Lead GRC Analyst
Location: United States
Posted: 9 hours ago
Salary: Not specified
Job Description
About Us
TherapyNotes is the go-to superhero for behavioral health Practice Management and EHR software! Our top-notch SaaS solution handles scheduling, billing, documenting, telehealth, and more so clinicians can focus on awesome patient care.
We're a dynamic team of pros who love to innovate and push the envelope, keeping our software cutting-edge. Join us, and let's revolutionize behavioral health software together while making a real difference!
About The Position
TherapyNotes is seeking an experienced cyber security professional to join our team of technology enthusiasts. The right candidate should have a focus on cybersecurity compliance, security control implementation, risk/vulnerability management, continuous monitoring, and security awareness training. The role will serve as the liaison for external audits, oversee an internal cybersecurity audit program, and lead a team of GRC Analysts. This role requires a strong understanding of regulatory requirements, risk management frameworks, and industry best practices.
What You'll Do
- Architect, implement, and continuously mature the organization’s Governance, Risk, and Compliance (GRC) program, aligning it with HIPAA-HITECH, HITRUST CSF, state privacy regulations, GDPR, and other applicable regulatory frameworks.
- Lead organization-wide risk identification, analysis, and treatment processes using structured methodologies to conduct risk assessment, identify gaps, and develop mitigation plans.
- Lead end-to-end third-party risk management activities, including structured vendor security assessments, evaluation of assurance artifacts (SOC 2, ISO 27001, penetration tests), risk impact analysis and residual risk determination.
- Conduct formal risk assessments across infrastructure, application, vendor, and business process domains.
- Collaborate with cross-functional teams to integrate GRC principles into business processes and systems.
- Monitor evolving regulatory requirements, enforcement trends, and industry best practices to proactively adjust the organization’s compliance program.
- Provide guidance and training to employees on GRC policies, procedures, and best practices.
- Oversee the execution of audits, assessments, and compliance activities to validate adherence to compliance standards.
- Ensure documentation artifacts support evidentiary requirements for regulatory examinations and certification audits.
- Act as a liaison with external auditors, regulators, and stakeholders on GRC-related matters.
- Develop and maintain key performance indicators (KPIs) and metrics to measure the effectiveness of GRC initiatives.
- Mentor and coach GRC analysts, fostering their professional development and growth within the organization.
- Drive continual improvement of the organization’s information security program, ensuring alignment with HITRUST CSF, HIPAA, GDPR, ISO 27701, and other frameworks as required.
- Identify and document cyber risks and manage mitigation, follow up on open security risks, and report issues to leadership.
- Assist with ad-hoc compliance reporting and follow up with customers and/or support partners to ensure all identified vulnerabilities are being addressed.
- Provide support to Information Security Incident Response team during cyber/privacy incidents.
- Review architectural designs and new technology initiatives to validate alignment with regulatory and internal security requirements.
- Ensure the running application and the codebase under development protect the confidentiality, integrity, and availability of our customers' data.
- Evaluate the technical security posture of newly proposed third-party solutions.
What We're Looking For
- BS degree in Information Security, Risk Management, Business Administration, or related field
- 5+ years of experience in GRC, risk management, or related fields, with demonstrated leadership experience
- Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC) strongly preferred
- Strong knowledge of regulatory requirements (e.g., GDPR, HIPAA, PCI-DSS, CPRA) and industry standards (e.g., ISO 27001, NIST).
- Expert in designing, implementing, and maintaining security solutions
- Understanding of modern approaches to GRC such as Policy-as-Code and Compliance-as-Code
- Experience developing and implementing GRC frameworks, policies, and procedures
- Excellent analytical skills with the ability to assess complex risks and develop effective mitigation strategies
- Exceptional communication and interpersonal skills, with the ability to effectively collaborate with stakeholders at all levels of the organization
- Proven ability to lead and manage projects, including coordinating cross-functional teams and delivering results on time
- Ability to adapt to a fast-paced and dynamic environment, with a focus on continuous improvement and innovation
- Proficiency with security standards and secure configuration baselines such as CIS or OWASP
- Proficiency with cloud-based solutions and web related technologies
What We Offer
- Competitive salary - $125,000-$165,000
- Employer sponsored health, dental, vision, life, and disability insurance
- Retirement plan with company contribution
- Annual company profit sharing
- Personal development/training budget
- Open, collaborative work environment
- Extensive 2-week onboarding plan
- Comprehensive mentorship program
Equal Opportunity Employer Statement & Applicant Rights
TherapyNotes LLC is an Equal Opportunity Employer and does not discriminate based on race, color, religion, sex, national origin, age, disability, genetic information, or any other protected status under federal, state, or local law. We are committed to providing a workplace free of discrimination and harassment. For more information about your rights under federal employment laws, please review the following:
- Know Your Rights: Workplace Discrimination is Illegal
- Family and Medical Leave Act (FMLA): Employee Rights Under FMLA
If you require a reasonable accommodation during the application process, please contact humanresources@therapynotes.com.
#LI-Remote
3/5/2026