Staff Information Security Specialist

Carrum Health
$150,000 - $175,000, Remote

About The Position

At Carrum, we are transforming how we pay for, deliver and experience healthcare. If you are passionate about changing healthcare and want to finally get rid of surprise bills, poor quality, and high prices, while thriving in an entrepreneurial, cutting-edge environment, we would love to connect with you. In 2014 Carrum reinvented the Centers of Excellence (COE) category in digital health. Today, 95% of the US population lives within 50 miles of a Carrum COE and our providers rank in the top 10% nationally. Our team’s execution has been recognized by the venture community and we’ve raised more than $96M in aggregate from investors like OMERS, Tiger Global Management and Wildcat Ventures. Our impact has been externally proven in a 2021 RAND Corporation study and featured as a Harvard Business School (HBS) case study.

We are not hiring for a standard operational support role; we are seeking a senior-level "force multiplier" to join our Cybersecurity & IT team as a permanent, full-time member. Our team's focus on maintaining mission-critical operations requires a strategic partner who can execute with high agency. This is a unique opportunity for a seasoned security generalist to work directly with the Director of Cybersecurity & IT to mature our program, apply deep technical expertise, provide leadership, and deliver immediate value across the organization.

This role is designed for a specific profile: a builder who is ready to put down roots. You are an experienced technology generalist with a proven blend of Senior IT/Security and Senior DevOps/Engineering expertise. You are humble enough to handle audit evidence, access requests, and security questionnaires, but technical enough to dive into code reviews and cloud architecture. You thrive on execution and are wired to deliver results with minimal supervision.

We know that exceptional candidates don't always fit a perfect mold, and the list of qualifications below represents our ideal profile. If you're excited about this mission and believe you have a strong foundation in several of these areas—plus the willingness and desire to learn the systems you are not yet familiar with—we strongly encourage you to apply. This is a full-time position; the salary range for this role is $150,000 - $175,000 depending on level of experience and geographic location.

Requirements

  • You have 8+ years of relevant experience in senior-level IT, DevOps, Engineering, or Security roles.
  • You value practical application. We prioritize hands-on experience over certifications. While certifications are valuable, they are less desirable without the demonstrable, battle-tested experience to back them up.
  • You are comfortable working independently as a Full-Time Employee (FTE), with clear deliverables and minimal day-to-day supervision.
  • You have deep experience with compliance automation platforms (Vanta is preferred, but experience with Drata or Secureframe is acceptable), including system integration, control automation, and evidence collection.
  • You possess a "builder" mindset but understand the importance of administrative security work; you are willing to dive into security questionnaires and vendor assessments to support business growth.
  • You bring expert-level knowledge of Identity and Access Management (IAM) principles, specifically for re-architecting roles and enforcing the principle of least privilege in complex environments.
  • You can communicate technical security risks and incident status clearly across both written and oral formats to non-technical stakeholders and clients. You are skilled at advocating for security priorities and negotiating "secure-by-default" solutions with Engineering and Product teams.
  • You are highly organized and comfortable using task management tools (preferably Jira) to structure your work and track deliverables.
  • You have hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.

Nice To Haves

  • Rippling management and configuration.
  • Hands-on experience configuring and managing Zscaler environments.
  • Administration and policy configuration for SentinelOne or similar EDR platforms.
  • Experience with SaaS Security Posture Management (SSPM) tools like Spin.ai.
  • Microsoft Azure Security design and hardening.
  • Interest in leveraging AWS AI tools (Amazon Q Business, Bedrock, Kendra) for internal knowledge management.

Responsibilities

  • Act as a Strategic Partner: Operate as a force multiplier for the Director and second-in-command, executing high-impact security initiatives and identifying opportunities to operationalize security strategy. Over time, you will grow into ownership and rollout of defined strategic projects.
  • Support Compliance & Business Enablement: Execute the compliance lifecycle for HITRUST, SOC 2, and HIPAA using automation platforms like Vanta. You will also play a critical role in revenue enablement by performing vendor reviews and taking the "first pass" on client security questionnaires to unblock sales deals.
  • Architect & Automate Identity Access Management (IAM): Lead the design and restructuring of complex access controls to enforce Least Privilege across our SaaS and Cloud ecosystem (e.g. AWS, Azure, Google Workspace, GitHub, Atlassian, Slack Enterprise). Crucially, you will move us away from manual provisioning by implementing lifecycle automation and Identity Governance (IGA) workflows. While you will initially handle operational requests, your primary goal is to engineer the systems that eliminate the need for manual intervention.
  • Lead AppSec & DevSecOps: Function as an Application Security lead by conducting automated and manual code security reviews, performing threat hunting, and tracking remediation tasks directly with the Engineering and DevOps teams.
  • AI Tooling & Innovation: Proactively identify, evaluate, and leverage AI-driven security tools to automate manual tasks, improve threat detection, and enhance internal knowledge management.
  • Partner on AI Governance & Security Strategy: Collaborate with cross-department leadership to define and execute the security posture for our adoption of emerging AI technologies. While we don't expect a decade of experience in this new field, you must possess a strong grasp of AI Governance principles, including securing LLM implementations and managing data privacy in AI workflows. You will be responsible for researching and implementing the "guardrails" that allow us to innovate safely.
  • Handle Security Operations: Configure and analyze logs for our defensive stack, including tools such as SentinelOne, AWS Security Hub/GuardDuty, and Spin.ai.
  • Incident Response Leadership: Act as a technical lead during security incidents. You will coordinate the initial response, lead investigation efforts, and communicate technical findings to Engineering and Leadership to ensure rapid remediation and minimal business impact.
  • Drive Policy Governance: Contribute to the security policy lifecycle by participating in regular reviews and updating internal documentation to ensure it remains current, effective, and aligned with the evolving threat landscape.
  • Organizational Rollouts & Education: Act as the lead for rolling out new security tools or processes. You will drive a "security-first" culture by leading internal awareness sessions and educating team members on best practices.

Benefits

  • Stock option plan
  • Flexible schedules and remote work
  • Chicago and San Francisco offices available
  • Self-managed vacation days, within reason
  • Paid parental leave
  • Health, vision, and dental insurance
  • 401K retirement plan