Engineering Manager, Security

About The Position

Requirements

• Proven security leadership at a startup or high-growth company - you've built or scaled a security function before, not just maintained one.
• Deep compliance experience - hands-on ownership of SOC 2 Type II and HIPAA programs, from control design through audit. Familiarity with emerging requirements (state privacy laws, AI governance) is a plus.
• Technical depth across the stack - strong working knowledge of cloud security (AWS/GCP/Azure), IAM, endpoint security, and secure SDLC practices. You can go deep with engineers, not just speak to them.
• Product security chops - experience with vulnerability management, threat modeling, and integrating security into fast-moving engineering teams without becoming a bottleneck.
• People leadership - track record of managing and growing small technical teams, with the ability to hire well and develop talent as the function scales.
• Vendor & third-party risk know-how - experience running a vendor risk program, including security reviews, BAAs/DPAs, and ongoing third-party monitoring in a data-sensitive environment.
• Builder mentality - you're equally comfortable writing a policy, configuring a SIEM, presenting to the exec team, and jumping into an incident at 10 pm. You default to doing before delegating.

Responsibilities

• Security Strategy & Team Leadership - Define EvenUp's security roadmap and lead a growing Security & IT team. Serve as the internal authority on risk and security posture, advising engineering, legal, and the executive team. Hire and develop talent as the function scales.
• Compliance (SOC 2 & HIPAA) - Own our SOC 2 Type II and HIPAA programs end-to-end: gap assessments, control design, audit readiness, and ongoing compliance. Maintain policies and procedures, manage auditor relationships, and stay ahead of evolving regulatory requirements.
• Product Security - Partner with Engineering to embed security into the SDLC through threat modeling, secure design reviews, and vulnerability management (SAST, DAST, pen testing). Champion a shift-left, security-by-design culture across the product org.
• Corporate IT & Infrastructure Security - Own corporate IT systems (MDM, SSO/IdP, endpoint security, IAM) and cloud security posture. Evaluate and deploy security tooling. Enforce least-privilege and zero-trust principles across the organization.
• Vendor & Third-Party Risk Management - Lead the vendor risk program, including security assessments, contract reviews (BAAs, DPAs), and ongoing monitoring of third-party risk exposure.
• Incident Response & Risk Management - Maintain the risk register, run periodic risk assessments, and own the incident response plan. Lead tabletops, manage live incidents, and coordinate breach notification in partnership with legal.
• Security Culture & Enablement - Drive security awareness across the company through training, documentation, and internal evangelism. Coach engineers and business teams on best practices and build a security-first culture from the inside out.
• Mentorship & Growth: Recruit, mentor, and develop engineers through regular feedback, coaching, and career development. Support performance management, growth planning, and team health.

Benefits

• Choice of medical, dental, and vision insurance plans for you and your family.
• Additional insurance coverage options for life, accident, or critical illness.
• Flexible paid time off, sick leave, short-term and long-term disability.
• 10 US observed holidays, and Canadian statutory holidays by province.
• A home office stipend.
• 401(k) for US-based employees and RRSP for Canada-based employees.
• Paid parental leave.
• A local in-person meet-up program.