Information Technology Security Engineer

1 day ago


Oakland, California, United States Promaxo Full time

Position

We are looking for a hands-on and highly motivated IT and Security Engineer to own and shape our corporate IT, security, and compliance landscape. This is a unique opportunity to build our systems from the ground up - establishing the infrastructure, governance practices, and operational controls necessary for a secure, compliant, and efficient medical device company.

You will be our go-to expert for employee devices, cloud services, SOC 2, HIPAA, and overall security governance, driving compliance across all Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The ideal candidate has significant experience owning SOC 2 programs end-to-end and thrives in an environment where security, compliance, and operational excellence are critical.

Key Responsibilities

IT Infrastructure & Operations

  • Build, manage, and maintain our corporate IT environment, ensuring high levels of availability, performance, and compliance with SOC 2 operational requirements.
  • Administer and support all employee devices (laptops, peripherals) using modern MDM solutions; ensure secure configurations, baselines, and monitoring aligned with SOC 2 controls.
  • Manage our core SaaS applications and identity lifecycle processes, RBAC, SSO, MFA, and least-privilege policies.
  • Oversee cloud infrastructure (AWS/GCP/Azure), implementing guardrails, logging, monitoring, and access governance consistent with SOC 2, HIPAA, and industry best practices.
  • Provide exceptional on-site IT support, ensuring timely and compliant handling of incidents, change requests, and asset tracking.

Compliance and Governance

  • Own the end-to-end SOC 2 Type I and Type II compliance program, including annual planning, evidence gathering, auditor coordination, remediation management, and continuous control monitoring.
  • Develop, document, and maintain a comprehensive library of policies, procedures, and technical standards covering all SOC 2 Trust Services Criteria.
  • Build and manage a governance framework, including risk assessments, internal controls testing, access reviews, change management processes, disaster recovery and business continuity planning, and third-party/vendor risk management.
  • Conduct ongoing SOC 2 gap analyses and drive cross-functional remediation initiatives.
  • Manage security and compliance training programs across the organization, ensuring measurable improvement in security awareness.
  • Maintain HIPAA-aligned safeguards for PHI, including administrative, technical, and physical controls.

Security & Threat Management

  • Lead the company's threat modeling program for systems, applications, cloud services, and data flows; partner with engineering to identify threats, validate mitigations, and track closure.
  • Manage security tools and programs, including endpoint detection & response (EDR), vulnerability scanning and patch management, log management and SIEM, configuration monitoring, and data loss prevention (DLP).
  • Own the penetration testing lifecycle, including scoping, vendor coordination, remediation tracking, and executive reporting.
  • Maintain security incident response procedures, perform incident triage, and lead coordination with internal stakeholders and external partners.
  • Ensure compliance with SOC 2 security controls, including audit logging, network security, access control, encryption at rest and in transit, system hardening, and backup and recovery.
  • Protect the confidentiality, integrity, and availability of company data, intellectual property, and PHI.

Additional Security Experience Requirements (Urology Groups, BAAs, and Mid-Market Client Expectations)

  • Serve as the primary technical point of contact for security-related questions from mid-size urology groups and other healthcare practices evaluating our security posture.
  • Demonstrate deep knowledge of business associate agreements (BAAs), including how SOC 2 controls map to HIPAA requirements.
  • Clearly articulate whether BAAs, security controls, and vendor practices meet SOC 2 and HIPAA standards in external discussions.
  • Own the process of responding to external security questionnaires, RFPs, and due diligence reviews from healthcare clients and partners.
  • Prepare and maintain standardized security documentation, including security whitepapers, SOC 2 control summaries, and HIPAA safeguard explanations.
  • Lead patch management and vulnerability remediation programs, ensuring timely rollout, risk prioritization, and audit-ready documentation.
  • Manage vulnerability testing schedules, reporting, and remediation workflows across cloud services, endpoints, and third-party vendors.
  • Collaborate with compliance and legal teams to ensure BAAs, DPAs, and vendor contracts accurately reflect required security obligations.

Required Qualifications

  • Bachelor's degree in Computer Science, Information Systems, Cybersecurity, or equivalent practical experience.
  • 3+ years of experience owning SOC 2 audits, including evidence collection, control implementation, remediation plans, auditor relationships, and continuous monitoring.
  • Experience speaking with external customers or partners about security posture, compliance, and IT controls.
  • Strong understanding of SOC 2 Trust Services Criteria and how to operationalize controls across IT, security, and engineering teams.
  • Demonstrated experience with threat modeling frameworks (STRIDE, LINDDUN, PASTA, etc.).
  • Hands-on experience with penetration testing processes, vulnerability management, SIEM, EDR, and cloud security controls.
  • Technical proficiency managing modern IT environments, with expertise in MDM, IAM/SSO, cloud security, SaaS administration, and endpoint hardening.
  • Strong understanding of incident response, secure system design, network security, and compliance frameworks.
  • Excellent documentation and communication skills.
  • Ability to work full-time and onsite in our Oakland, CA office.

Preferred Qualifications

  • Experience building compliance programs for medical device, healthcare, or similarly regulated environments.
  • Familiarity with BAAs, HIPAA Security Rule requirements, and vendor security assessments.
  • Experience scaling an IT/security program in a fast-paced startup.
  • Familiarity with additional frameworks such as HIPAA, NIST 800-53/800-171, ISO 27001, HITRUST, FDA cybersecurity, and CIS Controls.

