Information Security Officer

Information Security Officer- Remote (USA) Bloom, the insurance industry’s trusted growth partner, is looking for an Information Security leader to serve as Bloom's Information Security Officer—someone who builds security into the foundation of everything we do, not someone who sits back and watches alerts roll in. This is a hands-on leadership role for a security professional who believes the best incident is the one that never happens. The successful candidate will own our security program end-to-end: designing and implementing controls, architecting systems that prevent breaches before they occur, and driving a culture of proactive risk management across the organization. You'll use data and metrics to measure what matters, identify gaps before they become problems, and demonstrate continuous improvement to our leadership and compliance partners. If you're energized by building resilient systems, thrive on translating complex regulatory requirements into practical controls, and want to shape the security posture of a growing healthcare organization—we want to talk to you. Position Responsibilities: Build and Lead a Proactive Security Program • Design, implement, and continuously improve Bloom's information security program with a prevention-first mindset leveraging the strong foundation already constructed as the basis for continued success • Evaluate, refine, and enforce security policies, standards, and procedures that are practical, actionable, and aligned with business operations • Conduct regular risk assessments and threat modeling to identify vulnerabilities before exploitation, helping the organization deliver to our customers with maximum results • Lead tabletop exercises, penetration testing, and red team activities to stress-test our defenses • Build, operate, and monitor the security program to ensure our information security processes are in place and effectively educate all stakeholders on the practices, procedures, and policies, while ensuring the security processes meet or exceed our organizational requirements Own Compliance Across Multiple Frameworks • Serve as the primary owner for HIPAA, HITRUST, and SOC 2 Type II compliance oversight, filings, and assessor coordination • Maintain deep working knowledge of NIST standards (800-53, CSF), FedRAMP requirements, and emerging healthcare security regulations to anticipate changes needed to achieve excellence • Translate regulatory requirements into engineering specifications and operational procedures • Manage audit relationships, risk management, evidence collection, and remediation tracking • Keep us audit-ready year-round—not scrambling before assessments Implement Security Controls • Partner with Engineering, IT, and DevOps to embed security controls into infrastructure, applications, and workflows • Architect and deploy technical safeguards: access controls, encryption, network segmentation, endpoint protection, and monitoring systems • Automate security processes wherever possible—manual controls don't scale • Evaluate and implement security tools and technologies that fit our environment and risk profile Drive Decisions with Data • Define and track key security metrics and KPIs that measure program effectiveness, not just activity • Build dashboards and reporting mechanisms that give leadership visibility into our security posture • Use data to prioritize investments, justify resources, and demonstrate ROI on security initiatives • Benchmark against industry standards and drive continuous improvement through measurable goals Foster a Security-First Culture • Develop and deliver security awareness training that changes behavior, not just checks a box • Serve as an advisor and resource for teams across Bloom on secure design and operations • Lead incident response when needed—but measure success by how rarely we need to Qualifications: • Bachelor’s degree in information systems, Computer Science, Engineering, or a related technical field, or a minimum of four (4) years of experience in lieu of degree. • 7+ years of progressive experience in information security, with at least 3 years in a security program leadership role • Previous experience guiding an organization through successful assessments in SOC 2 and/or HITRUST R2 is required Required Skills and Abilities: • Deep expertise in healthcare security and privacy regulations, particularly HIPAA Security Rule requirements • Hands-on experience achieving and maintaining HITRUST CSF certification and SOC 2 Type II attestation • Strong working knowledge of NIST f