Director, IT & Security

About the Company:

Octave is a modern behavioral health practice creating a new standard for care delivery that’s both high-quality and accessible. With in-person and virtual clinics in multiple states, the company offers evidence-based individual, couples, and family therapy, while pioneering relationships with payers to make care more affordable through insurance. By raising the bar on how care is delivered and how providers are supported, we are building a sustainable system that values equity, affordability, and effectiveness.

Job Summary: 

As the Director of IT & Security, you are the primary architect of the company’s technological resilience and security posture. You provide the strategic vision for a scalable, secure corporate infrastructure that enables rapid business growth while maintaining rigorous compliance. You are not just managing systems; you are owning the overall strategy for risk mitigation, technical governance, and the evolution of the modern workplace.

Management Responsibilities: 

• Develops, coordinates, and implements  systems, policies, procedures, and productivity standards.
• Foster a positive and collaborative work environment.
• Oversee the planning, execution, and completion of projects and initiatives within the team.
• Establish and monitor operational processes and workflows to enhance efficiency and productivity.
• Implement best practices, monitor key performance indicators (KPIs), and develop strategies to achieve operational excellence.
• Ensures a safe, secure, and compliant work environment.
• Build and manage a high-performing team, including hiring, training, and development.
• Provide leadership to the team, including setting goals/objectives, providing guidance/feedback, and ensuring the team's overall success.
• Identify skill gaps within the team and develop strategies for filling those gaps. Support employee development through training, mentoring, and coaching. Identify high-potential employees and create succession plans.

Duties & Responsibilities: 

• Define and own the company IT and security strategy, aligning infrastructure, systems, and risk posture with company growth, product evolution, and regulatory requirements.
• Build, lead, and scale a high-performing IT and Security organization, establishing clear operating models, priorities, and accountability across IT and security operations.
• Oversee end-to-end IT operations and employee technology experience, including onboarding/offboarding, identity and access management, device lifecycle, and enterprise tooling.
• Own and mature the security program, including governance, risk management, security architecture, vulnerability management, and threat detection and response (SOC).
• Drive the management —in partnership with our compliance committee — of risk, compliance, and audit, leading HIPAA and SOC 2 readiness, managing audits, and ensuring continuous compliance through strong policies, controls, and documentation.
• Partner cross-functionally with Engineering, Product, Data, Legal, and People teams to embed security and IT best practices into systems, development lifecycles, and business operations.
• Drive company initiatives to enhance system reliability, scalability, security, and business continuity, including disaster recovery planning and resilience of critical systems.
• Own the IT vendor and partner strategy, including selection, negotiation, performance management, and cost optimization while maintaining high security and service standards.
• Establish and report on KPIs and metrics for IT performance, security posture, and risk, providing actionable insights to executive leadership.
• Act as a trusted advisor to leadership, guiding decisions on technology investments, emerging threats, and trade-offs between risk, cost, and speed.
• Own the company's AI governance framework, including acceptable use policies, tool evaluation processes, and an enterprise-wide AI inventory and risk register.
• Define standards for embedding AI tools into workflows and business processes, ensuring integration architecture, data flows, and security controls align with compliance obligations.
• Own data classification standards and data loss prevention strategy, ensuring sensitive data — including PHI — is identified, categorized, and protected in alignment with HIPAA and other regulatory requiremen