DevSecOps Lead

Layla
Remote

About The Position

Layla’s mission is to empower people to take control of their mental health. We use client-centric innovation to understand and address gaps in the ever-changing realities in mental health. Today, Layla is a service that facilitates personalized individual and couples therapy directly to the public as well as in collaboration with partners in the broader healthcare sector. Privacy and security at Layla are about protecting deeply personal moments, and every system we build must earn and preserve patient trust.

The DevSecOps Lead will join Layla’s Trust team, a cross-functional privacy and security program led by the Chief Program Officer and supported by a senior security advisor. Working closely with the Chief Technology Officer, this role serves as the bridge between development, operations, and security. The ideal candidate is an engineer who integrates security into every stage of the software development lifecycle and business operations, rather than treating it as a final checkpoint.

This is a full-time, remote position requiring 40 working hours per week on weekdays, and is open to residents of AB, BC, NS, ON, and SK. Flexibility for ad hoc work outside business hours is expected if needed. Travel to the GTA (3-4 times per year) is required, with expenses covered by the company for those outside the GTA. Applicants must be legally eligible to work in Canada. Interviewing and training will be conducted virtually.

Requirements

  • 7+ years of relevant experience in healthcare, financial services or other environments handling highly sensitive data.
  • AWS Expert: Deep experience securing and scaling AWS services (IAM, VPC, EKS, RDS, CloudTrail).
  • Pipeline Engineering: Advanced proficiency in modern CI/CD tooling, focusing on automated deployments and security integrations.
  • Threat Modeling: Proven ability to identify attack vectors and design defensive strategies for cloud-native applications.
  • Security Assessments: Hands-on experience reviewing feature architecture and code for security flaws.
  • Risk Management: Experience working with a corporate risk register and managing the lifecycle of security findings from discovery to remediation.
  • macOS Management: Comfortable managing and securing remote macOS laptops in a startup environment.
  • Monitoring and Observability: Experience with SIEM log setup and alert configuration.
  • Compliance: Experience with PHI, HIPAA, and/or SOC2 compliance in a healthcare, financial services or other environment handling highly sensitive data.
  • Incident Response: Experience leading or contributing to IR efforts and post-mortem analysis.
  • Mentorship: A passion for coaching developers on secure coding practices and modern DevSecOps methodologies.

Nice To Haves

  • Preference for candidates that are located in the Greater Toronto Area (GTA), and have flexibility to come into our office in Liberty Village.

Responsibilities

  • DevSecOps Automation: Implement "shift-left" security by integrating automated scanning (SAST/DAST/Secret detection) into our CI/CD pipelines.
  • Infrastructure as Code (IaC): Maintain and secure our AWS environment, ensuring high availability and proactive monitoring.
  • Vulnerability Management: Lead the end-to-end vulnerability management lifecycle. Facilitate and oversee third-party penetration tests, translate findings into actionable engineering tasks. Ensure remediation efforts are tracked, time-bound, and aligned with company risk tolerance.
  • Security Advisory: Act as the security partner to product engineering. Lead threat modeling sessions and conduct architecture reviews for new features to mitigate risk before deployment.
  • Operational Security: Oversee and continuously improve the security posture of our macOS-based fleet.
  • Incident Response: Own the technical aspect of incident response and continuously improve processes. Act as or support the incident response lead (as the situation may be), ensuring clear playbooks, timely detection, investigation, containment, and post-incident reviews.
  • Secure Corporate IT: Oversee and strategically enhance our identity management systems (not day-to-day operation). Partner with People Operations to ensure seamless, secure onboarding and offboarding processes, with clear auditability and minimal access drift.
  • Security Governance, Policies & Compliance: Operationalize Layla's security policies and controls in practice. Partner with the CPO and security advisor to translate program requirements into technical and operational implementation.

Benefits

  • A diverse, passionate, and friendly team.
  • Supportive health & wellness benefits for you and your family.
  • 20 days of paid vacation + paid sick and family responsibility leave.
  • Employee Development Benefit: time and annual budget to support your learning and professional growth.
  • Work from home setup budget.
© 2024 Teal Labs, Inc