• Perform day-to-day operations of Infrastructure Security systems • Design, deploy, and maintain enterprise and cloud security solutions • Participate in the incident response program • Improve security posture and operational process

• Own threat modeling across our core platform APIs, risk decisioning and event-ingestion systems, and agentic AI products; harden multi-tenant isolation and data-handling across designs and PRs. • Design, implement, and deploy authentication, authorization (user and API), and RBAC across our platform: own and propose new approaches as we scale • Stand up our AppSec program from the ground up: SAST (Semgrep), SCA (Dependabot/Snyk), secret scanning, IaC scanning, and container scanning on Pulumi + EKS • Build guardrails around LLM usage — prompt-injection defenses, output validation, and cost and abuse monitoring on Bedrock/Anthropic/OpenAI calls • Drive security incident process, vulnerability triage, and the responsible-disclosure workflow • Write SECURITY.md, maintain a threat registry, and champion secure-by-default patterns across the engineering org • Partner with IT on shared areas — incident response across corporate and product, access reviews, and audit evidence collection • Collaborate with product and engineering teams on feature design, embedding security early rather than gating at the end • Keep us aligned with current security standards and trends (OWASP, MITRE ATT&CK, and emerging LLM/agent security guidance)

Title: Staff Information Security Specialist Location: United States Job Description: At Carrum, we are transforming how we pay for, deliver and experience healthcare. If you are passionate about changing healthcare and want to finally get rid of surprise bills, poor quality, and high prices, while thriving in an entrepreneurial, cutting-edge environment, we would love to connect with you. In 2014 Carrum reinvented the Centers of Excellence (COE) category in digital health. Today, 95% of the US population lives within 50 miles of a Carrum COE and our providers rank in the top 10% nationally. Our team’s execution has been recognized by the venture community and we’ve raised more than $96M in aggregate from investors like OMERS, Tiger Global Management and Wildcat Ventures. Our impact has been externally proven in a 2021 RAND Corporation study and featured as a Harvard Business School (HBS) case study. We are not hiring for a standard operational support role; we are seeking a senior-level "force multiplier" to join our Cybersecurity & IT team as a permanent, full-time member. Our team's focus on maintaining mission-critical operations requires a strategic partner who can execute with high agency. This is a unique opportunity for a seasoned security generalist to work directly with the Director of Cybersecurity & IT to mature our program, apply deep technical expertise, provide leadership, and deliver immediate value across the organization. This role is designed for a specific profile: a builder who is ready to put down roots. You are an experienced technology generalist with a proven blend of Senior IT/Security and Senior DevOps/Engineering expertise. You are humble enough to handle audit evidence, access requests, and security questionnaires, but technical enough to dive into code reviews and cloud architecture. You thrive on execution and are wired to deliver results with minimal supervision. We know that exceptional candidates don't always fit a perfect mold, and the list of qualifications below represents our ideal profile. If you're excited about this mission and believe you have a strong foundation in several of these areas—plus the willingness and desire to learn the systems you are not yet familiar with—we strongly encourage you to apply. This is a full time position, the salary range for this role is $150,000 - $175,000 depending on level of experience and geographic location. You’re excited about this opportunity because you will... - Act as a Strategic Partner: Operate as a force multiplier for the Director and second-in-command, executing high-impact security initiatives and identifying opportunities to operationalize security strategy. Over time, you will grow into ownership and rollout of defined strategic projects. - Support Compliance & Business Enablement: Execute the compliance lifecycle for HITRUST, SOC 2, and HIPAA using automation platforms like Vanta. You will also play a critical role in revenue enablement by performing vendor reviews and taking the "first pass" on client security questionnaires to unblock sales deals. - Architect & Automate Identity Access Management (IAM): Lead the design and restructuring of complex access controls to enforce Least Privilege across our SaaS and Cloud ecosystem. Crucially, you will move us away from manual provisioning by implementing lifecycle automation and Identity Governance (IGA) workflows. While you will initially handle operational requests, your primary goal is to engineer the systems that eliminate the need for manual intervention. (e.g. AWS, Azure, Google Workspace, GitHub, Atlassian, Slack Enterprise) - Lead AppSec & DevSecOps: Function as an Application Security lead by conducting automated and manual code security reviews, performing threat hunting, and tracking remediation tasks directly with the Engineering and DevOps teams. - AI Tooling & Innovation: Proactively identify, evaluate, and leverage AI-driven security tools to automate manual tasks, improve threat detection, and enhance internal knowledge management. - Partner on AI Governance & Security Strategy: Collaborate with cross-department leadership to define and execute the security posture for our adoption of emerging AI technologies. While we don't expect a decade of experience in this new field, you must possess a strong grasp of AI Governance principles, including securing LLM implementations and managing data privacy in AI workflows. You will be responsible for researching and implementing the "guardrails" that allow us to innovate safely. - Handle Security Operations: Configure and analyze logs for our defensive stack, including tools such as SentinelOne, AWS Security Hub/GuardDuty, and Spin.ai. - Incident Response Leadership: Act as a technical lead during security incidents. You will coordinate the initial response, lead investigation efforts, and communicate technical findings to Engineering and Leadership to ensure rapid remediation and minimal business impact. - Drive Policy Governance: Contribute to the security policy lifecycle by participating in regular reviews and updating internal documentation to ensure it remains current, effective, and aligned with the evolving threat landscape. - Organizational Rollouts & Education: Act as the lead for rolling out new security tools or processes. You will drive a "security-first" culture by leading internal awareness sessions and educating team members on best practices. We’re excited about you because… - You have 8+ years of relevant experience in senior-level IT, DevOps, Engineering, or Security roles. - You value practical application. We prioritize hands-on experience over certifications. While certifications are valuable, they are less desirable without the demonstrable, battle-tested experience to back them up. - You are comfortable working independently as a Full-Time Employee (FTE), with clear deliverables and minimal day-to-day supervision. - You have deep experience with compliance automation platforms (Vanta is preferred, but experience with Drata or Secureframe is acceptable), including system integration, control automation, and evidence collection. - You possess a "builder" mindset but understand the importance of administrative security work; you are willing to dive into security questionnaires and vendor assessments to support business growth. - You bring expert-level knowledge of Identity and Access Management (IAM) principles, specifically for re-architecting roles and enforcing the principle of least privilege in complex environments. - You can communicate technical security risks and incident status clearly across both written and oral formats to non-technical stakeholders and clients. You are skilled at advocating for security priorities and negotiating "secure-by-default" solutions with Engineering and Product teams. - You are highly organized and comfortable using task management tools (preferably Jira) to structure your work and track deliverables. - You have hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets. Other Preferred Skills: - Rippling management and configuration. - Hands-on experience configuring and managing Zscaler environments. - Administration and policy configuration for SentinelOne or similar EDR platforms. - Experience with SaaS Security Posture Management (SSPM) tools like Spin.ai. - Microsoft Azure Security design and hardening. - Interest in leveraging AWS AI tools (Amazon Q Business, Bedrock, Kendra) for internal knowledge management. Why you’ll love working with us... - We’re a hard-working, humble, and compassionate group motivated to solve the hard problems in healthcare today. You’ll work with talented, experienced co-workers from companies like Booz & Company, Livongo, 98point6, Google, and Optum. We believe in using data to inform decisions, technology to make our jobs easier, and creative thinking to pave the future. - We are working with some of the most recognized and esteemed names in the country. Top hospitals like Johns Hopkins, Mayo Clinic, Stanford Health Care, Scripps Health, and Rush Health have joined our platform. Employers who use our benefit include US Foods, United Airlines, and large public sector organizations like the self-insured schools of California, and the State of Maine. - We empower team members to be autonomous and provide a collaborative environment where you get support and healthy feedback. You can bring your authentic self to work every day and are encouraged to help others do the same. - We carve out time to let go of work to celebrate our successes and have fun. We’re a remote-first company with employees all over the United States and two office locations in San Francisco and Chicago. We support our employees during the work day and beyond with flexible working hours, generous time off, paid parental leave, and opportunities to connect with coworkers both virtually and in-person. - We embrace our team’s diversity of thought, experience, and interests and know that doing so makes us stronger as a company. Carrum has an active employee-led Diversity, Equity, Inclusion, and Justice (DEIJ) committee and several employee resource groups (ERGs). Our ERGS help employees build stronger connections through social, educational, and community activities. - You’ll feel proud that the work you do each day directly impacts people’s lives in big and meaningful ways. Other benefits: - Stock option plan - Flexible schedules and remote work - Chicago and San Francisco offices available - Self-managed vacation days, within reason - Paid parental leave - Health, vision, and dental insurance - 401K retirement plan About Carrum We’re a health tech company that brings value-based care to the masses. We help employers deliver a memorable patient experience, immediately lower healthcare costs, and drive better outcomes and achieve this through the power of technology and human-centered design. Since launching in 2014, we’ve partnered with Fortune 500 employers and top hospitals across the nation. We’ve been recognized by Harvard Business School and featured in TechCrunch, The Los Angeles Times, Washington Post, and Modern Healthcare. We believe we’re only scratching the surface of our opportunity and we’re looking for incredible people like you to help us realize our full impact. Carrum Health is an equal opportunity employer and encourages all applicants from every background and life experience. Autofill application Save time by importing your resume in one of the following formats: .pdf or .docx. Loading...

• Operar e administrar soluções de Cloud Security, CNAPP, CSPM, Containers Security e Kubernetes Security; • Configurar, monitorar e otimizar WAF/WAAP para proteção contra ameaças web (ex.: OWASP Top 10); • Apoiar na implementação das práticas de API Security, garantindo visibilidade e mitigação de riscos; • Apoiar a resposta a incidentes de segurança em ambientes cloud e aplicações; • Colaborar com times de desenvolvimento, infraestrutura e DevOps, promovendo cultura DevSecOps; • Produzir relatórios, indicadores e recomendações de melhorias contínuas em segurança.