Security and Compliance Manager
Opala develops healthcare products that tackle the most complex data challenges faced by payers and providers. As a startup originating from a major healthcare plan in the Northwest, we combine deep health-tech expertise with top-tier data and software engineering talent to create products that our customers find meaningful and valuable. These data products empower payers and their partners to find timely insights and take action to intervene in areas like value-based care analytics, interoperability compliance, and real-time streaming of clinical data. In this remote position, we are seeking a Security & Compliance Managerto lead Opalas compliance and risk management program in a fast-moving healthcare data startup environment. This role owns our audit roadmap (SOC 2, HIPAA, HITRUST), ensures compliance with regulatory frameworks, and drives customer trust by managing security reviews, vendor assessments, and evidence collection. This role is two-fold. As a strategic leader, you will be guiding our compliance roadmap, managing our MSP (IT + SOC/MDR), and interfacing with auditors. As a hands-on contributor, you will be partnering with engineering squads and our Security & Compliance Team to operationalize evidence gathering and process maturity. Responsibilities
Own and maintain the companys Information Security Management System (ISMS).
Lead annual and recurring compliance certifications (SOC 2, HIPAA, HITRUST).
Respond to customer security questionnaires and due diligence requests.
Oversee vendor risk management, including contracts, reviews, and security posture assessments.
Manage MSP performance (IT and SOC/MDR) and ensure evidence feeds align with audit requirements.
Mentor and guide other Engineers and Stakeholders in evidence collection, reporting, and process maturity.
Define, implement, and maintain security policies, standards, and procedures.
Serve as the main point of contact for auditors, regulators, and external security partners.
Report compliance and risk posture to leadership and the board.
Competencies
Bachelors degree in information security, risk management, or related field (or equivalent experience).
6+ years of experience in security, compliance, or risk management roles, with 3+ years in a leadership capacity.
3+ years of vendor management experience.
Experience working with SOC 2, HIPAA, and HITRUST frameworks.
Experience working in a Cloud-based SaaS Platform
Familiarity with healthcare data security and PHI handling.
Experience with Drata's GRC and compliance automation platform
Strong organizational skills and ability to manage multiple audit and certification workstreams.
Excellent written and verbal communication skills, with the ability to translate compliance requirements into clear actions for engineering and business teams.
Hands-on experience modernizing segregation of duties in a highly regulated environment
Hands-on experience integrating Drata with external services: Entra ID, Azure, AWS, etc.
Experience working in sprint-based Agile Development Methodology
Preferred Qualifications
Security certifications such as CISA, CISM, or CISSP.
Experience with NIST 800-53, Cloud Security Alliance (CSA), and Center for Internet Security (CIS)
Experience working in healthcare or other regulated industries.
Exposure to enterprise architecture frameworks such as TOGAF.
Experience building compliance roadmaps in early-stage startups
Exposure to Containerization platforms like Docker, Kubernetes, or VMware Tanzu
Exposure to Serverless platforms like Azure Functions, AWS Lambda
Exposure to Big Data platforms like Hadoop, Databricks, Snowflake, Kafka, Cloudera
Exposure to DevSecOps
Exposure to DevOps Squad Organization Model
Benefits
The Seattle base salary range for this full-time position is $163k-$192k.Within the range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training.
Benefits include medical, dental, vision, life and AD&D insurance, EAP, short-term and long-term disability, 16 days PTO, 8 paid holidays, fully paid holiday closure, parental and family medical leave, 401k, stock options and annual bonuses and salary increases based on merit.
Diversity and Inclusivity Statement
At Opala, we believe that diversity and inclusivity are critical to our success. We encourage and value diverse perspectives and experiences, and we believe that they are essential for driving innovation and creating products that meet the needs of our diverse customer base.
Opala is an equal opportunity employer and makes employment decisions on the basis of merit. We are committed to providing a workplace free from harassment and discrimination. We celebrate the unique differences of our employees because that is what drives curiosity, innovation, and the success of our business. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, gender identity or expression, age, marital status, veteran status, disability status, pregnancy, parental status, genetic information, political affiliation, or any other status protected by the laws or regulations in the locations where we operate. Accommodations are available for applicants with disabilities.
About the job
Apply for this position
Security and Compliance Manager
Opala develops healthcare products that tackle the most complex data challenges faced by payers and providers. As a startup originating from a major healthcare plan in the Northwest, we combine deep health-tech expertise with top-tier data and software engineering talent to create products that our customers find meaningful and valuable. These data products empower payers and their partners to find timely insights and take action to intervene in areas like value-based care analytics, interoperability compliance, and real-time streaming of clinical data. In this remote position, we are seeking a Security & Compliance Managerto lead Opalas compliance and risk management program in a fast-moving healthcare data startup environment. This role owns our audit roadmap (SOC 2, HIPAA, HITRUST), ensures compliance with regulatory frameworks, and drives customer trust by managing security reviews, vendor assessments, and evidence collection. This role is two-fold. As a strategic leader, you will be guiding our compliance roadmap, managing our MSP (IT + SOC/MDR), and interfacing with auditors. As a hands-on contributor, you will be partnering with engineering squads and our Security & Compliance Team to operationalize evidence gathering and process maturity. Responsibilities
Own and maintain the companys Information Security Management System (ISMS).
Lead annual and recurring compliance certifications (SOC 2, HIPAA, HITRUST).
Respond to customer security questionnaires and due diligence requests.
Oversee vendor risk management, including contracts, reviews, and security posture assessments.
Manage MSP performance (IT and SOC/MDR) and ensure evidence feeds align with audit requirements.
Mentor and guide other Engineers and Stakeholders in evidence collection, reporting, and process maturity.
Define, implement, and maintain security policies, standards, and procedures.
Serve as the main point of contact for auditors, regulators, and external security partners.
Report compliance and risk posture to leadership and the board.
Competencies
Bachelors degree in information security, risk management, or related field (or equivalent experience).
6+ years of experience in security, compliance, or risk management roles, with 3+ years in a leadership capacity.
3+ years of vendor management experience.
Experience working with SOC 2, HIPAA, and HITRUST frameworks.
Experience working in a Cloud-based SaaS Platform
Familiarity with healthcare data security and PHI handling.
Experience with Drata's GRC and compliance automation platform
Strong organizational skills and ability to manage multiple audit and certification workstreams.
Excellent written and verbal communication skills, with the ability to translate compliance requirements into clear actions for engineering and business teams.
Hands-on experience modernizing segregation of duties in a highly regulated environment
Hands-on experience integrating Drata with external services: Entra ID, Azure, AWS, etc.
Experience working in sprint-based Agile Development Methodology
Preferred Qualifications
Security certifications such as CISA, CISM, or CISSP.
Experience with NIST 800-53, Cloud Security Alliance (CSA), and Center for Internet Security (CIS)
Experience working in healthcare or other regulated industries.
Exposure to enterprise architecture frameworks such as TOGAF.
Experience building compliance roadmaps in early-stage startups
Exposure to Containerization platforms like Docker, Kubernetes, or VMware Tanzu
Exposure to Serverless platforms like Azure Functions, AWS Lambda
Exposure to Big Data platforms like Hadoop, Databricks, Snowflake, Kafka, Cloudera
Exposure to DevSecOps
Exposure to DevOps Squad Organization Model
Benefits
The Seattle base salary range for this full-time position is $163k-$192k.Within the range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training.
Benefits include medical, dental, vision, life and AD&D insurance, EAP, short-term and long-term disability, 16 days PTO, 8 paid holidays, fully paid holiday closure, parental and family medical leave, 401k, stock options and annual bonuses and salary increases based on merit.
Diversity and Inclusivity Statement
At Opala, we believe that diversity and inclusivity are critical to our success. We encourage and value diverse perspectives and experiences, and we believe that they are essential for driving innovation and creating products that meet the needs of our diverse customer base.
Opala is an equal opportunity employer and makes employment decisions on the basis of merit. We are committed to providing a workplace free from harassment and discrimination. We celebrate the unique differences of our employees because that is what drives curiosity, innovation, and the success of our business. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, gender identity or expression, age, marital status, veteran status, disability status, pregnancy, parental status, genetic information, political affiliation, or any other status protected by the laws or regulations in the locations where we operate. Accommodations are available for applicants with disabilities.