Director, Security Operations & Infrastructure

Job Description: Position Summary  Phreesia is looking for a Director, Security Operations & Infrastructure to serve as a senior member of the CISO’s leadership team and own the operational backbone of our security program. This role provides leadership, oversight, and hands-on guidance for two critical sub-teams: Threat Response and Security Infrastructure.  The Threat Response team is responsible for enterprise-wide security incident detection, triage, containment, response, and forensics. The Security Infrastructure team owns all security and IT tooling across the company—endpoint management, identity infrastructure, SIEM/SOAR, network security appliances, cloud security tooling, and the platforms that keep every employee and system running in a dynamic, multi-cloud (AWS, Azure, GCP) and multi-OS (Windows, macOS, Linux) environment.  This role is ideal for a deeply technical security leader who has personally responded to and led security incidents, and who can also build and manage a team of senior engineers and architects capable of running a broad tool portfolio consistently and to high customer satisfaction. The successful candidate has a technical background but is ruthlessly diligent about process, standards, execution, and being right—someone who treats operational excellence as a discipline, not an afterthought.  A key objective of this role is to drive standardization, reliability, and security maturity across infrastructure and incident operations while enabling Phreesia’s continued growth. The Director will function as a key contributor to our target-state enterprise and security architecture, ensuring that security tooling and incident response capabilities are considered early in the design of new products, platforms, and integrations.  This position will be responsible for collaborating with the GRC, IAM, Security Architecture, Product & Engineering, and Phreesia leadership teams on emerging challenges and operational priorities. The Director will stay current on evolving threats, technologies, and operational best practices and will ensure our security operations program anticipates rather than reacts to changes.  Candidates must be comfortable leading through both direct management and influence in a highly matrixed environment. You will directly manage threat response and infrastructure managers, while also driving outcomes through collaboration with engineering, product, and infrastructure teams across the company. This individual has hands-on experience building, running, and improving security operations and infrastructure programs in regulated data environments such as healthcare and payments, and is comfortable working across multiple compliance frameworks (PCI DSS, HITRUST, SOC 2, SOX ITGC, HIPAA/NIST) simultaneously.  The ideal candidate demonstrates strong analytical, interpersonal communication skills, and operational management capabilities: able to triage complex incidents under pressure, design practical tooling strategies, oversee implementation and hardening, and present clear status and risk updates to senior executives. They should be equally comfortable leading a live incident bridge, reviewing a firewall change request, and walking a customer’s security team through Phreesia’s control environment.    Job Responsibilities  What you’ll do  Threat Response Leadership  Own enterprise-wide security incident response—ensure the team can detect, triage, contain, eradicate, and recover from incidents across cloud, on-prem, SaaS, and endpoint environments with speed and precision.  Maintain and continuously improve the incident response plan, playbooks, escalation procedures, and communication templates, ensuring they are tested, current, and aligned to NIST CSF 2.0.  Serve as incident commander or executive sponsor for high-severity incidents; make real-time decisions on containment and remediation under pressure.  Drive post-incident reviews that produce actionable findings, root-cause analysis, and measurable improvements—not just documentation.  Coordinate threat response across US and India teams, ensuring consistent coverage, quality, and process regardless of geography.  Partner with Legal & Privacy throughout the incident response lifecycle—ensuring timely notification assessments, evidence preservation, regulatory reporting obligations, and litigation hold requirements are met in coordination with response activities.  Think ahead of the curve—continuously assess the threat landscape, identify emerging risks and attack vectors likely to impact Phreesia before they materialize, and develop contingency plans, tabletop exercises, and pre-positioned response strategies so the organization is prepared, not surprised.  Security Infrastructure Leadership  Own the security and IT tooling portfolio across the company: endpoint management (MDM, EDR), identity infrastructure, SIEM/SOAR, network security, vulnerability scanning, email security, cloud security posture management, and related platforms.  Ensure all tools are operated consistently, reliably, and to high customer satisfaction—treat every employee and system as a customer of the infrastructure team.  Drive standardization and process discipline across tool administration: change management, patching, configuration baselines, and lifecycle management.  Partner with Security Architecture to translate architectural decisions into operational reality—ensuring new tools are deployed correctly and legacy tools are retired cleanly.  Manage vendor relationships and contracts for security tooling; own renewal timelines, license optimization, and performance accountability.  Operational & Strategic  Build and maintain operational metrics and dashboards that provide the CISO and leadership with clear visibility into incident trends, MTTD/MTTR, tool health, SLA performance, and infrastructure posture.  Establish and enforce operational standards across both sub-teams: runbooks, on-call rotations, escalation paths, change management, and documentation requirements.  Collaborate closely with GRC to ensure incident response and infrastructure operations satisfy audit and compliance requirements across PCI DSS, HITRUST, SOC 2, and SOX ITGC.  Act as a matrixed leader, influencing teams you don’t directly manage while providing clear, actionable guidance to executives, developers, and staff.  Function as the CISO’s functional backup for incident response and security infrastructure matters—represent the security program in customer meetings and partner with the Legal/Privacy team on litigation-related security matters. (The Director, GRC & Data Protection serves as CISO backup for auditor and regulator engagements.)  Recruit, develop, and retain high-performing talent; build a culture that values precision, accountability, continuous improvement, and teamwork.    What You’ll Bring Education  Bachelor’s degree required; advanced degree preferred.  Certifications  One or more preferred: CISSP, CISM, GIAC (GCIH, GCIA, GCFA), CCSP, or similar.  Incident response or forensics certifications (GCIH, GCFE, GCFA, EnCE) are a strong differentiator.  Experience, Knowledge & Skills  10+ years in information security, with 5+ years in leadership roles managing security operations, incident response, or infrastructure/engineering teams.  Prior role as a Director of Security Operations, Head of Incident Response, or Security Infrastructure lead for an organization of meaningful scale and complexity.  Hands-on incident response experience—you have personally led incident bridges, performed triage, coordinated containment, and driven remediation for significant security events. This is not a role for someone who has only managed from a distance.  Proven experience managing a team of senior engineers/architects responsible for running a broad portfolio of security and IT tools in a multi-cloud (AWS, Azure, GCP) and multi-OS (Windows, macOS, Linux) environment.  Experience in healthcare, health IT, payments, or other highly regulated data environments where PCI, HITRUST, SOX, and SOC 2 interact.  Significant experience in a product-driven, SaaS, or cloud-platform company, working closely with Product, Engineering, and Infrastructure organizations.  Ruthlessly process-oriented—demonstrated track record of building and enforcing standards, runbooks, change management, and operational discipline across distributed teams.  Forward-looking and proactive—demonstrated ability to anticipate emerging threats, technology shifts, and operational risks before they impact the business, and to develop contingency plans and preparedness exercises accordingly.  Strong technical fluency across: SIEM/SOAR platforms, EDR/XDR, network security, cloud security (AWS, Azure, GCP native controls), endpoint management (MDM, patching), identity infrastructure, and vulnerability management.  Exceptional written and verbal communication skills, including direct experience presenting to senior executives, boards, customers, and auditors on security posture, incident status, and operational metrics.  Proven effectiveness in a highly matrixed organization, influencing cross-functional stakeholders and resolving conflicting priorities.  Experience managing geographically distributed teams (US, Canada, India) with varying time zones and cultural contexts.  Technology  Deep familiarity with security and infrastructure tooling, including but not limited to:  AI/LLM Platforms (OpenAI, Anthropic, Google, LLM Gateways)  SIEM/SOAR (e.g., Splunk, Sentinel, Palo Alto XSIAM, Swimlane)  EDR/XDR (e.g., CrowdStrike, SentinelOne, Microsoft Defender)  Cloud security (AWS Security Hub, Azure Defender, GCP SCC, CSPM tools)  Network security (firewalls, IDS/IPS, DNS security, web gateways)  Endpoint management (Jamf, Intune, patch management solutions)  Identity infrastructure (Okta, Azure AD/Entra ID, PAM solutions)  Vulnerability management (Qualys, Tenable, Rapid7)  Email security and DLP platforms (Mimecast, Proofpoint, Cyera)  Total cash compensation for U.S.-based employees ranges from $245,000–$265,000, inclusive of base salary and variable incentive, and is dependent on qualifications. In addition, Phreesia offers a highly competitive and comprehensive Total Rewards package. Other  This position requires occasional travel for team meetings, incident response coordination, customer engagements, and audit support.  Must be able to participate in an on-call rotation for critical security incidents.  Who We Are: At Phreesia, we’re looking for smart and passionate people to help drive our mission of creating a better, more engaging healthcare experience. We’re committed to helping healthcare organizations succeed in an ever-evolving landscape by transforming the way healthcare is delivered. Our SaaS platform digitizes appointment check-in and offers tools to engage patients, improve efficiency, optimize staffing, and enhance clinical care. Phreesia cares about our employees by providing a diverse and dynamic work environment. We’re a five-time winner of Modern Healthcare Magazine’s Best Places to Work in Healthcare award and we’ve been recognized on the Bloomberg Gender Equality Index. We are dedicated to continuously improving our employee experience by launching new programs and initiatives. If you thrive in a culture of recognition, value inclusivity, professional development, and growth opportunities, Phreesia could be a great fit! Top-rated Employee Benefits: 100% Remote work + home office expense reimbursements Competitive compensation Flexible PTO + 8 company holidays Monthly reimbursement for cell phone + internet + wellness 100% Paid 12-week parental leave to our U.S. employees, as well as a generous parental benefit to our employees in Canada Variety of insurance coverage for people (and pets!) Continuing education and professional certification reimbursement Opportunity to join an Employee Resource Group. Learn more here: https://www.phreesia.com/workforce/ We strive to provide a diverse and inclusive environment and are an equal opportunity employer.