Staff Information Security Specialist

Carrum Health, Remote

About The Position

At Carrum, we are transforming how we pay for, deliver and experience healthcare. We are seeking a senior-level "force multiplier" to join our Cybersecurity & IT team as a permanent, full-time member. This role requires a strategic partner who can execute with high agency to maintain mission-critical operations. This is a unique opportunity for a seasoned security generalist to work directly with the Director of Cybersecurity & IT to mature our program, apply deep technical expertise, provide leadership, and deliver immediate value across the organization. This role is designed for a builder who is ready to put down roots, possessing a proven blend of Senior IT/Security and Senior DevOps/Engineering expertise. The ideal candidate is humble enough to handle audit evidence, access requests, and security questionnaires, but technical enough to dive into code reviews and cloud architecture, thriving on execution and delivering results with minimal supervision.

Requirements

  • 8+ years of relevant experience in senior-level IT, DevOps, Engineering, or Security roles.
  • Hands-on experience over certifications.
  • Comfortable working independently as a Full-Time Employee (FTE), with clear deliverables and minimal day-to-day supervision.
  • Deep experience with compliance automation platforms (Vanta is preferred, but experience with Drata or Secureframe is acceptable), including system integration, control automation, and evidence collection.
  • Possess a "builder" mindset but understand the importance of administrative security work; willing to dive into security questionnaires and vendor assessments to support business growth.
  • Expert-level knowledge of Identity and Access Management (IAM) principles, specifically for re-architecting roles and enforcing the principle of least privilege in complex environments.
  • Ability to communicate technical security risks and incident status clearly across both written and oral formats to non-technical stakeholders and clients.
  • Skilled at advocating for security priorities and negotiating "secure-by-default" solutions with Engineering and Product teams.
  • Highly organized and comfortable using task management tools (preferably Jira) to structure work and track deliverables.
  • Hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.

Nice To Haves

  • Rippling management and configuration.
  • Hands-on experience configuring and managing Zscaler environments.
  • Administration and policy configuration for SentinelOne or similar EDR platforms.
  • Experience with SaaS Security Posture Management (SSPM) tools like Spin.ai.
  • Microsoft Azure Security design and hardening.
  • Interest in leveraging AWS AI tools (Amazon Q Business, Bedrock, Kendra) for internal knowledge management.

Responsibilities

  • Act as a Strategic Partner: Operate as the Director's force multiplier and second-in-command, executing high-impact security initiatives and identifying opportunities to operationalize security strategy. Over time, you will grow into ownership and rollout of defined strategic projects.
  • Support Compliance & Business Enablement: Execute the compliance lifecycle for HITRUST, SOC 2, and HIPAA using automation platforms like Vanta. You will also play a critical role in revenue enablement by performing vendor reviews and taking the "first pass" on client security questionnaires to unblock sales deals.
  • Architect & Automate Identity Access Management (IAM): Lead the design and restructuring of complex access controls to enforce Least Privilege across our SaaS and Cloud ecosystem (e.g., AWS, Azure, Google Workspace, GitHub, Atlassian, Slack Enterprise). Implement lifecycle automation and Identity Governance (IGA) workflows to move away from manual provisioning, engineering systems that eliminate the need for manual intervention.
  • Lead AppSec & DevSecOps: Function as an Application Security lead by conducting automated and manual code security reviews, performing threat hunting, and tracking remediation tasks directly with the Engineering and DevOps teams.
  • AI Tooling & Innovation: Proactively identify, evaluate, and leverage AI-driven security tools to automate manual tasks, improve threat detection, and enhance internal knowledge management.
  • Partner on AI Governance & Security Strategy: Collaborate with cross-department leadership to define and execute the security posture for our adoption of emerging AI technologies. Possess a strong grasp of AI Governance principles, including securing LLM implementations and managing data privacy in AI workflows. Research and implement "guardrails" for safe innovation.
  • Handle Security Operations: Configure and analyze logs for our defensive stack, including tools such as SentinelOne, AWS Security Hub/GuardDuty, and Spin.ai.
  • Incident Response Leadership: Act as a technical lead during security incidents. Coordinate the initial response, lead investigation efforts, and communicate technical findings to Engineering and Leadership to ensure rapid remediation and minimal business impact.
  • Drive Policy Governance: Contribute to the security policy lifecycle by participating in regular reviews and updating internal documentation to ensure it remains current, effective, and aligned with the evolving threat landscape.
  • Organizational Rollouts & Education: Act as the lead for rolling out new security tools or processes. Drive a "security-first" culture by leading internal awareness sessions and educating team members on best practices.

Benefits

  • Stock option plan
  • Flexible schedules and remote work
  • Chicago and San Francisco offices available
  • Self-managed vacation days, within reason
  • Paid parental leave
  • Health, vision, and dental insurance
  • 401K retirement plan

© 2026 Teal Labs, Inc