Birdi is building its cybersecurity program from the ground up and is seeking a Security Engineer to design and implement its security controls. The role involves developing cybersecurity policies, managing IAM strategies, and ensuring compliance with SOC 2 Type II and HIPAA in a healthcare environment.
Responsibilities:
- Research, develop, and implement comprehensive cybersecurity policies and procedures from the ground up to achieve and maintain a SOC 2 Type II attestation, including defining controls, gathering evidence, and coordinating with external auditors
- Conduct regular risk assessments and vulnerability analyses to identify potential security threats and develop mitigation strategies aligned with HIPAA requirements and industry best practices
- Design, implement, and manage Identity and Access Management (IAM) strategies, including role-based access control (RBAC), least privilege principles, multi-factor authentication (MFA), and single sign-on (SSO) solutions
- Establish and enforce software supply chain security practices, including Software Bill of Materials (SBOM) management, dependency scanning, vulnerability assessment, container security, and secure CI/CD pipeline integration
- Develop and maintain permissions governance frameworks, conducting regular access reviews and ensuring appropriate authorization levels across all systems handling PHI and sensitive data
- Maintain incident response procedures, including breach notification processes compliant with HIPAA requirements, and lead security incident investigations and remediation efforts
- Design, implement, and manage a comprehensive Security Awareness Training program for all workforce members, covering HIPAA requirements, phishing awareness, social engineering defense, and secure data handling practices
- Track and document training completion for all employees, maintaining records for audit purposes and ensuring ongoing education as cyberthreats evolve
- Collaborate with Development and DevOps teams to integrate security practices into the software development lifecycle (SDLC), including secure coding standards, code review processes, and automated security testing
- Evaluate and manage third-party vendor security risks, conducting security assessments and ensuring business associates comply with HIPAA and organizational security requirements
- Participate in an on-call rotation schedule for critical security incidents and support incident management processes for security-related events
Requirements:
- Proven experience in Information Security, Cybersecurity Engineering, or a similar role with hands-on experience implementing security programs and compliance frameworks
- Strong knowledge of compliance frameworks including SOC 2, HIPAA Security Rule, NIST Cybersecurity Framework, and CIS Controls, with experience preparing for and supporting audits
- Deep expertise in Identity and Access Management (IAM), including experience with IAM platforms, RBAC implementation, MFA, SSO, and privileged access management
- Experience with software supply chain security tools and practices, including SBOM generation, dependency scanning (e.g., Dependabot, Snyk), and secure CI/CD pipeline configuration
- Proficiency with endpoint protection solutions (EDR platforms) as well as firewalls and network security tools
- Strong understanding of cloud security principles and experience securing AWS
- Excellent written and verbal communication skills, with the ability to translate complex security concepts for technical and non-technical audiences
- Strong analytical, problem-solving, and incident response skills with attention to detail
- Self-directed individual capable of working independently to build programs from the ground up with minimal supervision
- Bachelor's degree in Information Security, Computer Science, or a related field; or an equivalent combination of education and experience, with at least 3-5 years of relevant cybersecurity experience
- Demonstrated experience implementing security compliance programs (SOC 2, HIPAA, ISO 27001, or similar)
- Experience conducting risk assessments and developing security policies and procedures
- Experience working within the Healthcare industry with direct knowledge of HIPAA compliance requirements and ePHI protection
- Industry certifications such as CISSP, CISM, Security+, CCSP, AWS Security Specialty, or HCISPP (Healthcare Information Security and Privacy Practitioner)
- Experience with zero trust architecture design and implementation
- Familiarity with healthcare data standards (HL7, FHIR) and healthcare IT systems including EHR platforms
- Experience with policy-as-code tools (e.g., OPA, Checkov) and infrastructure-as-code security scanning
- Scripting and automation skills in Python, PowerShell, or Bash for security automation
- Experience with container security, Kubernetes security, and DevSecOps practices
- Experience with Security Awareness Training platforms (e.g., KnowBe4, Proofpoint) and phishing simulation tools