Job Closed

This listing is no longer active.

American Red Cross

The American Red Cross is a 501(c)(3) public charity and an international emergency response organization providing communities around the world with disaster r

Information Security Engineer - Vulnerability Management

Location

United States

Posted

15 days ago

Salary

$95K - $110K / year

Seniority

Mid Level

Job Description

Role Description

We are actively seeking an experienced Vulnerability Management Analyst to join our Information Security team. In this role, you will be responsible for:

- Monitoring and reviewing vulnerability and compliance scan results.
- Performing detailed research and analysis of scheduled and on-demand vulnerability assessments and posting results to the system owners.
- Communicating to the leadership the vulnerability posture of the organization.
- Assisting the organization with lowering the overall risk posture for threats to the systems and data.

The work location for this position is remote, and it can be worked from anywhere in the United States.

Qualifications

- Technical skills with Microsoft Windows Server systems hardening, auditing, and logging.
- Technical experience working with Linux Operating Systems.
- Experience with Vulnerability Management Programs and supporting an organization with threat analysis.
- Demonstrate advanced understanding of the principles of vulnerability assessments.
- Experience with Vulnerability assessment tools (Qualys).
- Strong verbal and written communications skills with the ability to explain technical issues to non-technical audiences.
- Must be a strong team player with a willingness to share information and train others; act as a mentor to less seasoned team members.
- Must be a self-starter, with the ability to work with minimal direct supervision.
- Must be highly organized and capable of prioritizing workloads.
- Must be experienced in developing and presenting solution recommendations.
- Occasional after-hours work, 5% travel, and participation in on-call rotations is required.
- Project Management skills a plus.

Requirements

- Education: 4-year college degree or equivalent combination of education and experience in Computer Science, Computer Engineering, or related field.
- Experience: Minimum 1 to 3 years required.
- Travel: Travel may be required.

Benefits

- Medical, Dental, Vision plans.
- Health Spending Accounts & Flexible Spending Accounts.
- PTO: Starting at 19 days a year; based on type of job and tenure.
- Holidays: 11 paid holidays comprised of six core holidays and five floating holidays.
- 401K with up to 6% match.
- Paid Family Leave.
- Employee Assistance.
- Disability and Insurance: Short + Long Term.
- Service Awards and recognition.

More Security Engineer Jobs


Tech Manager – Cyber Security

VOLL

VOLL is a complete global solution for travel and expense management.

Full Time | Remote | Team 201-500 | Since 2017 | H1B No Sponsor

• Lead and develop the IAM (Identity and Access Management), Security By Design, and Anti-Fraud & Revenue Protection teams, fostering technical excellence, collaboration, mentorship and professional growth.
• Define, implement and evolve VOLL’s Cyber Security strategy, aligned with business objectives, product roadmap and the company’s risk appetite.
• Establish and govern the IAM program, ensuring identity lifecycle management, access controls (RBAC/ABAC), least privilege, MFA, SSO and periodic access reviews.
• Implement and promote Security By Design and Secure SDLC practices across Engineering and Product teams, including threat modeling, secure architecture reviews, SAST/DAST/SCA and security gates in the CI/CD pipeline.
• Drive the Anti-Fraud and Revenue Protection strategy, defining rules, models and metrics for fraud prevention, detection and response to reduce financial losses and protect company revenue.
• Define and monitor security OKRs, KPIs and KRIs (control coverage, time to remediation, exposure, losses prevented, maturity) and report results to the executive board.
• Manage budget, roadmap, vendors and strategic partnerships for the areas under your responsibility, ensuring operational efficiency and ROI.
• Support audit, compliance and certification processes (LGPD, ISO 27001, SOC 2, PCI-DSS when applicable), ensuring regulatory adherence.
• Serve as the technical and executive reference for security and fraud incidents, leading crisis response, stakeholder communication and continuous improvement plans.
• Stay up to date on trends, emerging threats and new technologies, fostering continuous innovation and a security culture across the organization.

Brazil
Job Closed

Cybersecurity Developer

Cormac Corporation

At CORMAC, we leverage the power of data management and analytics to enable our customers to achieve their strategic goals. With over 20 years of experience in health information technology (HIT), human-centered design principles, and Agile development methodologies, CORMAC delivers complex digital solutions to solve some of the most challenging problems facing public healthcare programs today.

Role Description

CORMAC is seeking a Security Compliance Engineer. The duties of this role involve security analysis, framework governance, and hands-on development work. Both technical and governance responsibilities are handled by the Security Compliance Developer in this pivotal role for safeguarding complex federal healthcare systems:

- Handles code development work to implement secure coding solutions.
- Maintains a strong security posture across applications in robust cloud environments.
- Works with stakeholders to develop & maintain a cybersecurity governance framework and organizational security policies.

Responsibilities:

- Review applications and services for security issues, then directly implement changes to code to remediate security issues as well as proactively implement security controls.
- Work closely with the Product Owners, ISSOs, engineering and infrastructure staff to provide guidance on implementation of security policies, standards, and procedures.
- Create design documentation following federal security and compliance frameworks, including HIPAA, NIST, etc.
- Analyze and interpret agency security requirements and ensure compliance with standards.
- Collaborate with agency representatives to implement security initiatives through direct code development work.
- Conduct and subsequently handle code-based remediation for vulnerability assessments.
- Monitor networks, databases, and Web-based assets for potential system breaches.
- Respond to alerts from information security tools. Report, investigate, and resolve higher level security incidents.
- Iterate on security rules and alerting capabilities.
- Create and maintain security tool dashboards and reporting.
- Educate and communicate security requirements and teach safe coding practices to organization users with hands-on lessons, focusing on continuous improvement of security standards and maintenance of internal security.
- Provide vulnerability & compliance reviews and present any findings to government stakeholders, followed by direct remediation work as a developer.

Qualifications

- Bachelor's degree in Cybersecurity, Computer Science, Information Technology, or similar field.
- Must be a U.S. Citizen.
- Must be able to obtain a Public Trust (Tier I) Clearance.
- Minimum of 5+ years of progressive experience in information security, cybersecurity engineering, or system security roles, with demonstrated technical depth and increasing responsibility.
- Ability to maintain cybersecurity framework compliance from a governance perspective while handling direct coding work through hands-on development and remediation for security issues or security control implementation.
- Experience in coding, with the ability to directly handle updating code in a development role.
- Hands-on coding, scripting, or automation experience using Python, JavaScript, and Bash to improve security operations, remediate security issues, or perform compliance validation.
- Proven experience owning and maintaining an Authorization to Operate (ATO), including authoring, updating, and defending security artifacts such as System Security Plans (SSPs), Incident Response Plans, contingency plans, and related documentation.
- Demonstrated hands-on experience managing vulnerability and compliance scanning programs remediation using tools such as Tenable, AWS Security Hub, and Snyk.
- Ability to assess security findings through reviewing code, determine risk severity, prioritize remediation, and drive closure through directly updating code.
- Strong hands-on experience securing cloud-based environments, with a focus on AWS (IAM, GuardDuty, CloudTrail, Security Hub) and SaaS platforms.
- Experience with least-privilege enforcement across cloud, application, and CI/CD environments.
- Strong written and verbal communication skills, with the ability to clearly articulate security risks, requirements, and remediation strategies to technical teams, leadership, and government stakeholders.
- Ability to work independently and as part of a cross-functional team, managing multiple priorities in a fast-paced, highly regulated environment.

Preferred Qualifications

- Master’s of Science in Cybersecurity, Computer Science, Information Technology, or similar fields.
- Experience with governance and direct engineering/development work in complying with NIST 800-53, HIPAA, ISO 20000-1 frameworks.
- Federal government contracting experience supporting complex, multi-system environments, preferably within health, civilian, or defense agencies.
- Advanced or senior-level industry security certifications, such as: CISSP, CISM, CRISC, or GIAC (GSEC, GCSA, GPEN).
- Cloud security and architecture certifications, including: AWS Certified Security – Specialty, AWS Solutions Architect, CCSP or CCSK.
- DevSecOps, automation, or platform security certifications, such as: Kubernetes Security (CKS), GitHub Advanced Security or equivalent.
- Offensive or advanced technical security certifications, including: OSCP, CEH, GPEN, GWAPT, or similar.
- Experience securing SaaS platforms from both a governance and direct developer level, with preference for Salesforce GovCloud, including roles, profiles, permission sets, MFA, OAuth, and third-party monitoring tools.
- Experience designing or maintaining security dashboards and executive-level metrics for visibility into vulnerabilities, compliance posture, access reviews, and risk trends.
- Experience facilitating incident response activities, tabletop exercises, and driving lessons learned into measurable, continuous improvement.
- Demonstrated ability to mentor engineers and product teams on secure development practices, threat modeling, and evolving security risks.

Location

Leesburg, VA

Work arrangement

100% Remote

Why CORMAC?

At CORMAC, we leverage the power of Data Management and Analytics to enable our customers to achieve their strategic goals. With over 20 years of experience in Health Information Technology (HIT), human-centered design principles, and Agile development methodologies, CORMAC delivers complex digital solutions to solve some of the most challenging problems facing public healthcare programs today. As a US Federal Government contractor in the public healthcare sector, our work is impactful and cutting-edge while being performed in a supportive, collaborative, and welcoming environment. We offer flexible work schedules with remote, hybrid, or fully in-person workplace options to empower our employees to decide the workplace most suitable for them. At CORMAC, we have a highly diverse workforce and believe the work environment is a place where creativity, collaboration, enthusiasm, and innovation happen, regardless of location.

E-Verify Participation/EEO

As an Equal Employment Opportunity employer, CORMAC provides equal employment opportunity to all employees and applicants without regard to an individual's protected status, including race/ethnicity, color, national origin, ancestry, religion, creed, age, gender, gender identity/expression, sexual orientation, marital status, parental status, including pregnancy, childbirth, or related conditions, disability, military service, veteran status, genetic information, or any other protected status.

United States
Job Closed

Senior Enterprise Security Engineer

Life360

Life360 is an award-winning, San Francisco, California-based family network app that allows families to share their location and collaborate and communicate wit

• Develop systems and tools that improve the security posture of Life360's DLP, device hardening, SaaS, and zero trust layers
• Execute security strategy and policy for Life360-built services and SaaS applications
• Review and provide architectural guidance on infrastructure systems, fleet management, and automation
• Own EDR agent deployment health and coverage across the endpoint fleet, ensuring CrowdStrike Falcon agents are installed, current, and correctly configured on every managed device; identify and close coverage gaps in partnership with IT and D&R
• Partner with D&R on log source enablement, ensuring corporate systems (Kandji, Intune, Slack, Box, Google Workspace) emit the telemetry D&R needs for detection and investigation, without owning the detection logic itself
• Build and operate agent-assisted workflows that take action across endpoint, SaaS, and awareness domains, directing AI more than doing the work by hand, with appropriate guardrails on anything that touches sensitive data or production systems
• Automate the boring parts using Python, Tray.io, Lambda, and AI agents to eliminate manual toil across endpoint, SaaS, and corporate security workflows
• Engineer controls that satisfy SOC 2 and privacy requirements across device and SaaS layers, partnering with GRC on evidence collection and audit readiness
• Own the security awareness program end-to-end, including developing and delivering training, running phishing simulations, tracking and reporting metrics, and continuously improving the program to drive measurable behavior change

United States
$152K - $224K / year

Principal Security Engineer, Product – AI

Marqeta

You see a card. We see endless possibilities.™

Full Time | Remote | Team 501-1,000 | Since 2010 | H1B Sponsor

• Lead product security engineering for our payment platform, owning threat modeling, security architecture review, secure SDLC practices, and API security across the engineering organization
• Help mature our AI security program developing genAI controls, securing ML pipelines, and working alongside the Model Risk Office for model evaluations.
• Provide security architecture oversight across infrastructure and enterprise security (endpoint, network, VPN, and corporate security controls), ensuring technical standards are coherent across all security domains
• Shape how security engineering scales across the organization through tooling, frameworks, security champions engagement, and engineering partnerships

United States
$218.3K - $321K / year