Security & Compliance Lead

Operations

Full-time

Hybrid

We’re looking for a hands-on security program operator to own GRC end-to-end. Drive SOC 2 Type II, HIPAA, and pragmatic governance as Ritten scales.

About Ritten

Ritten is building the next generation of Electronic Health Records (EHR) and practice management tools for Behavioral Health providers. We empower clinicians and admin teams with intuitive software that simplifies care delivery, improves outcomes, and supports sustainable growth. Backed by top-tier investors, we’re scaling quickly and on a mission to transform Behavioral Health.

Why We’re Hiring

Ritten has raised its Series B and is entering a scale phase (30+ → 60+ team members over 18–24 months). Security, compliance, and IT operations can no longer be managed as a side function of the CTO.

Over the next 12–18 months we plan to:

  • Complete SOC 2 (Type I → Type II)
  • Operationalize and harden our HIPAA Security Rule program
  • Prepare for HITRUST (staged approach)
  • Professionalize IT/device lifecycle, MDM, and identity governance as headcount grows

We need a senior operator to build and run this function end-to-end.

Mission

Build and operate a scalable security, compliance, and IT governance function that supports enterprise growth while remaining pragmatic and aligned to real business risk. This person will own the GRC program and oversee internal IT/device governance, partnering closely with Engineering, Product, and People.

What You’ll Do

1. Compliance & Audit Ownership

  • Own SOC 2 (Type I & II) end-to-end: scoping, control design, evidence management, auditor coordination.
  • Operationalize and maintain HIPAA Security Rule compliance.
  • Build and maintain the risk register; track remediation and exceptions.
  • Lead vendor security reviews and third-party risk management.
  • Develop a staged HITRUST roadmap.

2. Governance & Risk Management

  • Ensure access controls, change management, and security controls are embedded in real workflows.
  • Run quarterly access reviews and enforce least privilege.
  • Lead incident response coordination and tabletop exercises.
  • Act as primary contact for security questionnaires and enterprise diligence.

3. IT & Device Lifecycle Oversight

  • Own MDM enforcement, endpoint posture, and device inventory controls.
  • Oversee onboarding/offboarding access workflows (in partnership with People).
  • Ensure identity, SSO, and account lifecycle governance are clean and auditable.
  • Manage device procurement/retrieval processes (likely via vendor).
  • Oversee MDR and other security vendors.
What This Role Is

  • A hands-on security program operator.
  • A cross-functional driver who can influence engineering and operations.
  • A builder of durable systems, not just an audit facilitator.

What This Role Is Not

  • Not purely policy writing.
  • Not a helpdesk role.
  • Not an executive CISO role (though it may evolve into Head of Security/Trust over time).

What We’re Looking For

  • 7–12+ years in information security, GRC, or security program leadership.
  • Has owned SOC 2 end-to-end in a SaaS company (ideally Type II).
  • Experience with multiple frameworks (SOC 2, ISO 27001, PCI, NIST; HITRUST exposure a plus).
  • Experience overseeing IT/endpoint governance and identity lifecycle controls.
  • Comfortable in growth-stage environments.
  • Strong cross-functional execution ability.
  • Healthcare / HIPAA experience preferred.

Compensation

We offer competitive compensation packages that include meaningful equity and strong cash salaries, benchmarked against top startups at our stage.

Location / Work Policy

We’re a primarily hybrid company. Most of our engineering team works hybrid, with an expectation of ~1–2 days per week in-office for those based near Philadelphia, Denver, or New York City.

Interested? Send your resume to talent@ritten.io