Staff Security Engineer - Governance, Risk, and Compliance (GRC)

  • Company Foodsmart
  • Employment Full-time
  • Location 🇺🇸 United States nationwide

About us:


Foodsmart is the leading telenutrition and foodcare solution, backed by a robust network of Registered Dietitians. Our platform is designed to foster healthier food choices, drive lasting behavior change, and deliver long-term health outcomes. Through our highly personalized, digital platform, we guide our 2.2 million members—including those in employer-sponsored health plans, regional and national Medicaid managed care organizations, Medicare Advantage plans, and commercial insurers—on a tailored journey to eating well while saving time and money.


Foodsmart seamlessly integrates dietary assessments and nutrition counseling with online food ordering and cost-effective meal planning for the entire family, optimizing ingredients both at home and on the go. We partner with national and regional retailers across the U.S., many of whom accept SNAP/EBT, making healthier food more accessible. Additionally, we assist members with SNAP enrollment and management, providing tangible access to nutritious food. In 2024, Foodsmart secured a $200 million investment from TPG’s Rise Fund, which supports entrepreneurs dedicated to achieving the United Nations’ Sustainable Development Goals. This investment will help us expand our reach, particularly to low-income workers who are disproportionately affected by diet-related diseases.


At Foodsmart, our mission is to make nutritious food accessible and affordable for everyone, regardless of economic status. We are committed to a set of core values that shape our culture and work environment:


Measured: We make data-driven, truth-seeking decisions.

Impactful: We are fueled by achieving our mission and vision.

Collaborative: We help each other be better and create a positive environment.

Hungry: We maintain a healthy growth mindset, seeking to overcome challenges with courage.

Joyful: We take joy in each other, our work, and the privilege of doing this work.


Whether you're a dietitian, a commercial leader, or a technologist, working at Foodsmart means being part of a team that is passionate, supportive, and driven by a shared purpose. Join us in transforming the way people access and enjoy healthy food.


About the Role


Foodsmart seeks a Governance, Risk, and Compliance (GRC) Lead to independently manage compliance programs, respond to customer security inquiries, lead audit processes, and collaborate effectively with internal and external stakeholders. Reporting directly to the Chief Information Security Officer (CISO), this hands-on role requires a self-starter who can execute GRC initiatives with minimal supervision while serving as the primary interface for customer security/privacy audits and inquiries.


You will play a critical role in ensuring compliance with healthcare privacy regulations such as HIPAA, HITRUST CSF, CCPA, and other state-specific privacy laws. This position requires technical expertise combined with strong communication skills to balance regulatory requirements with business objectives.


You will:
  • Conduct internal audits, risk assessments, and vulnerability scans to ensure compliance with HIPAA, HITRUST CSF, CCPA, and other privacy regulations.
  • Own end-to-end management of external certifications (e.g., SOC 2, ISO 27001), including audit preparation, evidence collection, coordination with auditors, and remediation of findings.
  • Respond to customer security questionnaires (e.g., SIG or CAIQ), audits, and due diligence requests, and serve as the primary point of contact for external stakeholders regarding security/privacy inquiries.
  • Collaborate with Sales, Legal, Product Development, and Engineering teams to address customer security concerns during contract negotiations or product development.
  • Develop and maintain policies, procedures, controls, and training programs that align with regulatory requirements and industry standards.
  • Perform risk assessments on cloud infrastructure (AWS), SaaS applications, and third-party vendors, and implement actionable mitigation strategies.
  • Monitor security incidents and support incident response activities, including root cause analysis and corrective actions.
  • Automate compliance workflows (e.g., evidence collection or control monitoring) to streamline processes.
  • Stay updated on emerging threats and regulatory changes impacting healthcare privacy laws, and proactively adapt policies to meet new requirements.


You are:
  • A self-starter who thrives in a hands-on role with minimal supervision.
  • A strong communicator with the ability to translate technical security concepts into actionable insights for non-technical stakeholders.
  • Highly organized with exceptional attention to detail, able to manage multiple priorities in a fast-paced environment.
  • Collaborative by nature, skilled at working across diverse teams including Sales, Legal, Product Development, Engineering, and external auditors/customers.
  • Solution-oriented, focused on practical approaches that balance business needs with regulatory requirements.


You have:
  • At least 5-8 years of experience in governance, risk management, compliance (GRC), privacy, or information security roles within regulated industries such as healthcare or technology.
  • Proven expertise in managing enterprise risks and leading compliance initiatives such as SOC 2 or HITRUST certification processes.
  • Deep knowledge of healthcare privacy regulations like HIPAA and HITRUST CSF as well as state-specific laws like CCPA.
  • Experience responding to customer security questionnaires (e.g., SIG or CAIQ) and managing customer audits or inquiries.
  • Technical familiarity with cloud infrastructure (AWS), SaaS security models, vulnerability management tools, and risk assessment methodologies.
  • Exceptional written and verbal communication skills, able to engage effectively with internal teams and external stakeholders such as auditors or customers.


Preferred Certifications:
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Systems Security Professional (CISSP)
  • HITRUST Certified CSF Practitioner (CCSFP)
  • ISO 27001 Lead Implementer/Auditor


$175,000 - $190,000 a year
Role: Staff Security Engineer
Location: Remote
Base Salary Range: $175,000/yr to $190,000/yr + equity + benefits

Our salary ranges are determined by role, level, and location. The range displayed on each job posting reflects the minimum and maximum target for new hire salaries at our headquarters in San Francisco, California. Individual pay is determined by work location, job-related skills, experience, and relevant education or training.

About our benefits and perks:


  • Remote-First Company
  • Unlimited PTO
  • Flexible & remote location
  • Healthcare Coverage (Medical, Dental, Vision)
  • 401k, bonus, & stock options
  • Registered Dietitian Sessions
  • Wellness reimbursement



Foodsmart is an equal opportunity employer and values diversity. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, disability status, or any other protected class.
