Security Engineer

Linus Health · Remote

Company

Linus Health

Location

Remote

Type

Full Time

Job Description

Linus Health is a Boston-based digital health company focused on transforming brain health for people across the world. By advancing how we detect, diagnose and address cognitive and brain disorders – leveraging cutting-edge neuroscience, clinical expertise, and artificial intelligence – our goal is to enable a future where people can live longer, happier, and healthier lives with better brain health. 

We are a team of 95+ (and growing!), embarking on an exciting period of accelerated growth. We invite collaborative, self-driven and impact-oriented professionals to join our dynamic and fast-growing team.

Does this sound like an innovative & disruptive start-up where you could see yourself? If so, continue reading!

The Role

The Security Engineer will be responsible for the day-to-day management of the Linus Health security program. The responsibilities include overseeing the operation of our security controls, running internal audits, coordinating internal penetration tests and vulnerability scans, advising all members of the organization on best security practices, and communicating the effectiveness of our controls to external stakeholders such as auditors and customers.

The ideal candidate is a proactive and detail-oriented security expert with experience managing the security and privacy controls specified by SOC2, HIPAA, and GDPR. You have experience interfacing with external auditors to present evidence of our internal security program and compliance. You have a desire and the soft skills necessary to build and maintain an effective and high-powered internal security culture through friendly and informative interactions with all members of the organization. You have experience being responsible for an incident response process, and the technical skills to perform security investigations. You enjoy working alongside our Engineers to ensure our code meets the company security standards.

Working Hours

Linus Health is a distributed company with a headquarters in Boston, Massachusetts and many remote employees across numerous time zones. Linus Health fully supports those who wish to work remotely, and to facilitate collaboration with all team members we do ask for a core set of working hours of 10am to 5pm eastern time. Unfortunately, we are not able to provide sponsorship for this role at this time.

What you’ll do
  • Be the primary point of contact for Security related questions and issues for the company. This includes security related questions that come to our IT Helpdesk as well as questions around application security best-practices from Engineering.
  • Be responsible for the set of Linus Health security controls, including maintenance and updates to the control set as industry standards change and new regulations apply to our operations. The responsibility will also include verification of effective internal controls through internal audits, risk assessments, and the proposal and implementation of automatic control enforcement where applicable.
  • Handle external questions related to the Linus Health security program, such as from auditors seeking evidence of successful control operation, as well as from customers looking to understand and validate our security stance.
  • Be friendly and transparent with all members of the organization so as to build a successful security culture of shared responsibility and understanding of the threats to our operations. Be able to explain why particular security controls exist, both from a risk-mitigation perspective and by referencing the regulation or source for a control, and how it protects our operation.
  • Work with our Engineering department to ensure our code meets our security standards through collaborative architecture review, threat modeling, and training on the most prevalent security threats.
  • Run internal scans of our environment by performing internal penetration tests and vulnerability scans on our infrastructure and route the resulting findings through our SDLC process to be addressed. Advocate for and implement ongoing security/vulnerability scans in our application build processes.
  • Write scripts and other automation to aid in verification of security controls, and to increase the efficiency of various security-related processes.

About You

Must Have:

  • B.S. in Computer Science OR equivalent software engineering and scripting experience (at least a few years of professional experience).
  • Deep knowledge of security concepts, industry best practices, and how they apply to an Agile software development environment.
  • Knowledge of common compliance frameworks/regulations such as SOC2, HIPAA, GDPR, ISO 27001, HITRUST, etc.
  • Experience operating in an environment built to protect sensitive data such as health records, credit cards, and other forms of personally identifiable data.
  • Experience completing a SOC2, ISO 27001, or similar security audit, including evidence gathering, effective communication with the auditors, and maintaining the associated documentation describing the internal security control environment.
  • Experience working with Engineering teams to build and evaluate application threat models, integrate security scanning tools into a CI pipeline, and test applications for adherence to security controls using approaches such as penetration tests and code reviews.

Nice to Have:

  • Experience securing and auditing production environments hosted within Amazon Web Services.
  • Knowledge of the TypeScript programming language and familiarity with REST APIs powered by Node.js.
  • Hands-on experience performing application penetration testing against modern web application stacks (SPA frontend, API-based backend).
  • Deep knowledge of implementation details and security ramifications around authentication and authorization protocols and approaches such as OAuth2, SAML, RBAC, ABAC, etc.

What We Offer:

  • As a health and wellness company, an opportunity to have a lasting impact on the way people and communities engage with brain and mental health, and even to affect the prognoses of people’s mental and brain health trajectory
  • A mission driven environment where all 95+ employees strive to exemplify our core values every day
  • Competitive compensation packages that include an annual discretionary target bonus incentive as well as valuable equity for full time employees
  • Unlimited PTO: we know this can work both ways, but our leadership team does an excellent job of encouraging people to take PTO
  • A sincere and deep appreciation for the importance of mental health: We have recently implemented a “monthly flex day” where employees are encouraged to take time away from work to rest, recharge & reset.
  • A peer-to-peer recognition program: Celebrating our employees’ hard work and success is in our DNA!
  • Employee Referral Incentive program
  • A robust healthcare package that includes medical, dental & vision benefits as well as a 401(k) program where Linus will match up to 6% of employee contributions

Linus Health is an equal opportunity employer. All qualified candidates will receive consideration for employment without regard to race, religion, color, national origin, sexual orientation, gender, gender identity or expression, age, genetic information, disability or any characteristic protected by law. We believe that diversity is critical to the growth of our company and understand the importance of fostering an environment where everyone has a voice. We are also committed to providing reasonable accommodations for candidates with disabilities during the recruiting process. If you are in need of assistance due to a disability, please contact us.

Date Posted

02/18/2023
