering to shift left via CI/CD: SAST, SCA, container scanning, IaC scanning, DAST, SBOM, break-glass processes with audit trails
  • Integrate lightweight threat modeling into backlog/PRs; maintain secure coding standards and reference implementations

Automate compliance & audit readiness
  • Maintain HIPAA & HITRUST through continuous controls monitoring and automated evidence pipelines; reduce manual audit work with repeatable proofs
  • Create and maintain relevant documentation to support FedRAMP certification efforts

Harden cloud & runtime
  • Own CSPM/CNAPP baselines, least-privilege IAM access, network isolation, KMS/secret stores, container hardening, supply-chain security

Operational resilience
  • Define risk-based vulnerability SLAs by asset criticality; drive time to patch with automation and safe rollout patterns
  • Lead incident response readiness: playbooks, tabletop exercises, automated detections, and post-incident learning loops

AI & Data Protections
  • Govern data use and model safety for AI features (prompt/response logging controls, PII/PHI handling, third-party risk reviews) without slowing delivery

Partnership & Leadership
  • Coach engineers; measure and report outcomes (DORA + security KPIs). Foster a blameless, data-driven culture where secure choices are the easiest choices

What We're Looking For: 

  • Bachelor’s degree in Information Security, Computer Science, or related field required. 
  • 6+ years of experience in product/application security, compliance, or risk management for SaaS. 
  • 2+ years of team or functional leadership experience required. 
  • Demonstrated success enabling frequent deployments in regulated environments (HIPAA/HITRUST/FedRAMP) and proven experience with HIPAA and HITRUST controls required.
  • Practical experience integrating security into CI/CD and operating SAST/SCA/DAST and container/IaC scanners.
  • Excellent judgment, communication, and stakeholder management. 
  • Proven collaborator with Product/Engineering/IT with a track record of delivering automation.

Licensure/Certifications/Registrations/Permits:   

  • Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or equivalent certification required.

Preferred Qualifications:  

  • Demonstrated ability to earn and maintain customer trust preferred. 
  • Experience with Policy as Code (OPA/Conftest/Sentinel) and compliance/automation pipelines preferred. 
  • Familiarity with SBOM/signing,  
  • FedRAMP (Medium) compliance experience preferred. 

This role prioritizes Seattle based talent with the expectation to come into the Seattle office on a monthly basis.

Pay Range: $162,200 - $227,000

Other compensation: Bonus Eligible

Perks & Benefits:

💻 Hybrid work

🩺 Medical, dental, vision, life, and disability insurance

📈 401K retirement plan; flexible spending and health savings account

🏝️ 15 days of paid time off + additional front-loaded personal days

🏖️ 14 company-recognized holidays + paid volunteer days

👶 Up to 8 weeks of paid parental leave + 10 weeks of paid bonding leave

🌈 LGBTQ+ Health Services

🐶 Pet insurance 

📣 Check out more of our benefits here: https://www.mcg.com/about/careers/benefits/

We embrace diversity and equal opportunity and are committed to building a team that represents a variety of backgrounds, perspectives, and skills. Only with diverse thoughts and ideas will we be able to create the change we want in healthcare. The more inclusive we are, the better our work will be for it.

All roles at MCG are expected to engage in occasional travel to participate in team or company-sponsored events for the purposes of connection and collaboration. 

It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.

MCG is a leading healthcare organization dedicated to patient-focused care. We value our employees' unique differences and are an Equal Employment Opportunity (EEO) employer. Our diverse workforce helps us achieve our goal of providing the right care to everyone. We welcome all qualified applicants without regard to race, religion, nationality, gender, sexual orientation, gender identity, age, marital status, veteran status, disability, pregnancy, parental status, genetic information, or political affiliation. We are committed to improving equity in healthcare and believe that a diverse workplace fosters curiosity, innovation, and business success. We are happy to provide accommodations for individuals. Please let us know if you require any support.