Security Engineer
Listed on 2026-02-15
IT/Tech
Cybersecurity, Information Security, Systems Engineer, IT Consultant
Position Summary
The Security Engineer is responsible for designing, implementing, and operating the organization’s cybersecurity program from the ground up, with a primary focus on software supply chain security, identity and access management (IAM), permissions architecture, and compliance readiness for SOC 2 Type II and HIPAA within a healthcare environment. This role leads the research, planning, and execution of security policies, technical controls, and operational processes that protect endpoints, cloud infrastructure, applications, and data throughout the full software development lifecycle (SDLC).
The Security Engineer builds and maintains security monitoring, threat detection, and alerting systems, while establishing and managing a company-wide Security Awareness Training Program.
- Research, develop, and implement comprehensive cybersecurity policies and procedures from the ground up to achieve and maintain SOC 2 Type II certification, including defining controls, gathering evidence, and coordinating with external auditors.
- Conduct regular risk assessments and vulnerability analyses to identify potential security threats and develop mitigation strategies aligned with HIPAA requirements and industry best practices.
- Design, implement, and manage Identity and Access Management (IAM) strategies, including role-based access control (RBAC), least privilege principles, multi-factor authentication (MFA), and single sign-on (SSO) solutions.
- Establish and enforce software supply chain security practices, including Software Bill of Materials (SBOM) management, dependency scanning, vulnerability assessment, container security, and secure CI/CD pipeline integration.
- Develop and maintain permissions governance frameworks, conducting regular access reviews and ensuring appropriate authorization levels across all systems handling PHI and sensitive data.
- Maintain incident response procedures, including breach notification processes compliant with HIPAA requirements, and lead security incident investigations and remediation efforts.
- Design, implement, and manage a comprehensive Security Awareness Training program for all workforce members, covering HIPAA requirements, phishing awareness, social engineering defense, and secure data handling practices.
- Track and document training completion for all employees, maintaining records for audit purposes and ensuring ongoing education as cyberthreats evolve.
- Collaborate with Development and DevOps teams to integrate security practices into the software development lifecycle (SDLC), including secure coding standards, code review processes, and automated security testing.
- Evaluate and manage third-party vendor security risks, conducting security assessments and ensuring business associates comply with HIPAA and organizational security requirements.
- Participate in an on-call rotation schedule for critical security incidents and support incident management processes for security-related events.
- Proven experience in Information Security, Cybersecurity Engineering, or a similar role with hands‑on experience implementing security programs and compliance frameworks.
- Strong knowledge of compliance frameworks including SOC 2, HIPAA Security Rule, NIST Cybersecurity Framework, and CIS Controls, with experience preparing for and supporting audits.
- Deep expertise in Identity and Access Management (IAM), including experience with IAM platforms, RBAC implementation, MFA, SSO, and privileged access management.
- Experience with software supply chain security tools and practices, including SBOM generation, dependency scanning (e.g., Dependabot, Snyk), and secure CI/CD pipeline configuration.
- Proficiency with endpoint protection solutions including EDR platforms, firewalls, and network security tools.
- Strong understanding of cloud security principles and experience securing AWS.
- Excellent written and verbal communication skills, with the ability to translate complex security concepts for technical and non‑technical audiences.
- Strong analytical, problem‑solving, and incident response skills with attention to detail.
- Self‑directed individual…