Title: Chief Information Security Officer (CISO)

Location: Austin, TX / Morristown, NJ (hybrid)

Reports To: Chief Technology Officer

About Hippo:

Hippo exists to protect the joy of homeownership. We believe that insurance should protect the things you treasure through an intuitive, modern experience. We provide tailored insurance coverage and preventative maintenance plans that keep you protected throughout your homeowner journey. We’ll also help you find coverage for everything life brings—from auto to flood—reimagining how you care for your home.

About the Role: 

Hippo is hiring a Chief Information Security Officer to lead cybersecurity strategy, security operations, and governance, risk, and compliance across the enterprise. You will be responsible for protecting Hippo's systems, data, and customers against an evolving threat landscape while ensuring the company meets its regulatory and compliance obligations as a publicly traded, multi-state insurance carrier. 

This role owns Hippo's SOC 2 program, leads security operations, and drives compliance with applicable state and federal cybersecurity regulations. You will also own identity governance, privacy and data protection strategy, and third-party risk management. This is a high-visibility leadership role that requires equal fluency in security engineering, regulatory compliance, and executive communication. 

About You: 

You are a seasoned cybersecurity leader who has built and run security programs at a publicly traded, regulated company. You have navigated regulatory examinations and SOX audit cycles, and you can move seamlessly between a technical incident response scenario and a board presentation. You think in terms of risk, you quantify what you can, and you communicate what you can't with intellectual honesty. 

You bring a builder's mindset to security. You understand that a great security program enables the business rather than slowing it down, and you know how to embed security into engineering culture without creating friction. Whether your background is in Insurtech, fintech, healthcare, or another heavily regulated sector, you understand multi-regulator environments and lead with clarity and high standards. 

What You'll Do: 

• Further develop and execute Hippo's enterprise cybersecurity strategy, aligned with business risk appetite and regulatory requirements
• Build and lead the security operations function, including threat detection, incident response, vulnerability management, and threat intelligence
• Own Hippo's SOC 2 program end-to-end, including control design, evidence collection, readiness assessments, and auditor engagement
• Lead the governance, risk, and compliance function, maintaining the cybersecurity risk register, policy framework, standards, and control library
• Drive compliance with applicable state and federal cybersecurity and insurance regulations
• Support SEC cybersecurity disclosure obligations in coordination with Legal and Finance
• Lead identity governance, including access certification, privileged access management policy, and separation of duties enforcement
• Own privacy and data protection compliance strategy, partnering with Legal on data handling, breach notification, and policyholder data protection
• Manage the third-party and vendor cybersecurity risk management program
• Report to the Board of Directors and Audit and Risk Committee on cybersecurity posture, risk trends, and incident activity
• Provide second-line oversight and security control design input to the SOX ITGC program
• Build and lead the security engineering function, owning secure design standards and threat modeling practices that ensure security is embedded from architecture through to deployment
• Build, mentor, and develop the cybersecurity team and drive a culture of security awareness across the organization
• Lead cybersecurity budgeting, roadmap planning, and technology rationalization
• Own disaster recovery and business continuity planning across the enterprise, working closely with the CIO and CTO to drive regular testing, validate recovery capabilities, and ensure organizational resilience is aligned to business and cybersecurity risk
• Own the enterprise Incident Response Plan, lead the Security Incident Response Team (SIRT) across the full incident lifecycle from detection and containment through recovery and post-incident review, define severity classifications and escalation paths, and ensure cross-functional stakeholders (Legal, Compliance, IT, and executive leadership) are engaged appropriately during active incidents
• Drive a continuous improvement program with outcomes tracked to remediation and reported to the Audit and Risk Committee
• Lead the enterprise response to supply chain vulnerabilities across open-source dependencies and third-party service providers, owning risk assessment, mitigation, and remediation 

Must Haves: 

• 10+ years of progressive experience in cybersecurity or information security, with at least 5 years in a senior security leadership role (CISO, VP of Security, or Head of Information Security)
• Experience at a regulated, publicly traded company, including direct involvement in SOX audit cycles
• Track record of building and managing security operations capabilities
• End-to-end ownership of a SOC 2 program, including control design, audit preparation, and remediation
• Experience with cybersecurity regulations in a regulated industry (financial services, insurance, or healthcare preferred)
• Strong GRC background with experience maintaining risk registers, policy frameworks, and control libraries
• Proven ability to present cybersecurity risk and incident information to boards of directors, audit committees, and regulators
• Experience managing third-party and vendor cybersecurity risk programs
• Excellent cross-functional leadership skills with a track record of partnering effectively with Legal, Finance, Internal Audit, and Engineering 

Nice to Have: 

• Experience in the insurance, Insurtech, or fintech industry
• Familiarity with privacy frameworks and data protection requirements (CCPA/CPRA, state breach notification laws)
• Relevant certifications such as CISSP, CISM, CRISC, or CISA
• Background in security engineering or application security in addition to GRC and security operations
• Experience managing cybersecurity programs across multi-entity corporate structures1 

Benefits and Perks:

Hippo treats its team members with the same level of dedication and care as we do our customers, which is why we’re fortunate to provide all of our Hippos with: 

• Healthy Hippos Benefits - Multiple medical plans to choose from and 100% employer covered dental & vision plans for our team members and their families. We also offer a 401(k)-retirement plan, short & long-term disability, employer-paid life insurance, Flexible Spending Accounts (FSA) for health and dependent care, and an Employee Assistance Program (EAP) 
• Equity - This position is eligible for equity compensation  
• Training and Career Growth - Training and internal career growth opportunities 
• Flexible Time Off - You know when and how you should recharge 
• Little Hippos Program - We offer 12 weeks of parental leave for primary and secondary caregivers 
• Hippo Habitat - Snacks and drinks available and catered lunches for onsite employees
  

Hippo is an equal opportunity employer, and we are committed to building a team culture that celebrates diversity and inclusion. Hippo’s applicants are considered solely based on their qualifications, without regard to an applicant’s disability or need for accommodation. Any Hippo applicant who requires reasonable accommodations during the application process should contact the Hippo’s People Team to make the need for an accommodation known. 

Title: Chief Information Security Officer (CISO)

Location: Morristown, NJ / Austin, TX(hybrid)

Reports To: Chief Technology Officer

About Hippo:

Hippo exists to protect the joy of homeownership. We believe that insurance should protect the things you treasure through an intuitive, modern experience. We provide tailored insurance coverage and preventative maintenance plans that keep you protected throughout your homeowner journey. We’ll also help you find coverage for everything life brings—from auto to flood—reimagining how you care for your home.

About the Role: 

Hippo is hiring a Chief Information Security Officer to lead cybersecurity strategy, security operations, and governance, risk, and compliance across the enterprise. You will be responsible for protecting Hippo's systems, data, and customers against an evolving threat landscape while ensuring the company meets its regulatory and compliance obligations as a publicly traded, multi-state insurance carrier. 

This role owns Hippo's SOC 2 program, leads security operations, and drives compliance with applicable state and federal cybersecurity regulations. You will also own identity governance, privacy and data protection strategy, and third-party risk management. This is a high-visibility leadership role that requires equal fluency in security engineering, regulatory compliance, and executive communication. 

About You: 

You are a seasoned cybersecurity leader who has built and run security programs at a publicly traded, regulated company. You have navigated regulatory examinations and SOX audit cycles, and you can move seamlessly between a technical incident response scenario and a board presentation. You think in terms of risk, you quantify what you can, and you communicate what you can't with intellectual honesty. 

You bring a builder's mindset to security. You understand that a great security program enables the business rather than slowing it down, and you know how to embed security into engineering culture without creating friction. Whether your background is in Insurtech, fintech, healthcare, or another heavily regulated sector, you understand multi-regulator environments and lead with clarity and high standards. 

What You'll Do: 

• Further develop and execute Hippo's enterprise cybersecurity strategy, aligned with business risk appetite and regulatory requirements
• Build and lead the security operations function, including threat detection, incident response, vulnerability management, and threat intelligence
• Own Hippo's SOC 2 program end-to-end, including control design, evidence collection, readiness assessments, and auditor engagement
• Lead the governance, risk, and compliance function, maintaining the cybersecurity risk register, policy framework, standards, and control library
• Drive compliance with applicable state and federal cybersecurity and insurance regulations
• Support SEC cybersecurity disclosure obligations in coordination with Legal and Finance
• Lead identity governance, including access certification, privileged access management policy, and separation of duties enforcement
• Own privacy and data protection compliance strategy, partnering with Legal on data handling, breach notification, and policyholder data protection
• Manage the third-party and vendor cybersecurity risk management program
• Report to the Board of Directors and Audit and Risk Committee on cybersecurity posture, risk trends, and incident activity
• Provide second-line oversight and security control design input to the SOX ITGC program
• Build and lead the security engineering function, owning secure design standards and threat modeling practices that ensure security is embedded from architecture through to deployment
• Build, mentor, and develop the cybersecurity team and drive a culture of security awareness across the organization
• Lead cybersecurity budgeting, roadmap planning, and technology rationalization
• Own disaster recovery and business continuity planning across the enterprise, working closely with the CIO and CTO to drive regular testing, validate recovery capabilities, and ensure organizational resilience is aligned to business and cybersecurity risk
• Own the enterprise Incident Response Plan, lead the Security Incident Response Team (SIRT) across the full incident lifecycle from detection and containment through recovery and post-incident review, define severity classifications and escalation paths, and ensure cross-functional stakeholders (Legal, Compliance, IT, and executive leadership) are engaged appropriately during active incidents
• Drive a continuous improvement program with outcomes tracked to remediation and reported to the Audit and Risk Committee
• Lead the enterprise response to supply chain vulnerabilities across open-source dependencies and third-party service providers, owning risk assessment, mitigation, and remediation 

Must Haves: 

• 10+ years of progressive experience in cybersecurity or information security, with at least 5 years in a senior security leadership role (CISO, VP of Security, or Head of Information Security)
• Experience at a regulated, publicly traded company, including direct involvement in SOX audit cycles
• Track record of building and managing security operations capabilities
• End-to-end ownership of a SOC 2 program, including control design, audit preparation, and remediation
• Experience with cybersecurity regulations in a regulated industry (financial services, insurance, or healthcare preferred)
• Strong GRC background with experience maintaining risk registers, policy frameworks, and control libraries
• Proven ability to present cybersecurity risk and incident information to boards of directors, audit committees, and regulators
• Experience managing third-party and vendor cybersecurity risk programs
• Excellent cross-functional leadership skills with a track record of partnering effectively with Legal, Finance, Internal Audit, and Engineering 

Nice to Have: 

• Experience in the insurance, Insurtech, or fintech industry
• Familiarity with privacy frameworks and data protection requirements (CCPA/CPRA, state breach notification laws)
• Relevant certifications such as CISSP, CISM, CRISC, or CISA
• Background in security engineering or application security in addition to GRC and security operations
• Experience managing cybersecurity programs across multi-entity corporate structures1 

Benefits and Perks:

Hippo treats its team members with the same level of dedication and care as we do our customers, which is why we’re fortunate to provide all of our Hippos with: 

• Healthy Hippos Benefits - Multiple medical plans to choose from and 100% employer covered dental & vision plans for our team members and their families. We also offer a 401(k)-retirement plan, short & long-term disability, employer-paid life insurance, Flexible Spending Accounts (FSA) for health and dependent care, and an Employee Assistance Program (EAP) 
• Equity - This position is eligible for equity compensation  
• Training and Career Growth - Training and internal career growth opportunities 
• Flexible Time Off - You know when and how you should recharge 
• Little Hippos Program - We offer 12 weeks of parental leave for primary and secondary caregivers 
• Hippo Habitat - Snacks and drinks available and catered lunches for onsite employees
  

The Morristown, NJ base pay range for this role is $237,500 - $390,000. Exact compensation may vary based on several job-related factors that are unique to each candidate, including but not limited to: skill set, experience, education/training, location, business needs and market demands.

Hippo is an equal opportunity employer, and we are committed to building a team culture that celebrates diversity and inclusion. Hippo’s applicants are considered solely based on their qualifications, without regard to an applicant’s disability or need for accommodation. Any Hippo applicant who requires reasonable accommodations during the application process should contact the Hippo’s People Team to make the need for an accommodation known. 

Position Overview
Vectra is looking for an Manager of Audit & Compliance to plan and execute internal audits of the company’s IT processes, systems, and controls, helping ensure effective risk management and regulatory compliance. The position reports directly to the Sr. Director of IT Security and can be based in Austin, Boston, or Remote US.

Responsibilities

• Audit Planning & Execution: Develop and carry out a risk-based internal audit plan for IT operations, security controls, and compliance processes. Conduct audits from planning through reporting, evaluating the effectiveness of IT controls, policies, and procedures.

• Risk Identification & Remediation: Identify control gaps and IT-related risks during audits and recommend actionable improvements. Prepare clear audit findings reports and work with stakeholders on remediation plans. Track audit findings and drive remediation efforts to closure with accountable owners.

• Cross-Functional Collaboration: Work closely with IT, Security, Engineering, and other teams to gather evidence and facilitate audit processes. Serve as a liaison with external auditors and internal teams for any audit inquiries or compliance assessments. Ensure security controls and processes are well documented and demonstrated during audits.

• Compliance Support: Support external compliance audits and certifications (e.g. ISO 27001, SOC 2) by providing required documentation and coordinating audit logistics. Partner with compliance and GRC functions to align internal audit activities with regulatory requirements and company policies.

• Process Improvement & Documentation: Maintain comprehensive audit workpapers and documentation repositories using a modern GRC tool in order to meet quality and retention standards. Help build audit playbooks and improve audit workflows (e.g. automating evidence collection) to increase efficiency. Stay up-to-date on industry best practices and emerging regulations to continually enhance the IT audit program.

Qualifications

• Education & Certification: University degree in Information Systems, Computer Science, MIS, or a related field. Professional certification such as CISA (Certified Information Systems Auditor) or CIA is strongly preferred.

• Experience: 5+ years of experience in IT auditing, IT risk, or related compliance fields. Demonstrated experience leading or executing multiple IT audits end-to-end, including working with external or third-party auditors. Experience in a high-growth or technology-driven environment is a plus.

• Technical Knowledge: Strong understanding of IT governance, security, and compliance frameworks – e.g. ISO 27001, SOC 2, NIST 800-53, Sarbanes-Oxley (SOX), GDPR – and how they apply to enterprise environments. Familiarity with cloud platforms and enterprise IT controls (AWS, Azure, O365, etc.) and with IT general controls and processes.

• Tools: Experience with GRC or audit management tools (e.g. AuditBoard, Drata, Vanta) is a plus for streamlining compliance evidence and audit tracking.

• Soft Skills: Excellent communication skills, with the ability to clearly report findings and recommendations to both technical and non-technical stakeholders. Strong organizational and project management skills to handle multiple audits simultaneously. A collaborative, integrity-driven approach and a problem-solving mindset are essential.

The GRC Engineer is a role within SpyCloud’s Governance, Risk, and Compliance (GRC) department, part of the Legal & Compliance organization. This position plays a critical role in strengthening SpyCloud’s compliance posture by driving audit readiness, scaling continuous control testing, and embedding compliance requirements into cloud-native systems and workflows.

This role partners closely with Engineering, Security, IT, Product, and Legal teams to ensure compliance requirements are implemented effectively within cloud environments. The GRC Engineer leads complex compliance initiatives while leveraging automation and scripting to improve efficiency, accuracy, and scalability.

What You'll Do:

• Compliance Program & Framework Management
• Lead and support compliance programs including SOC 2, ISO 27001, and CMMC, with a strong focus on cloud-native environments. 
• Coordinate internal and external audits, ensuring accurate evidence collection and alignment with technical stakeholders. 
• Support customer security reviews and questionnaires by clearly articulating SpyCloud’s cloud security controls and compliance posture.
• Audit Readiness & Continuous Controls
• Own continuous audit readiness across cloud platforms such as AWS, GCP, and Azure.
• Design and execute continuous control testing using automation and scripting (preferably Python). 
• Partner with Engineering and Security teams to ensure compliance is embedded into system design and change management processes.
• GRC Automation & Tooling 
• Build, maintain, and enhance automated evidence collection workflows using Vanta. 
• Integrate Vanta with cloud environments, identity systems, and CI/CD pipelines to support continuous compliance. 
• Collaborate with Engineering to implement automated compliance checks within cloud deployments.
• Governance, Policies & Standards 
• Develop and maintain security and compliance policies, standards, and procedures aligned with cloud architecture and operational practices. 
• Ensure governance documentation supports SOC 2, ISO 27001, and CMMC requirements while remaining practical for technical teams. 
• Translate complex technical requirements into clear, actionable controls.
• Risk Management 
• Lead risk assessments across cloud services, systems, and business processes.
• Identify, assess, and drive remediation of cloud security and compliance risks. 
• Partner with stakeholders to ensure risks are understood, prioritized, and addressed.
• Vendor Risk Management 
• Enhance vendor risk management workflows through automation and integration, including integration audits of third-party cloud services.
• Cross-Functional Collaboration 
• Work closely with Engineering, IT, Security, Product, and Legal teams to embed compliance into architecture and design decisions. 
• Serve as a subject matter expert for cloud compliance, control validation, and compliance automation.

Requirements:

• Experience
• 5+ years of experience in Governance, Risk & Compliance (GRC), security compliance, auditing, or related roles. 
• Demonstrated experience applying SOC 2, ISO 27001, and/or CMMC requirements to cloud environments. 
• Experience leading audit readiness activities and working directly with auditors.
• Strong collaboration experience with engineering and cloud operations teams.
• Education 
• Bachelor’s degree in Information Security, Computer Science, Engineering, or equivalent professional experience.
• Technical Skills Required: 
• Ability to understand and write code, preferably Python, to automate evidence collection and validate cloud controls. 
• Strong knowledge of cloud architectures, IAM, logging, monitoring, and cloud security best practices. 
• Hands-on experience using Vanta for compliance automation and integrations.
• Familiarity with SOC 2, ISO 27001, CMMC, NIST 800-53, and CIS Benchmarks.
• Soft Skills 
• Strong written and verbal communication skills. 
• Ability to work independently and manage multiple priorities. 
• Strong analytical, problem-solving, and collaboration skills.

Nice to Have:

• Certifications such as CISA, CISSP, CCSK, CCAK, or ISO 27001 Lead Auditor/Implementer.
• Experience with CI/CD pipelines, secure development practices, or cloud security engineering. 
• Experience conducting integration audits or third-party cloud risk assessments.