Staff Information Security Specialist
Carrum Health · United States · 2 mo ago
RemoteRemoteInformation Technology$150k–$190k/yrFull-time
Job Summary
Inspired by a passion to transform healthcare, Carrum seeks a seasoned "force multiplier" to join our Cybersecurity & IT team. This role demands a strategic partner with a blend of Senior IT/Security and Senior DevOps/Engineering expertise, ready to mature our cybersecurity program and deliver immediate value.
About the Role
This is a full-time position with a salary range of $150,000 - $190,000, depending on experience and location. The role involves operating as a force multiplier for the Director, executing high-impact security initiatives, and supporting compliance and business enablement.
Responsibilities
- Operate as a force multiplier for the Director and second-in-command, executing high-impact security initiatives and identifying opportunities to operationalize security strategy.
- Execute the compliance lifecycle for HITRUST, SOC 2, and HIPAA using automation platforms like Vanta.
- Play a critical role in revenue enablement by performing vendor reviews and taking the "first pass" on client security questionnaires to unblock sales deals.
- Lead the design and restructuring of complex access controls to enforce Least Privilege across our SaaS and Cloud ecosystem.
- Migrate us away from manual provisioning by implementing lifecycle automation and Identity Governance (IGA) workflows.
- Function as an Application Security lead by conducting automated and manual code security reviews, performing threat hunting, and tracking remediation tasks directly with the Engineering and DevOps teams.
- Proactively identify, evaluate, and leverage AI-driven security tools to automate manual tasks, improve threat detection, and enhance internal knowledge management.
- Collaborate with cross-department leadership to define and execute the security posture for our adoption of emerging AI technologies.
- Configure and analyze logs for our defensive stack, including tools such as SentinelOne, AWS Security Hub/GuardDuty, and Spin.ai.
- Act as a technical lead during security incidents, coordinating the initial response, leading investigation efforts, and communicating technical findings to Engineering and Leadership to ensure rapid remediation and minimal business impact.
- Contribute to the security policy lifecycle by participating in regular reviews and updating internal documentation to ensure it remains current, effective, and aligned with the evolving threat landscape.
- Drive policy governance by contributing to the security policy lifecycle and updating internal documentation.
- Act as the lead for rolling out new security tools or processes, driving a "security-first" culture by leading internal awareness sessions and educating team members on best practices.
Requirements
- 8+ years of relevant experience in senior-level IT, DevOps, Engineering, or Security roles.
- Deep experience with compliance automation platforms (Vanta is preferred, but experience with Drata or Secureframe is acceptable).
- Expert-level knowledge of Identity and Access Management (IAM) principles, specifically for re-architecting roles and enforcing the principle of least privilege in complex environments.
- Hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.
- Hands-on experience configuring and managing Zscaler environments.
- Administration and policy configuration for SentinelOne or similar EDR platforms.
- Experience with SaaS Security Posture Management (SSPM) tools like Spin.ai.
- Interest in leveraging AWS AI tools (Amazon Q Business, Bedrock, Kendra) for internal knowledge management.
Qualifications
- Comfortable working independently as a Full-Time Employee (FTE), with clear deliverables and minimal day-to-day supervision.
- Value practical application over certifications, prioritizing hands-on experience.
- Bring a "builder" mindset but understand the importance of administrative security work; willing to dive into security questionnaires and vendor assessments to support business growth.
- Communicate technical security risks and incident status clearly across both written and oral formats to non-technical stakeholders and clients.
- Advocate for security priorities and negotiate "secure-by-default" solutions with Engineering and Product teams.
- Highly organized and comfortable using task management tools (preferably Jira) to structure work and track deliverables.
- Hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.
Skills
- Comprehensive understanding of compliance automation platforms (Vanta is preferred, but experience with Drata or Secureframe is acceptable).
- Expert-level knowledge of Identity and Access Management (IAM) principles, specifically for re-architecting roles and enforcing the principle of least privilege in complex environments.
- Hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.
- Hands-on experience configuring and managing Zscaler environments.
- Administration and policy configuration for SentinelOne or similar EDR platforms.
- Experience with SaaS Security Posture Management (SSPM) tools like Spin.ai.
- Interest in leveraging AWS AI tools (Amazon Q Business, Bedrock, Kendra) for internal knowledge management.