Security Compliance Manager

Legal Redwood City, California


The Security Compliance team has the task of ensuring HeartFlow customers and patients can use the FFRct Platform with confidence their data and information will always be safe and secure.

As a Security Compliance manager for HeartFlow, you assure our systems meet the highest security standards and conform to applicable security and government regulations so patient information remains safe and secure.

Job Responsibilities:

  • Audit security strategies, processes, and best practices for compliance with relevant security frameworks (ISO 27001, HITRUST, NIST 800-37, etc.)
  • Maintain audit records and track security metrics to meet continuous reporting and monitoring requirements
  • Participate in monthly, quarterly, and annual audit programs to provide assurance over internal controls and drive IT solutions
  • Manage projects and optimize solutions that result from audit findings and recommendations
  • Research, identify, and consult with subject-matter experts to recommend risk-mitigating solutions
  • Collaborate on updating Security Risk Management and Global policy to influence organizational policy changes
  • Consult with IT peers and leadership to improve control efficiency and operating effectiveness
  • Drive remediation efforts and work with company stakeholders
  • Partner with staff from Finance, HR, Legal, and Sales (among others) to obtain and review evidence of compliance
  • Evangelize business owners to do the right thing, using diplomacy and tact in all interactions
  • Track and report findings and work with teams to remediate and mitigate risks
  • Plan and perform internal audits to assess the design and effectiveness of security controls
  • Consult on and assist audit efforts with key control owners, including Engineering, IT, Finance, HR, Legal, etc.
  • Administer or assist in all security services and projects, and act as the Security Compliance point of contact for all departments
  • Assist in the administration of the Security Information Response Plan and subsequent mitigation efforts
  • Promote and support company policies, procedures, mission, values, and standards of ethics and integrity

Minimum Qualifications

  • 2-3 years of audit leadership experience managing an active security compliance/audit program
  • 3-5 years as an active internal or external security auditor (e.g. ISO/IEC 27001 Lead Auditor, HITRUST CSF Assessor, PCI ISA/QSA)
  • 3+ years of technical auditing experience in the Medical Device, Healthcare, or Life Sciences industries (experience in a similar highly regulated industry may be considered)
  • Experience performing information security risk assessments, e.g. HIPAA Security Risk Assessments, HITRUST CSF, ISO 27005, NIST RMF 800-37
  • Experience tracking and creating metrics from enterprise security tools: SIEM, Splunk, Nessus, Security Center, etc.
  • Solid understanding of information security standards and security frameworks such as ISO 27001, NIST 800-53, or HITRUST CSF

Educational Requirements & Work Experience:

  • Foundational knowledge of the Agile Software Development Lifecycle, security engineering, computer and network security, authentication, and security controls, especially as they pertain to Amazon Web Services
  • Ability to work independently while supporting a highly diverse global organization
  • Ability to easily translate technology requirements into business-friendly discussions
  • Must have at least one of the following certifications: CISSP, CISA, CGEIT, CIPT, ISO 27001 Lead Auditor/Implementer. Other audit/compliance certifications will be reviewed for acceptability.
  • Bachelor's Degree in Computer Science, Life Sciences, or a related field and 1 year of experience building medical, healthcare, or Life Sciences products or services

About HeartFlow, Inc.

HeartFlow, Inc. is a medical technology company redefining the way heart disease is diagnosed and treated. Our non-invasive HeartFlow FFRct Analysis leverages deep learning to create a personalized 3D model of the heart. By using this model, clinicians can better evaluate the impact a blockage has on blood flow and determine the best treatment for patients. Our technology is reflective of our Silicon Valley roots and incorporates decades of scientific evidence with the latest advances in artificial intelligence. The HeartFlow FFRct Analysis is commercially available in the United States, Canada, Europe and Japan. For more information, visit

HeartFlow, Inc. is an Equal Opportunity Employer. This company does not and will not discriminate in employment and personnel practices on the basis of race, sex, age, handicap, religion, national origin or any other basis prohibited by applicable law. Hiring, transferring and promotion practices are performed without regard to the above listed items.

Positions posted for HeartFlow are not intended for or open to third-party recruiters/agencies. Submission of any unsolicited resumes for these positions will be considered a free referral.