Back to jobs
New

Vice President, Information Security

Remote

Our mission: eliminating every barrier to mental health.

Spring Health is a global mental health company on a mission to eliminate every barrier to mental health. We're building a world where getting support is simple, personal, and built around the person, so care can continue through every job, move, health plan, and life stage.

Our AI-native platform helps us deliver personalized support across self-guided tools, coaching, therapy, medication management, and specialty care. With outcomes independently validated by JAMA Network Open and the Validation Institute, Spring Health reaches more than 170 million people worldwide through leading employers, health plans, and partners.

As an AI-native company, we believe technology should expand the reach, quality, and humanity of care. Every Spring Health team member is expected to use AI tools thoughtfully, apply human judgment to AI outputs, and keep building AI fluency in ways that support their role and our mission.

The Vice President, Information Security is responsible for defining, leading and advancing the organization's enterprise-wide information security strategy, ensuring the protection of company assets, customer data, and critical systems while enabling business growth and innovation. The leader provides strategic direction across cybersecurity, risk management, compliance, security operations, cloud and application security, identity and access management, third-party risk, and incident response.

The VP, Information Security partners closely with executive leadership, technology, legal, compliance, and business stakeholders to strengthen the organization's security posture, maintain regulatory compliance, and embed security into business and product decision-making. The leader will build and scale a high-performing security organization, drive security program maturity, and ensure the company remains resilient against evolving cyber threats while supporting operational excellence and organizational objectives.

What You'll Do

Security Strategy & Leadership

  • Develop and execute the enterprise information security vision, strategy, and multi-year roadmap.
  • Serve as a trusted advisor to executive leadership and the Board on cybersecurity risks, trends, and investments.
  • Establish security objectives, metrics, and reporting mechanisms aligned with business priorities.
  • Drive a security culture across the organization that enables innovation while maintaining appropriate risk controls, including effectively communicating risks and changes in the risk landscape to leadership, the Board, and key stakeholders in clear, business-relevant terms.

Governance, Risk & Compliance

  • Own the enterprise information security risk management program, including formal risk assessments, risk registers, and risk treatment plans.
  • Ensure compliance with applicable frameworks and regulations, including SOC 2, ISO 27001, HIPAA, HITRUST, PCI DSS, GDPR, and CCPA.
  • Oversee security audits, risk assessments, policy development, and remediation initiatives.
  • Manage the Business Associate Agreement (BAA) program across the customer and vendor ecosystem.
  • Maintain and test the enterprise Incident Response and Business Continuity programs.
  • Drive continuous improvement of security controls and risk management practices.

Security Operations & Incident Response

  • Oversee security operations, threat detection, vulnerability management, and incident response functions.
  • Own the security operations center (SOC) function, including SIEM strategy, threat intelligence, and endpoint detection and response.
  • Lead the organization's response to security incidents, including executive communication, regulatory notification obligations, and post-incident review
  • Direct penetration testing, security assessments, and resilience exercises.

Cloud, Infrastructure & Product Security

  • Partner with Engineering and Product leadership to embed security throughout the software development lifecycle (SDLC), including threat modeling, secure code review, and automated security testing.
  • Provide strategic direction for the design and implementation of secure enterprise and cloud infrastructure, ensuring security architecture principles are embedded in platform design, data flows, and technology decisions across the organization.
  • Provide security architecture review and guidance for new products, features, and third-party integrations.
  • Oversee vulnerability management, penetration testing, and remediation programs across the platform and infrastructure.

Team & Program Leadership

  • Build, mentor, and develop high-performing security teams.
  • Manage security budgets, technology investments, and vendor relationships.
  • Lead third-party risk management and vendor security assessment programs.
  • Demonstrated ability to work closely with leadership across the organization, including Engineering, Legal, Privacy, Product, Sales, IT, HR, and others, serving as a trusted partner who enables the business rather than a barrier to it.
  • Serve as the executive point of contact for cyber insurance underwriters, external auditors, and regulatory examiners.

What Success Looks Like

  • A documented, board-approved information security strategy is in place with defined milestones, KPIs, and accountability.
  • Strong regulatory and compliance outcomes, including successful audits and certifications.
  • Reduced organizational risk through proactive threat management, vulnerability remediation, and security controls.
  • High levels of security resilience demonstrated through effective incident response and crisis management.
  • Security is embedded in the SDLC, development teams have clear security requirements, tooling, and a consistent process for security review.
  • Enterprise client security questionnaires and audits are handled efficiently, with documented repeatable processes that reduce friction for the Sales and Customer Success teams.
  • Meaningful improvements in security awareness and accountability across the organization.
  • Executive leadership, customers, partners, and regulators have confidence in the company's security posture.
  • A highly engaged, high-performing security team with strong retention

What You'll Bring

  • 12+ years of progressive experience in Information Security, with at least 5 years in a senior leadership role.
  • Demonstrated experience building and leading multi-functional security teams, including risk/compliance, application security, and/or security operations disciplines.
  • Demonstrated ability to communicate security risk to executive and board-level audiences, translating technical issues into business and financial impact.
  • Deep working knowledge of HIPAA and hands-on experience managing compliance programs in a covered entity or business associate environment.
  • Experience with HITRUST CSF, SOC 2, ISO 27001, and other comparable third-party security certification programs.
  • One or more recognized industry certifications relevant to a role at this level (CISSP, CISM, CCISO, CRISC, or CISA).
  • Experience building partnerships across the organization, enabling innovation in a safe and risk-aware way — a track record of being a business enabler, not a gatekeeper.
  • Experience managing client-facing security responsibilities, including enterprise security reviews, vendor assessments, and RFP responses.
  • Experience owning or contributing to incident response programs, including regulatory breach notification obligations.
  • Strong working knowledge of cloud security principles and modern SaaS architecture security requirements.
  • Track record of partnering effectively with executive leadership, boards, auditors, regulators, and customers.
  • Deep knowledge of security operations, threat management, vulnerability management, and incident response.
  • Strong expertise in cloud security, application security, identity and access management, and security architecture.
  • Strategic mindset with strong business and risk management acumen.
  • Ability to balance security requirements with customer experience, innovation, and business objectives.

The target base salary range for this position is $250,000 - $288,500, and is part of a competitive total rewards package including equity and benefits. Individual pay may vary from the target range and is determined by a number of factors including experience, location, internal pay equity, and other relevant business considerations. We review all employee pay and compensation programs annually using Radford Global Compensation Database at minimum to ensure competitive and fair pay. 

Benefits provided by Spring Health:

Note: We have even more benefits than listed here and below, your recruiter will provide more in-depth information as you continue in the interview process. Benefits are subject to individual plan requirements and eligibility criteria.

  • Health, Dental, Vision benefits start on your first day at Spring. You and your dependents also receive access to One Medical accounts HSA and FSA plans are also available, with Spring contributing up to $1K for HSAs, depending on your plan type.
  • Employer sponsored 401(k) match of up to 2% for retirement planning
  • A yearly allotment of no cost visits to the Spring Health network of therapists, coaches, and medication management providers for you and your dependents.
  • We offer competitive paid time off policies including vacation, sick leave and company holidays.
  • At 6 months tenure with Spring, we offer parental leave of 18 weeks for birthing parents and 16 weeks for non-birthing parents.
  • Access to Noom, a weight management program—based in psychology, that’s tailored to your unique needs and goals. 
  • Access to fertility care support through Carrot, in addition to $4,000 reimbursement for related fertility expenses.
  • Access to Wellhub,  which connects employees to the best options for fitness, mindfulness, nutrition, and sleep in one subscription
  • Access to BrightHorizons, which provides sponsored child care, back-up care, and elder care
  • Up to $1,000 Professional Development Reimbursement a year.
  • $200 per year donation matching to support your favorite causes.

Not sure if you meet every requirement? Research shows that women and people from historically underrepresented communities often hesitate to apply for roles unless they meet every qualification compared to other similarly-qualified candidates. At Spring Health, we are committed to fostering a workplace where everyone feels valued, empowered, and supported to Thrive. If this role excites you, we encourage you to apply.

Our privacy policy: https://springhealth.com/privacy-policy/

Spring Health is proud to be an equal opportunity employer. We do not discriminate in hiring or any employment decision based on race, color, religion, national origin, age, sex, marital status, ancestry, disability, genetic information, veteran status, gender identity or expression, sexual orientation, pregnancy, or other applicable legally protected characteristic. We also consider qualified applicants regardless of criminal histories, consistent with applicable legal requirements. Spring Health is also committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans. If you have a disability or special need that requires accommodation, please let us know.

Create a Job Alert

Interested in building your career at Spring Health? Get future opportunities sent straight to your email.

Apply for this job

*

indicates a required field

Phone
Resume/CV*

Accepted file types: pdf, doc, docx, txt, rtf

Cover Letter

Accepted file types: pdf, doc, docx, txt, rtf


Education

Select...
Select...
Select...

Select...
Select...
How did you hear about us? *

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Spring Health’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Select...
Select...
Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Select...

Voluntary Self-Identification of Disability

Form CC-305
Page 1 of 1
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury
Select...

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.