Senior Security Analyst/Engineer

Trusted Resource Underwriters is a reciprocal insurer focused on serving homeowners in storm-prone regions across the United States. They are seeking a Senior Security Analyst/Engineer to lead their security initiatives, ensuring the protection of their systems and data while collaborating with various teams to maintain a strong security posture.

Responsibilities:

• Lead the application security program, including secure SDLC practices, threat modeling, and code review processes
• Conduct and coordinate application penetration testing and vulnerability assessments
• Partner with engineering teams to integrate security tooling (SAST, DAST, SCA) into CI/CD pipelines
• Define and enforce secure coding standards and developer security training programs
• Design and implement data classification frameworks and data loss prevention (DLP) strategies
• Oversee encryption standards for data at rest and in transit across all systems
• Identify and remediate risks related to sensitive data exposure, PII, and regulated data (e.g., SOC 2, GDPR, HIPAA where applicable)
• Develop and maintain data access controls and data governance policies
• Oversee the endpoint security program, including MDM, EDR, and device compliance policies
• Develop and deliver security awareness training and phishing simulation programs for all employees
• Establish onboarding and offboarding security checklists and access provisioning controls
• Monitor for insider threats and risky user behaviors through appropriate tooling
• Maintain, mature, and enforce the organization's cybersecurity policies, incident responses, standards, and procedures
• Drive compliance with relevant frameworks (SOC 2, ISO 27001, NIST CSF, CIS Controls)
• Manage the vendor risk management program, including third-party security assessments
• Serve as the primary point of contact for security-related audits, customer questionnaires, and compliance inquiries
• Lead and coordinate annual security risk assessments and gap analyses
• Own the vulnerability management lifecycle — from scanning to prioritization to remediation tracking
• Present security metrics, risk findings, and program status to leadership on a regular cadence
• Maintain and mature the organization's risk register
• Evaluate and harden cloud infrastructure (AWS) configurations using best practices and benchmarks (e.g., CIS)
• Implement and oversee identity and access management (IAM), zero trust principles, and privileged access controls
• Monitor security alerts via SIEM and investigate potential incidents end-to-end

Requirements:

• 5+ years of experience in information security, with a mix of analyst and engineering responsibilities
• Demonstrated experience owning or significantly contributing to an enterprise security program
• Solid understanding of application security concepts (OWASP Top 10, threat modeling, secure SDLC)
• Hands-on experience with cloud security (AWS) and infrastructure hardening
• Familiarity with compliance frameworks such as SOC 2, NIST CSF, ISO 27001, or CIS Controls
• Strong written and verbal communication skills; able to translate technical risk into business language
• Proven ability to work independently and prioritize in a fast-paced, resource-constrained environment
• Relevant certifications: CISSP, CISM, CCSP, CEH, AWS Security Specialty, or equivalent
• Experience conducting or managing penetration tests and red team exercises
• Familiarity with SaaS security tooling (e.g., Okta, CrowdStrike, Wiz, Drata, Vanta)
• Experience building a security program from scratch at a startup or high-growth company
• Knowledge of privacy regulations (GDPR, CCPA, HIPAA) and their security implications
• Background in software engineering or DevSecOps practices