• Work closely with engineering and product teams as a trusted security partner, helping teams ship securely without unnecessary friction. • Design and implement secure-by-default patterns, SDLC guardrails, and secure primitives (“paved roads”) that reduce the need for manual security reviews. • Contribute to and review code in shared repositories that include customer-facing applications, APIs, infrastructure, and internal tooling. • Identify, prioritize, and drive remediation of security risks across application and cloud environments, with a strong emphasis on AWS and Kubernetes. • Help define practical security standards and explain the why behind them, building understanding, trust, and shared ownership with developers. • Improve automated guardrails and security review capabilities (e.g.policy-as-code, CI/CD controls, Kubernetes controls) to catch issues early while minimizing noise. • Take ownership of product-level security posture for Thoughtful systems while collaborating with the broader security team on shared tooling and strategy.

• Ensure cloud-hosted IT systems are architected and designed to meet DoD security requirements, standards, and control baselines. • Review cloud security policies and provide recommendations to improve overall security posture, including protection, detection, monitoring, and incident response capabilities for systems and data. • Apply knowledge of current advances in cloud security engineering and evolving cloud threats to support secure deployment of programs and applications. • Provide input throughout the deployment lifecycle to ensure systems meet DoD compliance requirements and are positioned to achieve/maintain ATO. • Provide guidance to assessment staff performing Cybersecurity Vulnerability Assessments related to cloud hosting environments, ensuring findings are risk-prioritized and remediations are actionable. • Advise on control selection, inheritance, and implementation for cloud services (e.g., leveraging FedRAMP baselines and CSP-native controls) and assist teams in developing audit-ready artifacts and evidence. • Coordinate with SOC/Blue Team/IR stakeholders to align logging, monitoring, alerting, and response with mission objectives and compliance obligations. • Partner with engineering, DevSecOps, governance, and mission owners to balance security, performance, and cost in multi-cloud or hybrid architectures. • Track and incorporate changes in DoD cybersecurity policy, cloud provider security capabilities, and best practices to continually improve architecture and operations.

• Execute comprehensive IT security audits on complex systems in accordance with DoD and Federal requirements. • Perform security control validation to verify proper implementation and effectiveness of technical, operational, and management controls. • Conduct vulnerability assessments and analyze findings to identify security gaps and risks. • Support RMF activities including control selection, implementation validation, assessment, and authorization support. • Evaluate applied security mitigations to determine alignment with security requirements and business objectives. • Validate project security controls to ensure compliance with DoD contracting system standards. • Document security findings, risk assessments, and remediation recommendations. • Maintain and update RMF artifacts and assessment results within eMASS. • Collaborate with system owners, engineers, and stakeholders to resolve security issues and implement corrective actions. • Support audits, inspections, and compliance reviews while ensuring accuracy and quality of deliverables.

• Own and evolve the company’s security and privacy strategy • Scale and mentor the Security team, developing great security team members as the company grows. • Build and mature the company’s security framework, balancing pragmatism and rigor across system security, application security, infrastructure security, and device security. • Lead security operations and incident response, ensuring the company can rapidly detect, respond to, and recover from threats. • Oversee compliance programs (e.g., SOC 2, GDPR, CPRA) and maintain a continuous improvement mindset beyond checkbox compliance. • Partner with Engineering and Product to embed security into the SDLC, CI/CD pipelines, and IoT device lifecycle. • Establish and maintain relationships with key stakeholders, such as executive leadership, providing actionable metrics and insights into security posture, risk trends, and emerging threats. • Oversee vendor risk management and ensure robust controls across third-party services and integrations. • Conduct regular security awareness training and education programs for employees. • Evaluate and select security technologies and tools to enhance the organization's security posture. • Build a strong security culture, from awareness and education to clear policies and positive engagement across all teams. • Optimize the security budget and make pragmatic tradeoffs that balance protection, velocity, and business impact.