Jobs · Information Technology

Staff Information Security Specialist

Carrum Health · United States · 2 mo ago
RemoteRemoteInformation Technology$150k–$190k/yrFull-time

Job Summary

Inspired by a passion to transform healthcare, Carrum seeks a seasoned "force multiplier" to join our Cybersecurity & IT team. This role demands a strategic partner with a blend of Senior IT/Security and Senior DevOps/Engineering expertise, ready to mature our cybersecurity program and deliver immediate value.

About the Role

This is a full-time position with a salary range of $150,000 - $190,000, depending on experience and location. The role involves operating as a force multiplier for the Director, executing high-impact security initiatives, and supporting compliance and business enablement.

Responsibilities

  • Operate as a force multiplier for the Director and second-in-command, executing high-impact security initiatives and identifying opportunities to operationalize security strategy.
  • Execute the compliance lifecycle for HITRUST, SOC 2, and HIPAA using automation platforms like Vanta.
  • Play a critical role in revenue enablement by performing vendor reviews and taking the "first pass" on client security questionnaires to unblock sales deals.
  • Lead the design and restructuring of complex access controls to enforce Least Privilege across our SaaS and Cloud ecosystem.
  • Migrate us away from manual provisioning by implementing lifecycle automation and Identity Governance (IGA) workflows.
  • Function as an Application Security lead by conducting automated and manual code security reviews, performing threat hunting, and tracking remediation tasks directly with the Engineering and DevOps teams.
  • Proactively identify, evaluate, and leverage AI-driven security tools to automate manual tasks, improve threat detection, and enhance internal knowledge management.
  • Collaborate with cross-department leadership to define and execute the security posture for our adoption of emerging AI technologies.
  • Configure and analyze logs for our defensive stack, including tools such as SentinelOne, AWS Security Hub/GuardDuty, and Spin.ai.
  • Act as a technical lead during security incidents, coordinating the initial response, leading investigation efforts, and communicating technical findings to Engineering and Leadership to ensure rapid remediation and minimal business impact.
  • Contribute to the security policy lifecycle by participating in regular reviews and updating internal documentation to ensure it remains current, effective, and aligned with the evolving threat landscape.
  • Drive policy governance by contributing to the security policy lifecycle and updating internal documentation.
  • Act as the lead for rolling out new security tools or processes, driving a "security-first" culture by leading internal awareness sessions and educating team members on best practices.

Requirements

  • 8+ years of relevant experience in senior-level IT, DevOps, Engineering, or Security roles.
  • Deep experience with compliance automation platforms (Vanta is preferred, but experience with Drata or Secureframe is acceptable).
  • Expert-level knowledge of Identity and Access Management (IAM) principles, specifically for re-architecting roles and enforcing the principle of least privilege in complex environments.
  • Hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.
  • Hands-on experience configuring and managing Zscaler environments.
  • Administration and policy configuration for SentinelOne or similar EDR platforms.
  • Experience with SaaS Security Posture Management (SSPM) tools like Spin.ai.
  • Interest in leveraging AWS AI tools (Amazon Q Business, Bedrock, Kendra) for internal knowledge management.

Qualifications

  • Comfortable working independently as a Full-Time Employee (FTE), with clear deliverables and minimal day-to-day supervision.
  • Value practical application over certifications, prioritizing hands-on experience.
  • Bring a "builder" mindset but understand the importance of administrative security work; willing to dive into security questionnaires and vendor assessments to support business growth.
  • Communicate technical security risks and incident status clearly across both written and oral formats to non-technical stakeholders and clients.
  • Advocate for security priorities and negotiate "secure-by-default" solutions with Engineering and Product teams.
  • Highly organized and comfortable using task management tools (preferably Jira) to structure work and track deliverables.
  • Hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.

Skills

  • Comprehensive understanding of compliance automation platforms (Vanta is preferred, but experience with Drata or Secureframe is acceptable).
  • Expert-level knowledge of Identity and Access Management (IAM) principles, specifically for re-architecting roles and enforcing the principle of least privilege in complex environments.
  • Hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.
  • Hands-on experience configuring and managing Zscaler environments.
  • Administration and policy configuration for SentinelOne or similar EDR platforms.
  • Experience with SaaS Security Posture Management (SSPM) tools like Spin.ai.
  • Interest in leveraging AWS AI tools (Amazon Q Business, Bedrock, Kendra) for internal knowledge management.

Similar jobs