Cybersecurity Engineer

We're hiring our first dedicated Cybersecurity Engineer to own the full security posture of a growing multi-vertical telehealth platform and EHR system handling Protected Health Information (PHI). This is a senior, hands-on build-and-maintain role — not a compliance checkbox or one-time audit. You'll embed security across our engineering culture, CI/CD pipeline, and GCP (Google Cloud Platform)-native cloud infrastructure, and keep us defensible as we scale across multiple healthcare verticals.

You'll serve as Sphere's first security hire, building the foundation ahead of a CISO (Chief Information Security Officer) joining in 2027. Everything you build should be documented, scalable, and transferable. You'll report directly to engineering leadership and partner closely with product and backend engineers daily.

Schedule: 9 AM to 6 PM EST

• Application & Cloud Security — Continuously assess and harden web apps, APIs, and GCP-native infrastructure; implement security controls across all environments and healthcare verticals
• DevSecOps & Secure SDLC — Integrate security gates into the CI/CD pipeline: SAST/DAST, dependency scanning, secrets detection, container image scanning, and secure coding standards
• HIPAA/HITECH Compliance — Maintain and improve our compliance posture including technical safeguards, access controls, audit logging, encryption standards, and BAA oversight; lay groundwork for HITRUST CSF certification
• Vulnerability & Threat Management — Run ongoing vulnerability assessments, manage a risk register, triage findings, and drive remediation with engineering
• Incident Response — Own the IR plan; lead detection, containment, and post-mortem for security incidents
• Security Foundation Building — Document all security policies, controls, and architecture decisions to enable a smooth handoff to an incoming CISO in 2027
• Security Culture — Be the go-to security resource for engineering and product — make PHI protection a default, not an afterthought

• 5+ years of experience in application security, cloud security, or security engineering
• Hands-on experience with DevSecOps tooling (e.g., Snyk, Trivy, Semgrep, GitHub Advanced Security, HashiCorp Vault, OWASP ZAP)
• Strong GCP security fundamentals — GCP Security Command Center, Cloud Armor, Chronicle SIEM, VPC Service Controls, IAM, and Cloud Logging
• Direct experience with HIPAA, HITECH, or comparable regulated environments (SOC 2, PCI-DSS, ISO 27001 a plus)
• Proficiency in at least one scripting/automation language (Python, Bash, or similar)
• Solid understanding of web application security (OWASP Top 10, API security, auth/authz patterns)
• Ability to work independently and cross-functionally — you'll be the sole security voice for 12–18 months
• Excellent written communication — able to document policies, explain risk to non-technical stakeholders, and write clear incident reports
• Comfortable working with meaningful overlap with US Eastern or Pacific hours

• Security certifications: CISSP, CISM, CEH, Security+, GCP Professional Cloud Security Engineer, or equivalent
• Familiarity with HITRUST CSF framework
• Experience in healthcare tech, telehealth, or multi-vertical health platforms
• Familiarity with FHIR/HL7 data standards and EHR security considerations
• Experience conducting or managing third-party penetration tests
• Exposure to Zero Trust architecture or SASE frameworks