Staff Security Engineer

Foodsmart

πŸ“Remote - United States

Summary

Join Foodsmart as its Governance, Risk, and Compliance (GRC) Lead, where you will independently manage compliance programs, respond to customer security inquiries, and lead audit processes. Reporting to the CISO, you will be the primary interface for customer security/privacy audits and inquiries, ensuring compliance with regulations such as HIPAA, HITRUST CSF, and CCPA. This hands-on role requires a self-starter with technical expertise and strong communication skills. You will conduct internal audits, manage external certifications, and collaborate with various teams. The role involves developing policies, performing risk assessments, monitoring security incidents, and automating compliance workflows. Foodsmart offers a remote-first work environment with competitive compensation and benefits.

Requirements

  • At least 5-8 years of experience in governance, risk management, compliance (GRC), privacy, or information security roles within regulated industries such as healthcare or technology
  • Proven expertise in managing enterprise risks and leading compliance initiatives such as SOC 2 or HITRUST certification processes
  • Deep knowledge of healthcare privacy regulations like HIPAA and HITRUST CSF as well as state-specific laws like CCPA
  • Experience responding to customer security questionnaires (e.g., SIG or CAIQ) and managing customer audits or inquiries
  • Technical familiarity with cloud infrastructure (AWS), SaaS security models, vulnerability management tools, and risk assessment methodologies
  • Exceptional written and verbal communication skills, able to engage effectively with internal teams and external stakeholders such as auditors or customers

Responsibilities

  • Conduct internal audits, risk assessments, and vulnerability scans to ensure compliance with HIPAA, HITRUST CSF, CCPA, and other privacy regulations
  • Own end-to-end management of external certifications (e.g., SOC 2, ISO 27001), including audit preparation, evidence collection, coordination with auditors, and remediation of findings
  • Respond to customer security questionnaires (e.g., SIG or CAIQ), audits, and due diligence requests; serve as the primary point of contact for external stakeholders regarding security/privacy inquiries
  • Collaborate with Sales, Legal, Product Development, and Engineering teams to address customer security concerns during contract negotiations or product development
  • Develop and maintain policies, procedures, controls, and training programs that align with regulatory requirements and industry standards
  • Perform risk assessments on cloud infrastructure (AWS), SaaS applications, and third-party vendors, and implement actionable mitigation strategies
  • Monitor security incidents and support incident response activities, including root cause analysis and corrective actions
  • Automate compliance workflows (e.g., evidence collection or control monitoring) to streamline processes
  • Stay current on emerging threats and regulatory changes affecting healthcare privacy laws, and proactively adapt policies to meet new requirements

Preferred Qualifications

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Systems Security Professional (CISSP)
  • HITRUST Certified CSF Practitioner (CCSFP)
  • ISO 27001 Lead Implementer/Auditor

Benefits

  • Remote-First Company
  • Unlimited PTO
  • Flexible & remote location
  • Healthcare Coverage (Medical, Dental, Vision)
  • 401k, bonus, & stock options
  • Registered Dietitian Sessions
  • Wellness reimbursement
