Offchain Labs

We power fast, private decentralized applications

Security Engineer

Full Time | Remote | Senior | Team 11-50 | Since 2018 | H1B No Sponsor

Location

All locations: California | Colorado

Posted

22 days ago

Salary

0

Seniority

Senior

Bachelor Degree | 5 yrs exp | English | AWS | Cloud | Kubernetes | Vault

Job Description

  • As a Security Engineer at Offchain Labs, you will play a key role in defining and improving our cloud security posture and collaborate across teams to ensure that our operations are secure, compliant, and aligned with regulatory and industry best practices, such as SOC2.
  • Leverage your extensive experience in Cloud Security to design, implement, and improve secure cloud-native architectures and CI/CD pipelines.
  • Apply deep expertise in cloud infrastructure security to proactively identify risks, enforce best practices, and harden systems across the entire technology stack.
  • Automate security controls and educate developers for future-proofing against vulnerabilities.
  • Play an active part in designing and evolving the company’s overall information security governance and compliance program through: policies, standards, procedures, awareness.
  • Work closely with engineering, infrastructure, and product teams to make sure controls fit both business objectives and technical realities.

Job Requirements

  • 5+ years of experience in a security engineering role.
  • Mastery of cloud infrastructure, particularly AWS.
  • Prior experience focusing on infrastructure security and Kubernetes.
  • Familiarity with secret management tools like Vault or KMS.
  • Strong understanding of core information security concepts and major regulatory frameworks/standards (e.g. SOC2, ISO 27001, NIST CSF).
  • Experience conducting security design reviews, threat modelling, and security testing.
  • Excellent written and verbal communication skills, with the ability to present complex technical details as clear, risk-focused recommendations.

Benefits

  • Remote-first global workforce + NY office
  • Annual company offsite + team onsites
  • Professional reimbursement program (facilitates industry conference attendance, certifications, and more)
  • Medical, dental & vision coverage (US + some other countries)
  • 401k retirement plan + company match (US only)
  • Wellness stipend
  • Home office set up / ergonomic equipment program

More Security Engineer Jobs

Full Time | Remote | Team 5,001-10,000 | Since 1995 | H1B No Sponsor

  • Assess the current cloud and infrastructure security posture across AWS environments, Kubernetes platforms, and supporting services
  • Identify critical gaps and define a prioritized roadmap for improving security maturity across identity, runtime, network, and platform layers
  • Define and implement enterprise security controls across IAM governance, workload/runtime posture, and DNS security
  • Embed security guardrails, standards, and policies into the Platform Engineering and Cloud Center of Excellence (CoE) frameworks from the beginning of the transformation
  • Partner with platform teams to design secure-by-default self-service infrastructure patterns, templates, and workflows
  • Establish identity and access governance models including account strategy, role design, least-privilege policies, and federated access
  • Design and implement security standards for Kubernetes and containerized workloads, including supply chain security, workload isolation, and runtime protection
  • Define DNS and network security practices, including private networking, segmentation, service discovery, and threat protection
  • Collaborate with DevSecOps teams to integrate automated security testing, policy enforcement, and compliance checks into CI/CD pipelines
  • Support the creation of security observability, monitoring, incident response, and threat detection capabilities across the platform
  • Provide security leadership and mentoring to engineering teams to promote security ownership and best practices
  • Support organizational change management and stakeholder alignment to ensure security adoption across teams
  • Continuously evolve the security framework as the platform and operating model mature

Brazil
Colombia

Role Description

We’re hiring Senior NIST 800-53A Security Control Assessors for multiple federal assessment projects kicking off between.

⚠️ This is NOT a general GRC or compliance role. We are specifically looking for professionals who have hands-on experience executing full NIST 800-53A assessments, not just mapping controls or supporting audits.

What you’ll actually be doing:

  • Developing Security Assessment Plans (SAP) with defined testing procedures (Inspect / Interview / Test)
  • Conducting control assessments across all control families (technical + administrative)
  • Interviewing control owners and validating implementation statements in SSPs
  • Performing evidence-based testing (logs, configurations, artifacts)
  • Writing Security Assessment Reports (SAR) with formal findings and risk ratings
  • Building POA&M entries tied to identified control deficiencies

🚫 Not a fit if your experience is limited to SOC 2, ISO 27001, or third-party risk management without hands-on 800-53A assessment execution.

Qualifications

  • 5+ years of direct experience performing NIST 800-53A assessments
  • Proven ownership of SAP and SAR deliverables
  • Strong experience designing and executing control testing procedures
  • Background in RMF, FedRAMP, FISMA, or CMS ARS frameworks
  • Ability to independently validate controls beyond documentation review

Requirements

  • Experience with CMS ARS / ARC-AMPE baseline (Nice to have)
  • Strong Excel-based evidence mapping and tracking (Nice to have)

Benefits

As a lean, growing firm, we prioritize results over red tape, offering you a direct seat at the table and a clear path for career progression as we scale. You won’t be just a number here; you’ll have the autonomy to make a visible impact on the business from day one.

United States
Full Time | Remote | Team 201-500 | Since 2014 | H1B Sponsor

  • Define and lead the long-term product security strategy, roadmap, and vision in alignment with company goals, risk appetite, and regulatory requirements.
  • Serve as the internal authority on application and product security, providing expert guidance to engineering, product, and executive leadership.
  • Drive a company-wide culture of security ownership embedding security thinking deeply into the habits of every engineering team.
  • Architect and continuously evolve a best-in-class Product Security program, spanning threat modeling, SAST, DAST, IAST, SCA, runtime protection, and API security.
  • Lead the design and enforcement of secure development standards across web, mobile, and cloud including secure coding guidelines, IaC policies, and API security frameworks.
  • Identify and drive resolution of systemic, high-impact vulnerabilities and architectural security gaps across Greenlight's platform.
  • Lead and mature Greenlight's penetration testing program, both through internal efforts and external vendor partnerships.
  • Partner with engineering and platform teams to build security-enhancing product features that protect our customers' financial data.
  • Establish and lead incident response processes for product-level security events, including root cause analysis and systemic remediation.
  • Evaluate and introduce emerging security tooling, techniques, and frameworks to keep Greenlight ahead of the threat landscape.
  • Mentor staff and senior engineers across the security and engineering organizations, raising the overall security engineering capability of the company.

United States
$180K - $240K / year