Director, GRC & Data Protection
Phreesia
Job Description:
This role is open to candidates based in Canada and in the United States only. Candidates must be located in the Eastern or Central Time zones (ET/CT).
Phreesia is looking for a Director, GRC & Data Protection to serve as the CISO’s operating partner and lead our GRC and data security programs in a highly product-driven, SaaS environment.
This role is ideal for a deeply technical security leader who can move comfortably between audit rooms, architecture reviews, and executive updates—someone who can both design controls and roll up their sleeves to implement them.
The Director, GRC & Data Protection will have overall responsibility and ownership for the design and implementation of Phreesia’s security governance, risk, compliance, and data protection architecture and associated strategy. A key objective of this role is to drive simplification, standardization, and security maturity across our products, platforms, and data environments, while enabling Phreesia’s continued growth.
This individual’s primary responsibilities include leading, designing, and operationalizing security controls and processes across multiple regulatory and industry frameworks—such as PCI DSS (Level 1 service provider), HITRUST CSF, SOC 2, SOX ITGC, HIPAA, and NIST CSF—into a coherent, risk-based program.
The Director, GRC & Data Protection will function as a key contributor to our target-state enterprise and data architectures, ensuring that data security requirements are considered early in the design of new products, platforms, and integrations. This includes informing architecture decisions for cloud services, data platforms, and SaaS applications, with a particular focus on protecting sensitive healthcare and payment data in line with evolving regulatory and customer expectations.
This position will be responsible for collaborating with the Legal/Privacy, Product & Engineering, and Phreesia leadership on emerging challenges and opportunities. The Director, GRC & Data Protection will stay current on evolving regulations, security standards, and best practices in domains such as PCI DSS 4.0, HITRUST, SOC 2, and healthcare privacy/security, ensuring Phreesia’s governance program anticipates rather than reacts to changes. They will establish and maintain the governance processes, risk registers, and decision forums that guide business leaders toward informed, risk-aware choices about platforms, data usage, and third-party services.
Success in this role requires strong teamwork with our CISO, Legal, Privacy, enterprise architects, Security Engineering, IT, and Product & Engineering leadership. The Deputy CISO will help these teams understand how governance and data security requirements translate into practical, engineering-grade controls and will ensure that control designs, evidence strategies, and remediation plans are both technically sound and auditable.
Candidates for this role must be comfortable leading through both direct management and influence in a highly matrixed environment. You will lead GRC and data-security-focused personnel directly, while also driving outcomes through collaboration with engineering managers, product leaders, infrastructure teams, and internal/external audit stakeholders. This individual has hands-on experience designing, implementing, and communicating controls in restricted and regulated data environments, such as healthcare and payments, and is comfortable working across multiple frameworks and attestations simultaneously (PCI DSS, HITRUST, SOC 2, SOX ITGC, HIPAA/NIST).
The ideal candidate will demonstrate strong analytical skills, interpersonal communication skills, and program management capabilities: able to interpret complex requirements, design practical controls, oversee implementation and testing, and present clear risk and status updates to senior executives and boards. They should be equally comfortable discussing data encryption and segmentation with engineers, explaining audit findings, and walking a customer’s security team through Phreesia’s control environment.
Job Responsibilities
What you’ll do
Lead and mature our governance, risk, and compliance program, aligned to NIST CSF 2.0 and our enterprise risk framework.
Own overall strategy and execution for data security (encryption, backups, DSPM, data lifecycle controls) in close partnership with Product, Engineering, and Infrastructure.
Serve as the primary infosec leader for PCI DSS Level 1, HITRUST, SOC 2, and SOX ITGC coordination, ensuring evidence (including penetration testing), narratives, and controls are consistent and efficient.
Partner with product and engineering teams to embed security into software development lifecycles, roadmap planning, and quarterly business reviews.
Govern & guide Third Party Risk Management (TPRM) objectives.
Act as a matrixed leader, influencing teams you don’t directly manage while providing clear, actionable guidance to executives, developers, and staff.
Function as backup to the CISO for key decisions, stakeholders, and external meetings with customers, auditors, and regulators.
Qualifications
Education
Bachelor's Degree required, advanced degree preferred
Certifications
CISSP, CISM, CISA, CRISC, PCI ISA/QSA, or similar preferred
Experience, Knowledge & Skills
Experience in healthcare, health IT, payments, or other highly regulated data environments where PCI, HITRUST, SOX, and SOC 2 interact.
Prior role as Head of GRC, or Security & Compliance lead for a Level 1 service provider or HITRUST-certified organization.
12+ years in information security, with 7+ years in leadership roles across at least two of: GRC, data security, security architecture/engineering, or security assurance.
Significant experience in a product-driven, software development company (e.g., SaaS, cloud platform, or software publisher), working closely with Product Management and Engineering organizations.
Deep, hands-on experience leading multiple full cycles of all of the following in a cloud/SaaS or otherwise regulated environment:
PCI DSS Level 1 service provider RoC with a QSA (scoping, control design, evidence strategy, remediation management).
HITRUST CSF readiness and certification/validated assessment.
SOX ITGC engagement in a consultative/coordination capacity with Finance/Internal Audit (not necessarily full program ownership).
SOC 2 Type II audits against the Trust Services Criteria.
Strong technical fluency in:
Data security architectures (encryption at rest/in transit, tokenization, KMS/HSM, DLP, logging/monitoring).
Cloud and SaaS security concepts relevant to PCI/HITRUST/SOC 2 environments.
Demonstrated ability to design and evaluate controls, not just document them, and to work directly with engineers on implementation details.
Exceptional written and verbal communication skills, including direct experience presenting to senior executives and boards on security posture, risk, and audit outcomes.
Proven effectiveness in a highly matrixed organization, influencing cross-functional stakeholders and resolving conflicting priorities.
Who We Are:
At Phreesia, we’re looking for smart and passionate people to help drive our mission of creating a better, more engaging healthcare experience. We’re committed to helping healthcare organizations succeed in an ever-evolving landscape by transforming the way healthcare is delivered. Our SaaS platform digitizes appointment check-in and offers tools to engage patients, improve efficiency, optimize staffing, and enhance clinical care.
Phreesia cares about our employees by providing a diverse and dynamic work environment. We’re a five-time winner of Modern Healthcare Magazine’s Best Places to Work in Healthcare award and we’ve been recognized on the Bloomberg Gender Equality Index. We are dedicated to continuously improving our employee experience by launching new programs and initiatives. If you thrive in a culture of recognition, value inclusivity, professional development, and growth opportunities, Phreesia could be a great fit!
Top-rated Employee Benefits:
100% Remote work + home office expense reimbursements
Competitive compensation
Flexible PTO + 8 company holidays
Monthly reimbursement for cell phone + internet + wellness
100% Paid 12-week parental leave to our U.S. employees, as well as a generous parental benefit to our employees in Canada
Variety of insurance coverage for people (and pets!)
Continuing education and professional certification reimbursement
Opportunity to join an Employee Resource Group. Learn more here: https://www.phreesia.com/workforce/
We strive to provide a diverse and inclusive environment and are an equal opportunity employer.