Benepass

Head of Infosec & GRC

Posted 2 Days Ago
Remote
Hiring Remotely in U.S.
180K-200K Annually
Senior level
Responsible for overseeing information security and governance processes at Benepass, developing security strategies, ensuring compliance with regulations, and managing risk assessments.
The summary above was generated by AI

About Us

At Benepass we're making benefits easy. We believe people are the most important asset to any company. Traditional one-size-fits-all benefits packages no longer cut it in today's hybrid and remote-first environment. With Benepass, companies can tailor their benefits to the unique needs of their workforce.

Through our easy-to-use and highly customizable fintech platform, People teams can implement, administer, and track the benefits that meet employees where they are. Employers design their benefits and perks plan by setting a contribution amount and eligible spend categories. Every employee has their own individual definition of wellness and needs different things to help them be their most productive, fulfilled self.

Our Mission

Helping companies reimagine how companies take care of their people.

Our Investors

We are backed by leading investors, including Portage Ventures, Threshold Ventures, Gradient Ventures, Workday Ventures, and Clocktower Technology Ventures. To date, the company has raised $35 million of equity capital.

Articles

  • Founder Story - Jaclyn Chen

  • Benepass Raises $20M

Candidate Resources

  • Benepass | Candidate Resource Page

  • Benepass Listed on Inc. Magazine's Best Workplaces of 2023

ABOUT THE ROLE 

This role will have a broad remit and spearhead technology, policy, and communication to ensure that Benepass manages risks appropriately and ultimately, that customers feel safe entrusting their sensitive data to us. Below are the responsibilities for this role along with an expected breakdown of how much time will be spent on each.

IT Security
Expected allocation: 20% of time

  • Develop and oversee implementation of a comprehensive information security strategy aligned with business objectives

  • Build out, maintain, and monitor Benepass systems to ensure the integrity and safety of day to day business operations, including:

    • Device management and monitoring

    • Access control and management

    • Authentication

    • Network segregation and ZTNA

    • Threat monitoring and response

    • Phishing or social engineering monitoring and response

  • Architect these systems to ensure that Benepass data and operations are robust against all relevant threat classes (including malware, ransomware, insider threats, etc.) without imposing undue burden on operations 

  • Continuously monitor and maintain the above to ensure that any potential threats to the company or its operations are prevented or mitigated to the greatest extent possible.

  • Develop and operate threat mitigation processes and systems

  • Manage and implement security training for employees as appropriate

  • Work with vendors and/or managed services providers as required to accomplish the above.

Governance, Risk & Compliance
Expected allocation: 30% of time

  • Establish, maintain, and enforce company-wide policies and procedures to ensure Benepass operations meet or exceed the relevant standards, including regulatory requirements and industry standards. These will include:

    • On and offboarding processes

    • Access management and review

    • Vendor risk management

    • Security and risk awareness training

    • Internal and external penetration testing

  • Own the Benepass compliance “portfolio” end-to-end, ensuring that:

    • The set of certifications maintained (currently SOC2 Type 2 and HITRUST E1) is sufficient for current and anticipated business needs as Benepass expands its offerings and works with continuously larger and more security/privacy conscious clients

    • An audit timetable is maintained and audits are conducted at the appropriate cadence

    • Evidence gathering and fieldwork proceed per schedule and without significant impact on the business

    • Policies, procedures and controls incorporated into day to day business operations are sufficient to meet the requirements of all certifications maintained

    • Cross functional efforts to attain compliance are streamlined and limited in scope

    • Benepass attains all certifications it seeks, without significant exceptions or failings noted in reports 

    • Any control failures are remediated within the relevant SLA

  • Maintain an up to date register of relevant laws and regulations, track the company’s obligations under the same as well as the controls that serve to fulfill them, and close any gaps found.

  • Conduct risk assessments and develop risk mitigation strategies

  • Implement security/GRC reporting to internal stakeholders, including reports on GRC metrics and KPIs to executive leadership and the board

Infrastructure Security
Expected allocation: 10% of time

  • Work with the CTO to develop an infrastructure security strategy aligned with business objectives

  • Maintain up to date knowledge of AWS security guidelines, capabilities, and best practices, including an understanding of the AWS shared responsibility model and specific guarantees provided by various AWS services, and update the infrastructure security strategy as these evolve

  • Ensure that employee access to AWS is appropriate and appropriately managed

  • Ensure that “platform” level infrastructure is managed by infrastructure as code, per relevant baselines, and is maintained in line with the same.

  • Ensure that services have appropriate access to infrastructure resources to enable rapid development while maintaining strong security guarantees.

  • Inventory, oversee, and manage other miscellaneous cloud infrastructure (e.g. GCP/Firebase) and ensure it is appropriately managed and accounted for in the infrastructure security strategy.

Go to Market
Expected allocation: 20% of time

  • Respond to security and compliance related questions in RFPs

  • Own customer/prospect information security reviews

  • Own customer/prospect data privacy/compliance reviews

  • Join calls or otherwise work with customer/prospect personnel to address security and GRC concerns as needed

  • Ensure that our security and compliance programs are robust and present favorably in commercial conversations, enabling us to win increasingly sophisticated customers 

  • Review and redline security/compliance related language in contracts (e.g. DPAs, additional control requirements) and advise leadership on the risks, benefits, and reasonableness of the customer/prospect requests.

  • Ensure leadership is aware of emerging market pressures and demands related to security and compliance and is able to proactively respond (e.g. by further investment, product development) as deemed appropriate, with an understanding of the relevant costs and benefits.

Product & Software Development Security
Expected allocation: 10% of time

  • Work with engineering and product leadership to ensure that the Benepass platform is appropriately secured. This includes: 

    • Helping build out appropriate secure development processes

    • Helping build out secure coding practices and automated checks or manual review requirements for the same

    • Reviewing security relevant/higher risk PRs

    • Advising on the design and implementation of security relevant features or features with significant potential risks

In addition to the above, a successful candidate in this role will

  • Collaborate cross functionally on security and compliance initiatives

  • Advise executive leadership on security and risk management strategy

  • Manage information security and GRC budgets and resources

  • Stay current on emerging threats, technologies and best practices

ROLE LOCATION & TRAVEL

  • This role is 100% Remote in the U.S.  You will be expected to attend company-wide on-site events three times per year.

REQUIREMENTS

  • Bachelor's degree in computer science, information systems or related field or equivalent work experience

  • 10+ years of experience in information security, with at least 5 years in senior roles

  • Deep knowledge of information security frameworks, standards and regulations

  • Strong understanding of information security, risk management, and compliance

  • Fluency in program management, including developing roadmaps, execution timelines, and stakeholder management

  • Excellent communication, leadership and strategic planning skills

BONUS SKILLS

  • Previous start-up experience

  • Familiarity with healthcare, benefits, and/or fintech

COMPENSATION

Base salary of $180,000 to $200,000.

Range(s) is subject to change. Benepass takes a number of factors into account when determining individual starting pay, including market comparables, interview performance, peer compensation, and years of experience.

What We Offer

  • 95% coverage of medical, dental, and vision

  • Fantastic benefits (of course 😃), including:

    • $250 WFH setup

    • $150/month cell phone + internet

    • $100/month Wellness

  • No Meeting Wednesday!

  • We offer several team onsites a year

  • Flexible PTO

At Benepass, we are working towards reimagining how companies take care of their people. We are committed to creating an inclusive environment for all our employees and are seeking to build a team that reflects the diversity of the people we hope to serve with our revolutionary products. Benepass is proud to be an equal-opportunity employer.

Top Skills

AWS
GCP
Security Frameworks
