• You'll be the technical voice of product security across Aalyria, reporting to the Director of Security & IT. • You'll own application security, CI/CD and supply-chain security, our Kubernetes-based product infrastructure, product-side authentication and PKI. • You'll partner closely with hardware engineering on Tightbeam. • Application & software security. SAST/DAST/SCA, secure SDLC, threat modeling, and software vulnerability management across our codebase. • CI/CD and supply-chain security. Hardening our GitLab pipelines, build provenance, dependency integrity, signing, and SLSA-aligned controls. • Product infrastructure security. GKE and Kubernetes hardening, container security, workload identity, network policy, and runtime protection. • Product PKI. Certificate lifecycle, issuance, rotation, and mTLS architecture across distributed services and remote assets. • Vulnerability management. Triage, prioritization, remediation tracking, and exception handling, for both disclosed upstream issues and internal findings. • Product incident response. Leading triage and response for product-side security incidents, coordinating with corporate IR, and driving post-mortems to action. • Product infra hardening. Baseline configurations, secure defaults, and compensating controls across product environments. • Hardware security partnership. Working with the Tightbeam team on firmware security, secure boot, key storage, and hardware supply-chain integrity.

• Codify and execute the security roadmap for the organization, prioritizing the further hardening of critical systems (payment infrastructure, donor data stores, authentication flows, API integrations) and ensuring compliance with applicable laws (e.g., data privacy and security). • Partner directly with PDE leadership to embed security controls into the development lifecycle: threat modeling, secure code review, vulnerability management, and CI/CD pipeline security tooling (SAST, DAST, SCA) • Own the security incident response plan end-to-end: detection, containment, investigation, notification, remediation, and post-incident review • Work with IT to drive identity and access management improvements, including role-based access controls, MFA enforcement, endpoint security, and session management • Develop a deep understanding of fraud vectors in the fundraising and payments space—stolen cards, synthetic identities, friendly fraud, campaign abuse—and help us build systems that adapt as threats evolve. • Manage vendor security risk assessments for third-party tools, integrations, and sub-processors, with continuous monitoring rather than annual check-ins • Own the penetration testing program: vendor relationships, testing cadence, findings translation into engineering tickets, and remediation tracking to closure • Develop and deliver security awareness training for all employees, with targeted modules for PDE, CX, and leadership audiences • Lead SOC 2 Type II certification end-to-end: gap analysis, control design, evidence collection, remediation tracking, auditor coordination, and ongoing maintenance • Build the roadmap toward ISO 27001 certification as the security program matures • Serve as primary owner of our GRC platform (Vanta): driving task completion, monitoring compliance gaps, triaging findings, and ensuring remediation owners are accountable • Manage all external auditor and certification body relationships • Build and maintain evidence repositories that support continuous (not just point-in-time) compliance • Prepare board-ready compliance status reports and risk summaries quarterly • With the General Counsel’s guidance, own all required licenses, registrations, and regulatory filings across US jurisdictions, including state charitable fundraising platform registrations and other licenses • Manage the Trust Center: content accuracy, access approvals, and customer-facing compliance documentation

• Experiência comprovada com segurança de sistemas e infraestrutura; • Habilidades "hands-on" para configurar e manter ferramentas de segurança, incluindo firewall, WAFs, sistemas de detecção e prevenção de intrusões (IDS/IPS), antivírus, api gateway e monitoramento de redes; • Monitoramento e investigação de alertas em ferramentas como SIEM e EDR; • Análise de eventos e tentativa de exploração de aplicações e infraestrutura; • Gestão e tratamento de vulnerabilidades (identificação, priorização e acompanhamento de correções); • Análise de código sob a perspectiva de segurança; • Participação em processos de due diligence de segurança em fornecedores; • Apoio na resposta a incidentes e investigação de possíveis comprometimentos; • Habilidade para desenvolver e documentar políticas, diretrizes e manuais de segurança; • Proposição de melhorias em processos e controles.

• Lead all aspects of enterprise information security, including threat detection, incident response, vulnerability management, and continuous monitoring. • Establish and mature a comprehensive Governance, Risk, and Compliance (GRC) framework aligned to healthcare industry standards (e.g., NIST, HITRUST, ISO 27001). • Continuously assess enterprise risk posture, prioritizing cybersecurity risks in alignment with clinical, operational, and financial risk frameworks. • Design and implement strategies to protect sensitive patient data, including Protected Health Information (PHI), Personally Identifiable Information (PII), and clinical data. • Ensure compliance with healthcare data security and privacy regulations, including HIPAA and HITECH, as well as state-specific privacy laws. • Oversee data governance, encryption, identity management, and secure data exchange across clinical systems (EHR/EMR), patient platforms, and third-party partners. • Own and manage IT risk, compliance, and IT General Controls (ITGC) programs in support of SOX and healthcare regulatory requirements. • Partner with internal audit, compliance, legal, and finance teams to ensure audit readiness and timely remediation of control deficiencies. • Maintain compliance with standards such as HIPAA, HITRUST, SOC 2, PCI-DSS (as applicable), and other healthcare-specific regulatory frameworks. • Lead security architecture across enterprise infrastructure, including cloud, hybrid, and on-premise environments supporting clinical and digital health platforms. • Drive secure cloud transformation initiatives, ensuring appropriate controls across IaaS, PaaS, and SaaS environments. • Partner with engineering, IT, and DevOps teams to implement DevSecOps practices and secure software development lifecycle (SDLC). • Lead enterprise incident response strategy, including preparedness, detection, containment, and recovery from cyber incidents. • Build, lead, and scale a high-performing information security organization, including security operations, risk, IT compliance functions. • Serve as a key advisor to executive leadership, the Board, and Audit/Compliance Committees on cybersecurity risk and strategy. • Drive enterprise-wide security awareness and training programs to foster a culture of security and compliance.