Director of IT & Security Operations
IT, Operations
Remote
“Be part of a company that is influential and the standard for a rapidly evolving industry!”
WHO ARE WE?
RealTime eClinical Solutions is a Global Leader and rapidly growing SaaS technology company that provides comprehensive Software Solutions to the clinical research industry.
Our Vision is to reshape the global clinical research industry with innovative solutions that help advance medicine and save lives. Our cloud-based solutions are dedicated to solving complex problems and simplifying clinical research processes to be more organized, efficient, and cost-effective. We are based out of San Antonio, TX, but are truly a remote and telecommuting company.
WHAT ARE WE LOOKING FOR?
RealTime’s Director of IT & Security Operations owns the security, availability, and compliance of the systems that run RealTime’s multi-tenant clinical-trial platform and corporate environment. The role is accountable for operating and evidencing the controls that keep RealTime HIPAA-compliant and SOC 2 Type 2 audit-ready. This covers protecting Protected Health Information (PHI) across per-customer databases, governing how infrastructure is provisioned as code, and controlling how AI systems access regulated data. The role leads corporate IT and helpdesk and is the subject-matter expert for system and security architecture, uptime, and security posture.
WHAT WILL YOU BE DOING?
Compliance & Security Governance (HIPAA / SOC 2 Type 2)
- Operate and evidence the controls required for SOC 2 Type 2 (Security, Availability, and Confidentiality) and the HIPAA Security, Privacy, and Breach Notification Rules.
- Act as day-to-day lead for external SOC 2 Type 2 and HIPAA audits. Maintain the control narrative, coordinate evidence, and close findings.
- Run continuous control monitoring (GRC) tooling such as Vanta or Drata so control status and evidence stay current.
- Maintain the risk register and run an annual risk assessment covering PHI systems, vendors, and infrastructure.
- Own the Business Associate Agreement (BAA) lifecycle and third-party risk. Execute and track BAAs with every vendor that touches PHI, including cloud and AI vendors, and review vendor security annually.
Data Protection & Access Management
- Enforce least privilege of access across corporate and production systems: role-based access control, MFA, and time-bound access to customer databases and PHI.
- Own the joiner-mover-leaver process and run quarterly access reviews, including privileged access, with evidence retained for audit.
- Deploy data-leakage controls: data classification, DLP, egress filtering, and database activity monitoring to detect and block unauthorized bulk access.
- Validate multi-tenant isolation as a standing control and confirm one customer’s data cannot be reached from another tenant. Manage encryption at rest and in transit, with keys held separately from the data.
- Own secrets management. No credentials, keys, or tokens in source code, container images, or infrastructure-as-code state.
Cloud Operations & Infrastructure as Code
- Manage cloud hosting vendors and environment changes. Maintain and improve the RTSS database infrastructure architecture in a cloud-hosted environment, including replication, federation, availability, and recoverability.
- Manage cloud infrastructure as code (Terraform) as the source of truth: peer-reviewed changes, drift detection, and policy-as-code enforced in CI/CD, with separation between the author and approver of a change.
- Detect and resolve infrastructure performance issues (CPU, memory, disk I/O, resource contention). Design and deploy infrastructure to meet the CIS Critical Security Controls.
- Own vulnerability and patch management with remediation SLAs by severity, recurring scanning, and annual third-party penetration testing, tracked to closure.
- Support the team on customer non-code issues such as email and SSO.
Security Operations & Incident Response
- Monitor the security of corporate and cloud environments. Identify detection gaps and expand log collection, detection, and analytics.
- Run centralized, tamper-evident logging (SIEM) with anomaly alerting and six-year retention aligned to HIPAA.
- Maintain and test a documented incident response plan with defined severity levels, escalation, and evidence retention. Run tabletop exercises.
- Investigate incidents, determine root causes, preserve evidence, and meet HIPAA breach-notification timelines within 60 days.
AI / LLM Governance
- Set and enforce controls for how AI and LLM systems access regulated data, including internal MCP services and cloud AI such as AWS Bedrock. Confirm BAA coverage of AI vendors, prevent PHI exposure to models, and audit AI usage.
- Set and enforce an acceptable-use policy covering unmanaged AI tools.
Internal Helpdesk
- Manage the team by providing technical support to employees.
- Manage corporate IT: desktop support, business applications, and procurement and asset management of hardware and software.
- Provide project management for internal IT deployments, migrations, and mergers.
Technology Leadership
- Develop and maintain IT, security, and systems architecture SOPs, and run security-awareness training for the workforce.
- Design and manage the disaster-recovery and business-continuity process with defined RTO and RPO targets and periodic recovery testing.
- Define and report security and reliability KPIs: access-review completion, patch and remediation SLA attainment, mean time to detect and respond, control pass rate, and uptime.
- Participate in technical solution and design discussions. Maintain compliance with company policies on the HIPAA Privacy Rule. This role may view PHI as part of daily duties.
WHAT DO YOU NEED?
- Deep understanding of operations, systems, network, and cloud security.
- Experience operating and evidencing controls for SOC 2 Type 2 and the HIPAA Security Rule in a production environment handling regulated data.
- Hands-on experience with identity and access management, least-privilege design, and privileged access management.
- Experience with infrastructure as code (Terraform) and change management in a CI/CD pipeline.
- Experience with SIEM and security monitoring of cloud environments. AWS preferred.
- Strong leadership and business judgment. Experience managing multiple projects across prioritization, planning, and execution.
- Experience troubleshooting production workloads using application and system monitoring tools.
- Experience with replication, federation, and relational databases.
WHAT SETS YOU APART?
- Security certification such as CISSP, CISM, or CCSP.
- Experience leading or coordinating a SOC 2 Type 2 examination or HIPAA audit. Two or more years of HIPAA compliance experience.
- Experience with DLP, database activity monitoring, and data-egress controls in a multi-tenant SaaS environment.
- Experience governing AI or LLM systems that process regulated data.
- Experience managing remote employees and supporting corporate IT globally.
- Working knowledge of Git and source control (GitHub or Subversion). Experience with Kanban or other agile methods.
- Bachelor’s degree in computer science, software engineering, or equivalent experience.
WHAT IS IN IT FOR YOU?
- The company sponsors health insurance, long-term disability, and life insurance.
- Unlimited Paid Time Off.
- 10 paid Holidays.
- Paid Parental Leave.
- Work Anniversary Bonus.
- Participation in the Employee of the Quarter Program.
- Monthly $100 Connectivity Stipend Reimbursement.
- RealTime matches employee 401K contributions at 100% of the first 3% invested and 50% of the next 2% invested.
All successful candidates must complete and pass reference and background checks.
The desired salary must be indicated for the application to be considered.
The pay rate is commensurate with experience and is determined on an individual basis after an interview has occurred.
Equal Opportunity Employer – RealTime eClinical Solutions strongly values diversity and is committed to equal opportunity and non-discrimination in all of its policies and practices, including employment.
Your Right to Work – In compliance with federal law, all persons hired will be required to verify identity and eligibility.
Thank you for your interest in RealTime eClinical Solutions.