VP, Security (CISO)

The Role

Carrot is a high-growth tech-enabled health benefits company that has scaled rapidly. We have developed the Carrot Application to support our members through their fertility and family-building journeys. We have established ourselves as a leader in our space in security and compliance, achieving milestones such as SOC 2 Type II, HIPAA, HITRUST, and PCI-DSS compliance.

As VP of Security (CISO), you will be entrusted with taking our Security function to the next stage of maturity and helping us reach our goal of a successful exit event such as IPO. You will be critical in ensuring the security and privacy of the highly sensitive data of our members related to their fertility and family-building journeys. As our members reside across the globe, you will make sure we’re fully adhering to international laws and frameworks around privacy and data governance.

Responsibilities

• Oversee all the areas of Security at Carrot, including Corporate Security such as GRC, Incident Management, and Security Awareness, as well as Product Security such as Application Security, Infrastructure Security, and SDLC
• Implement and execute a comprehensive Security strategy for our organization, leveraging a robust maturity model such as C2M2 to prioritize strategic initiatives
• Directly collaborate with the executive leadership team, especially the CTO, CLO, and CIO, to align on and drive top-level business objectives, priorities, and requirements related to Security
• Be accountable to delivering the strategic initiatives that you prioritize for the Security organization
• Assess the Security needs at Carrot on an ongoing basis and be able to effectively grow the Security team as Carrot scales and matures
• Manage and coach a team of highly motivated and effective security professionals
• Collaborate with the Engineering organization, especially the Internal Platform team, to level up our Security Engineering practice at Carrot, making sure we go above and beyond compliance, and ensure we are prioritizing crucial changes to our systems related to Security
• Prioritizing internal risk assessments related to Application Security, Cloud Security, and Cyber Security as a whole at Carrot. You will use this assessment to prioritize technical changes and safeguards to the Carrot application, and our other internal systems
• Carrot operates as a primarily remote and distributed company while also maintaining physical offices. As such, you will be expected to tailor your security recommendations to align with industry standards for both remote-first and in-office work environments.
• Security is currently a small and mighty team at Carrot — you should be ready to take an active role in all Security functions while using sound judgment to strike the right balance between hands-on execution and strategic delegation

Minimum Qualifications

• Bachelor’s degree in a relevant field (e.g. Computer Science, Software Engineering, or  Information Technology)
• Minimum of 10+ years of Information Technology experience, including 5+ years of experience with Information Security
• CISSP, CISM, or other relevant security certification required
• Senior leadership experience overseeing the Security function of a late stage startup or public company
• Exceptional communication abilities, enabling effective collaboration with the executive leadership team to prioritize practical and secure solutions for strategic initiatives
• Experience and great confidence in engaging with strategic customers in the sales process, emphasizing Carrot’s high standard of security and working to understand their needs and requirements
• Deep experience in the healthcare industry, and great understanding of global data protection and privacy frameworks designed to protect health data such as HIPAA, GDPR, and CCPA/CPRA
• Experience overseeing implementation and ongoing compliance of enterprise security frameworks, including SOC 2 Type II, HITRUST, PCI DSS, and ISO 27001
• Experience with and understanding of application security frameworks and best practices, including NIST CSF and OWASP
• Great understanding of and experience with application security, network security, and cloud hosting providers such as AWS and Azure
• Experience running or overseeing Security initiatives and programs such as Incident Response, Risk Management, Data Privacy, Audits, Security Operations, Vulnerability Management, Penetration Testing, Security Awareness Training, Phishing Awareness Campaigns, and Bug Bounties
• Experience in budget management and resource allocation

Preferred Qualifications

• Experience leading a Security function through a company exit event such as an M&A or IPO
• Some experience at an early-stage startup, demonstrating experience moving quickly and pragmatically while ensuring the security of our members and our employees

Compensation: 

Carrot offers a holistic Total Rewards package designed to support our employees in all aspects of their life inside and outside of work, including health and wellness benefits, retirement savings plans, short- and long-term incentives, parental leave, family-forming assistance, and a competitive compensation package. The starting base salary for this position will range from $200,000.00 - $225,000.00. Actual compensation may vary from posted base salary depending on your confirmed job-related skills and experience.

Fraud and Security Notice: Please note that all communication regarding job opportunities at Carrot will come exclusively from an @get-carrot.com email address. If you receive messages from any other domain, please disregard them and report the incident to: securityreporting@get-carrot.com