SimplePractice

Director of Application Security

SimplePractice, Santa Monica


Overview

At SimplePractice, we are improving access to quality care by equipping health and wellness clinicians with all the tools they need to thrive in private practice. More than 250,000 providers trust SimplePractice to build their business through our industry-leading software with powerful tools that simplify every part of practice management. From admin work to clinical care, our suite of innovative solutions works together to reduce administrative burden—empowering solo and small group practitioners to thrive alongside their clients. Recognized by MedTech Breakthrough as the Best Practice Management Solution Provider in 2024 and the Digital Health Awards in 2023, SimplePractice is proud to pave the future of health tech.

SimplePractice is a leading practice management platform for health & wellness professionals. We are dedicated to empowering practitioners to run their businesses more efficiently and securely. We are seeking a strategic and experienced Director of Application Security to lead, build, and scale our Application Security program across the entire organization. In this leadership role, you will be responsible for defining the application security strategy, managing a team (or scaling a team), setting technical direction, and ensuring robust security practices are integrated throughout the software development lifecycle (SDLC). You will be a key leader in mitigating risk, ensuring compliance with complex healthcare regulations, and advancing our mission of securely empowering health & wellness professionals.

Responsibilities

  • Application Security Program Leadership & Strategy: Define, communicate, and execute the long-term vision, strategy, and roadmap for the Application Security program, aligning it with business objectives and regulatory requirements (e.g., HIPAA, HITRUST, PCI).
  • Act as player/coach for our Application Security team, fostering a culture of ownership, continuous improvement, and deep technical partnership with engineering.
  • Develop and manage the Application Security budget, selecting and overseeing the deployment of essential security tools and technologies (SAST, DAST, SCA, IAST, etc.).
  • Drive the adoption of secure development practices, secure coding standards, and security design principles across all product and engineering teams.
  • Serve as the primary subject matter expert for application security across the organization, advising C-level and senior leadership on risks and mitigation strategies.
  • Application Security Architecture & Risk Management: Oversee and guide the application security architecture process, ensuring security is built into the design of web applications, APIs, and microservices from the ground up.
  • Establish and formalize the application-level threat modeling program to proactively identify and prioritize risks across the product portfolio.
  • Develop comprehensive metrics and reporting to track the organization's application security posture, vulnerability remediation progress, and program effectiveness for executive review.
  • Lead the application-focused incident response strategy, ensuring effective communication, root cause analysis, and the implementation of robust preventative controls post-incident.
  • Securing AI/ML Solutions: Lead threat modeling efforts for our AI product suite; define and enforce the security standards and controls tailored for AI/ML features to mitigate risks such as prompt injection, model poisoning, and data leakage; collaborate with Data Science and Engineering teams to integrate SecMLOps, ensuring secure data handling, model integrity verification, and secure deployment pipelines; implement and manage security testing methodologies (e.g., adversarial testing, data drift monitoring) specific to ML models and related APIs; partner with legal and compliance teams to ensure ethical and secure use of AI and compliance with healthcare security, privacy, and regulatory requirements for AI/ML applications.
  • SDLC Integration & Automation: Champion DevSecOps principles, overseeing the integration of automated security testing and controls directly into CI/CD pipelines and engineering workflows; partner with engineering leadership to implement tooling and educational initiatives that enable developers to efficiently write and deploy secure code at scale in the age of AI.
  • Governance, Risk, & Compliance: Ensure the Application Security program meets all applicable regulatory and contractual obligations (e.g., HIPAA, HITRUST, PCI); oversee third-party vendor security assessments, focusing on the security and data protection posture of integrated applications and services; act as the key liaison for all application security matters during customer security reviews, regulatory audits, and compliance activities.

Desired Skills & Experience

  • 8+ years of experience in Information Security, with at least 3 years in a senior or leadership role establishing and running a modern Application Security program.
  • Proven ability to define, communicate, and execute a multi-year Application Security strategy and roadmap.
  • Demonstrated experience managing or mentoring security engineers and growing technical teams.
  • Deep technical understanding of application security architectures, secure development lifecycles (SDLC), and modern security automation/DevSecOps practices.
  • Expertise in common application vulnerabilities and threat modeling methodologies.
  • Demonstrated experience managing security in a regulated environment (e.g., healthcare, finance), with deep knowledge of compliance frameworks like HIPAA, HITRUST, PCI.
  • Strong background with cloud technologies (AWS, GCP, or Azure), containerization (Docker/Kubernetes), and serverless architectures.
  • Exceptional leadership, communication, and interpersonal skills, with the ability to influence technical and non-technical stakeholders up to the executive level.
  • Bonus Points: Bachelor’s or Master’s degree in Computer Science, Cybersecurity, or a related field; relevant industry certification (e.g., CISSP, CSSLP, CISM); direct experience leading Application Security in healthcare technology; experience selecting, negotiating, and managing complex third-party application security tools (SAST/DAST/SCA); experience building security into AI security products.

This role offers a highly visible and impactful opportunity to build and mature the Application Security foundation for a leading platform in the healthcare technology space. The successful candidate will be critical in protecting sensitive client data, ensuring compliance, and driving a pervasive security culture across the entire engineering organization.

Compensation & Benefits

Base Compensation Range: $176,000 - $220,000 annually. Base salary is one component of total compensation. Employees may also be eligible for an annual bonus or commission. Some roles may also be eligible for overtime pay.

The above represents the expected base compensation range for this job requisition. Ultimately, in determining your pay, we’ll consider many factors including, but not limited to, skills, experience, qualifications, geographic location, and other job-related factors.

Benefits include a competitive program: Medical, dental, vision, life & disability insurance; 401(k) plan with company match; Flexible Time Off (FTO), wellbeing days, paid holidays, and summer Fridays; Mental health resources; Paid parental leave & Backup Care; Tuition reimbursement; Employee Resource Groups (ERGs).

California Job Applicant Privacy Notice: Thank you for your interest in opportunities at SimplePractice LLC. When you submit your resume or application materials, you are subject to the SimplePractice California Job Applicant Privacy Notice. For more information about our privacy practices, please contact
