Information Security Manager
Marathon Health

Denver, Colorado


Marathon Health is a leading advanced primary care provider, partnering with employer and union plan sponsors to improve health for millions of Americans. With nationwide onsite, nearsite, and network health centers, and virtual primary care, Marathon delivers a value-based model that enhances the healthcare experience for members and providers, while driving meaningful cost savings for plan sponsors. Marathon is proud to be certified as a Great Place to Work®, reflecting the company's commitment to building an inclusive, high-trust culture where all employees can thrive. Learn more at marathon.health

ABOUT THE JOB

The Manager, Information Security, is responsible for leading a team of security analysts to protect enterprise systems and PHI, ensuring compliance with HITRUST, HIPAA, SOC 2 and related regulatory frameworks while maturing detection, response, and governance capabilities.

This role will handle day-to-day management of security operations and continuous compliance monitoring. The Manager, Information Security, is a hands-on technical role that requires proficiency in incident response, threat hunting, vulnerability management, creating automation, and integrating systems into SIEM.

ESSENTIAL DUTIES & RESPONSIBILITIES

Leadership & Strategy

  • Driving cybersecurity maturity with continuous improvement of controls
  • Continuously evaluating and managing the cyber and technology risk posture of the organization
  • Lead Marathon Health's internal and outsourced security teams to execute on the roadmap defined by our CISO
  • Lead the security team response to security incidents and breaches.
  • Lead security awareness and training programs across the organization, with tailored content for clinical staff handling PHI

Technical Execution

  • Manage the prospect, client and 3rd party security assessment fulfillment process.
  • Identify and manage vulnerabilities
  • Developing and implementing comprehensive risk treatment plans to protect Marathon's assets
  • Monitoring compliance with the information security policies
  • Keeping up to date with IT security standards and emerging threats
  • Maintain up-to-date knowledge of emerging technologies and services that will help Marathon maintain its technical edge and evolution
  • Architect, prioritize, coordinate, and communicate the choice of security technologies necessary to ensure a highly secure yet frictionless computing environment
  • Assist in the evaluation of overall risk for IT systems and the data they contain and process, accounting for the people, processes, and technologies that provide security controls
  • Maintain and continuously improve SOC2/HITRUST CSF certification; ensure security control ownership, evidence collection, and audit readiness are operationalized across all responsible domains
  • Manage and enforce a comprehensive information security program covering identity and access management, vulnerability management, endpoint protection, network security, incident response, and third-party risk

Collaboration & Cross-Functional Delivery

  • Work with cross-functional teams including Technology, Legal, Privacy, Finance, Internal and External Auditors to achieve corporate objectives relating to information and data security
  • Partner with legal and compliance teams to create and support a security culture through education and awareness programs designed to reduce the risks to the enterprise while also engaging key business leaders to ensure business unit involvement
  • Monitor compliance with HIPAA, SOC 2, state-level data privacy regulations, and contractual security requirements across all employer and health plan clients

Team Development

  • Provide technical leadership, guidance and mentoring to Security Analysts.
  • Conduct regular performance reviews, training, and career development planning.
  • Promote knowledge sharing and best practices across the team.

QUALIFICATIONS

Bachelor's degree in computer science, information systems or cybersecurity or related field and a minimum of 2 years' experience in people leadership within security, including serving as the final decision-maker for hiring, development, and performance management, or equivalent combination of education and experience. Experience in healthcare technology, health systems, or digital health, with working knowledge of HIPAA, PHI governance, and clinical system dependencies.

  • Experience owning or co-owning HITRUST CSF certification (or equivalent compliance framework such as SOC 2, ISO 27001).
  • HITRUST Certified Common Security Framework Practitioner (CCSFP) or equivalent HITRUST training
  • One or more professional security certifications: CISSP, CISM, or CISA.
  • AWS Security Specialty or equivalent cloud security certification
  • CRISC (Certified in Risk and Information Systems Control)
  • AI governance or responsible AI certifications (e.g., ISACA AI Audit certificate, Certified AI Governance Professional)

Travel is required up to 15% for team meetings, clinic visits, and audit support.

DESIRED ATTRIBUTES

  • Demonstrated ability to translate technical infrastructure and security concepts into business risk and value narratives for executive and board audiences
  • Experience driving vulnerability management across organizations.
  • Experience in value-based care, employer-sponsored healthcare, or population health management organizations
  • Proven track record operating in multi-site, distributed environments, ideally 500+ locations, with complex endpoint and network management needs.
  • Hands-on experience deploying or governing AI tools in a healthcare or clinical environment, including PHI risk controls for AI systems
  • Experience with AIOps platforms or AI-augmented IT operations tooling
  • Familiarity with AWS (or comparable cloud) architecture, including security posture management in cloud-native environments

Pay Range: $115,000 - $145,000/yr

The actual offer may vary dependent upon geographic location and the candidate's years of experience and/or skill level. This position is also eligible for an annual incentive.

We are accepting applications for this position until a candidate has been selected. To apply to this position and learn more about open jobs at Marathon Health, visit our careers page.


