
Engineering Manager, Security
EvenUp
full-time
Location Type: Hybrid
Location: San Francisco • California • United States
Salary
💰 $188,096 - $254,482 per year
About the role
- Security Strategy & Team Leadership - Define EvenUp's security roadmap and lead a growing Security & IT team. Serve as the internal authority on risk and security posture, advising engineering, legal, and the executive team. Hire and develop talent as the function scales.
- Compliance (SOC 2 & HIPAA) - Own our SOC 2 Type II and HIPAA programs end-to-end: gap assessments, control design, audit readiness, and ongoing compliance. Maintain policies and procedures, manage auditor relationships, and stay ahead of evolving regulatory requirements.
- Product Security - Partner with Engineering to embed security into the SDLC through threat modeling, secure design reviews, and vulnerability management (SAST, DAST, pen testing). Champion a shift-left, security-by-design culture across the product org.
- Corporate IT & Infrastructure Security - Own corporate IT systems (MDM, SSO/IdP, endpoint security, IAM) and cloud security posture. Evaluate and deploy security tooling. Enforce least-privilege and zero-trust principles across the organization.
- Vendor & Third-Party Risk Management - Lead the vendor risk program, including security assessments, contract reviews (BAAs, DPAs), and ongoing monitoring of third-party risk exposure.
- Incident Response & Risk Management - Maintain the risk register, run periodic risk assessments, and own the incident response plan. Lead tabletops, manage live incidents, and coordinate breach notification in partnership with legal.
- Security Culture & Enablement - Drive security awareness across the company through training, documentation, and internal evangelism. Coach engineers and business teams on best practices and build a security-first culture from the inside out.
- Mentorship & Growth - Recruit, mentor, and develop engineers through regular feedback, coaching, and career development. Support performance management, growth planning, and team health.
Requirements
- Proven security leadership at a startup or high-growth company - you've built or scaled a security function before, not just maintained one.
- Deep compliance experience - hands-on ownership of SOC 2 Type II and HIPAA programs, from control design through audit. Familiarity with emerging requirements (state privacy laws, AI governance) is a plus.
- Technical depth across the stack - strong working knowledge of cloud security (AWS/GCP/Azure), IAM, endpoint security, and secure SDLC practices. You can go deep with engineers, not just speak to them.
- Product security chops - experience with vulnerability management, threat modeling, and integrating security into fast-moving engineering teams without becoming a bottleneck.
- People leadership - track record of managing and growing small technical teams, with the ability to hire well and develop talent as the function scales.
- Vendor & third-party risk know-how - experience running a vendor risk program, including security reviews, BAAs/DPAs, and ongoing third-party monitoring in a data-sensitive environment.
- Builder mentality - you're equally comfortable writing a policy, configuring a SIEM, presenting to the exec team, and jumping into an incident at 10 pm. You default to doing before delegating.
Benefits
- Choice of medical, dental, and vision insurance plans for you and your family.
- Additional insurance coverage options for life, accident, or critical illness.
- Flexible paid time off, sick leave, short-term and long-term disability.
- 10 US observed holidays, and Canadian statutory holidays by province.
- A home office stipend.
- 401(k) for US-based employees and RRSP for Canada-based employees.
- Paid parental leave.
- A local in-person meet-up program.
- Hubs in San Francisco and Toronto.
Applicant Tracking System Keywords
Tip: use these terms in your resume and cover letter to boost ATS matches.
Hard Skills & Tools
security strategy, risk management, SOC 2 Type II, HIPAA compliance, vulnerability management, threat modeling, secure SDLC, cloud security, IAM, endpoint security
Soft Skills
leadership, mentorship, team development, communication, coaching, problem-solving, collaboration, adaptability, training, evangelism