Senior Technical Program Manager, Security
Aledade
Management | United States
Job Description
Aledade exists to help independent primary care practices survive and thrive — and to bend the healthcare cost curve by reducing the most suffering and saving the most lives. That mission runs on trust: trust that patient data is protected, that financial controls hold, that the systems clinicians and patients depend on are secure and reliable.

This role exists to scale that trust through security as a foundation, not the friction.

As Sr Security TPM, you bring vision and depth across multiple disciplines: the controls and compliance frameworks that are non-negotiable in healthcare and financial operations, the engineering instincts that come from understanding how engineering teams actually work — their cycles, their constraints, their craft — and knowing how to weave security into that fabric as a native discipline, not an outside requirement, and the program leadership to make it all move at the speed the technology landscape demands. You understand where a security program is, what it needs to become, and how to build the structures that get it there — durably, extensibly, and without creating hurdles or stovepipes along the way.

You see security as infrastructure. You engineer the highways — not the roadblocks — so that the compliance requirements, control frameworks, and engineering practices that protect Aledade’s patients, practices, and people aren’t obstacles to work around. They’re already built into how work gets done, smoothing the way for the trust this mission depends on.

Primary Duties

Diagnose, prioritize, and drive security program maturity
- Assess the current state with clear eyes: identify what’s working, what’s underdeveloped, and what needs to be rebuilt
- Build a prioritized, multi-quarter roadmap that sequences risk reduction against business reality — without waiting to be handed a problem statement
- Establish governance, ownership, and metrics that make the portfolio legible and actionable across security leadership, engineering leadership, and executives
- Hold the line on outcomes — not activity or artifacts.

Translate security requirements into engineering practice
- Make security by design the operating standard: shift-left practices, threat modeling, architecture review, and controls embedded into how teams plan and ship
- Own the intersection of what security requires and what engineering can build — and move both sides toward it, fluently
- Remove the blockers that sit between security intent and engineering execution
- Build the habits and structures that outlast any individual program or initiative

Own the compliance surface without losing sight of real risk
- Translate HIPAA, financial controls, and governance requirements into resilient programs that reduce actual exposure and scale — not just satisfy milestone audits
- Sequence compliance investments against where the company is going, not just where it’s been
- Build the evidence frameworks, metrics, and operational readiness that hold up under real scrutiny at scale

Shape the AI security framework before it becomes a crisis
- Synthesize Aledade posture about AI risk, guardrails, and governance as AI becomes embedded in how we work and what we build
- Build the scaffolding — principles, review processes, accountability structures — that gives others a framework to execute against
- Operate with conviction in a space where the industry is still writing the rules

Drive alignment across a complex, high-stakes intersection
- Operate at the seam between security, engineering, compliance, legal, and finance — without owning any of the headcount
- Eliminate toil that crushes effectiveness of the subject matter experts around you by clearing the path, not walking it for them
- Surface what’s being normalized that shouldn’t be — the risks deferred, the gaps unnamed, the programs that exist only on paper
- Drive evidence-based decisions that stick — from architecture, through build, to the risk level with executives
- Full-stack program leadership: equally at home in an architecture review, a compliance audit, a risk conversation with the CTO, and a sprint planning session with an engineering team

Minimum Qualifications
- 10+ years in technical program management at Staff-level scope — cross-org, ambiguous, high-stakes security programs
- Deep security domain fluency: frameworks, controls, HIPAA and financial-specific obligations, risk management — and how all of it maps to real engineering decisions
- Technical judgment strong enough to question the status quo, challenge architectural decisions, and identify real risk versus inherited noise
- Proven track record of transforming security programs — advancing maturity, closing gaps, and positioning programs for where the business is going
- Influence without authority across senior security, engineering, compliance, and executive stakeholders
- Outcomes orientation: risk reduction and program maturity

Preferred KSA’s
- Experience in healthcare or other highly regulated environments where security failure has consequences beyond the company
- Track record of building s
