Senior Manager, Security Governance, Risk, and Compliance

Hi, we're Oscar. We're hiring a Senior Manager, Security Governance, Risk, and Compliance to join our Security team.

About the role

In this role, you will be responsible for leading and managing a cross-functional team charged with the development and maintenance of Oscar’s Information Security policies, cybersecurity risk management, and compliance efforts in a highly regulated industry. You will identify opportunities to automate processes critical to meeting and exceeding Oscar’s compliance obligations to our regulators across a variety of frameworks. The GRC team works across a wide variety of stakeholders across the Oscar organization, and serves as an interpreter of technical controls for those various teams to identify effective means of implementing and demonstrating compliance.  You will be involved in shaping and driving Oscar’s GRC strategies through proactive measures and continuous improvement, and a demonstrated curiosity on continuously evolving our approaches. 

You will report into the Chief Information Security Officer. 

Work Location:

Oscar is a blended work culture where everyone, regardless of work type or location, feels connected to their teammates, our culture and our mission. 

If you live within commutable distance to our New York City office (in Hudson Square), our Tempe office (off the 101 at University Dr), or our Los Angeles office (in Marina Del Rey), you will be expected to come into the office at least two days each week. Otherwise, this is a remote / work-from-home role.  

You must reside in one of the following states: Alabama, Arizona, California, Colorado, Connecticut, Florida, Georgia, Illinois, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, or Washington, D.C. Note, this list of states is subject to change. #LI-Remote

Pay Transparency:

The base pay for this role is: $158,400 - $207,900 per year. You are also eligible for employee benefits, participation in Oscar’s unlimited vacation program, company equity grants, and annual performance bonuses.

Responsibilities

• Lead a team of cross-functional Governance, Risk, and Compliance (GRC) experts including guiding, mentoring and coaching the team
• Develop medium and long term strategies to improve the effectiveness and efficiency of the GRC program
• Lead collaboration across engineering and governance functions to ensure common awareness and understanding of the what and why of various GRC requirements
• Act as the primary liaison between other risk management and compliance teams at Oscar and interpret their needs of the cybersecurity program
• Lead compliance efforts providing guidance and technical expertise in relation to the cybersecurity requirements related to SOX (Sarbanes-Oxley), MAR (Market Abuse Regulation), PCI (Payment Card Industry Data Security Standard), CMS EDE (Centers for Medicare & Medicaid Services Enhanced Direct Enrollment), HIPAA (Health Insurance Portability and Accountability Act), NYDFS (New York Department of Financial Services), SOC2, HITRUST, and other relevant security and regulatory frameworks
• Manage and lead maturity assessments against cybersecurity requirements and Oscar’s current control inventory to identify areas of deficiency and potential GAPs to achieve certification or to successfully complete the audit cycle
• Manage the team responsible for Oscar’s Security inventory for audit artifacts to ensure continuity in audits and efficient response to client and regulator requests. Manage and coordinate periodic assessments, audits, and reviews to assess compliance with regulatory requirements with a focus on Cybersecurity controls and artifacts. 
• Stay up to date on the latest cybersecurity regulations, policy and news to ensure Oscar’s security program documents upcoming requirements and areas in which enhancements to process are required for alignment with the standard.
• Design, develop, and manage third-party risk management processes, including vendor assessments, due diligence, and ongoing monitoring to identify inherent and residual cybersecurity risks for tracking, monitoring and corrective action planning.
• Manage and lead the development and maintenance of cybersecurity governance, risk, and compliance policies, procedures, and standards in alignment with industry best practices and regulatory requirements with the ability to discern Oscar’s technical operations to align with the requirements dictated in policy in an effort to flag areas of deficiency or areas which require enhancement to align with current operating practices.
• Create and deliver cybersecurity training programs and awareness campaigns to educate employees and stakeholders about relevant topics and concepts related to key cybersecurity risks (i.e. Insider Threats, Data Handling and Phishing).
• Compliance with all applicable laws and regulations
• Other duties as assigned

Qualifications

• Bachelor's degree or years of equivalent experience
• 5+ years of experience related to risk management
• 4+ years of experience related to project management
• Experience developing GRC programs  in a cloud and SaaS environment.

Bonus Points

• Prior work experience in or understanding of security challenges specific to the healthcare or health insurance industries
• Prior experience managing individual contributors.