Staff Information Security Specialist

<p dir="auto">At Carrum, we are transforming how we pay for, deliver and experience healthcare. If you are passionate about changing healthcare and want to finally get rid of surprise bills, poor quality, and high prices, while thriving in an entrepreneurial, cutting-edge environment, we would love to connect with you.</p><p dir="auto"></p><p dir="auto">In 2014 Carrum reinvented the Centers of Excellence (COE) category in digital health. Today, 95% of the US population lives within 50 miles of a Carrum COE and our providers rank in the top 10% nationally. Our team’s execution has been recognized by the venture community and we’ve raised more than $96M in aggregate from investors like OMERS, Tiger Global Management and Wildcat Ventures. Our impact has been externally proven in a 2021 <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.carrumhealth.com/rand-corp-study-bundled-payments-save/">RAND Corporation study</a> and featured as a <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.hbs.edu/faculty/Pages/item.aspx?num=51867">Harvard Business School (HBS) case study</a>.</p><p dir="auto"></p><p dir="auto">We are not hiring for a standard operational support role; we are seeking a senior-level "force multiplier" to join our Cybersecurity & IT team as a permanent, full-time member. Our team's focus on maintaining mission-critical operations requires a strategic partner who can execute with high agency. This is a unique opportunity for a seasoned security generalist to work directly with the Director of Cybersecurity & IT to mature our program, apply deep technical expertise, provide leadership, and deliver immediate value across the organization.</p><p dir="auto"></p><p dir="auto">This role is designed for a specific profile: a builder who is ready to put down roots. You are an experienced technology generalist with a proven blend of Senior IT/Security and Senior DevOps/Engineering expertise. You are humble enough to handle audit evidence, access requests, and security questionnaires, but technical enough to dive into code reviews and cloud architecture. You thrive on execution and are wired to deliver results with minimal supervision.</p><p dir="auto">We know that exceptional candidates don't always fit a perfect mold, and the list of qualifications below represents our ideal profile. If you're excited about this mission and believe you have a strong foundation in several of these areas—plus the willingness and desire to learn the systems you are not yet familiar with—we strongly encourage you to apply.</p><p dir="auto"></p><p dir="auto"><strong><em>This is a full time position, the salary range for this role is $150,000 - $175,000 depending on level of experience and geographic location.</em></strong></p><p dir="auto"><strong>You’re excited about this opportunity because you will...</strong></p><ul dir="auto"><li dir="auto"><p dir="auto">Act as a Strategic Partner: Operate as a force multiplier for the Director and second-in-command, executing high-impact security initiatives and identifying opportunities to operationalize security strategy. Over time, you will grow into ownership and rollout of defined strategic projects.</p></li><li dir="auto"><p dir="auto">Support Compliance & Business Enablement: Execute the compliance lifecycle for HITRUST, SOC 2, and HIPAA using automation platforms like Vanta. You will also play a critical role in revenue enablement by performing vendor reviews and taking the "first pass" on client security questionnaires to unblock sales deals.</p></li><li dir="auto"><p dir="auto">Architect & Automate Identity Access Management (IAM): Lead the design and restructuring of complex access controls to enforce Least Privilege across our SaaS and Cloud ecosystem. Crucially, you will move us away from manual provisioning by implementing lifecycle automation and Identity Governance (IGA) workflows. While you will initially handle operational requests, your primary goal is to engineer the systems that eliminate the need for manual intervention. (e.g. AWS, Azure, Google Workspace, GitHub, Atlassian, Slack Enterprise)</p></li><li dir="auto"><p dir="auto">Lead AppSec & DevSecOps: Function as an Application Security lead by conducting automated and manual code security reviews, performing threat hunting, and tracking remediation tasks directly with the Engineering and DevOps teams.</p></li><li dir="auto"><p dir="auto">AI Tooling & Innovation: Proactively identify, evaluate, and leverage AI-driven security tools to automate manual tasks, improve threat detection, and enhance internal knowledge management.</p></li><li dir="auto"><p dir="auto">Partner on AI Governance & Security Strategy: Collaborate with cross-department leadership to define and execute the security posture for our adoption of emerging AI technologies. While we don't expect a decade of experience in this new field, you must possess a strong grasp of AI Governance principles, including securing LLM implementations and managing data privacy in AI workflows. You will be responsible for researching and implementing the "guardrails" that allow us to innovate safely.</p></li><li dir="auto"><p dir="auto">Handle Security Operations: Configure and analyze logs for our defensive stack, including tools such as SentinelOne, AWS Security Hub/GuardDuty, and Spin.ai.</p></li><li dir="auto"><p dir="auto">Incident Response Leadership: Act as a technical lead during security incidents. You will coordinate the initial response, lead investigation efforts, and communicate technical findings to Engineering and Leadership to ensure rapid remediation and minimal business impact.</p></li><li dir="auto"><p dir="auto">Drive Policy Governance: Contribute to the security policy lifecycle by participating in regular reviews and updating internal documentation to ensure it remains current, effective, and aligned with the evolving threat landscape.</p></li><li dir="auto"><p dir="auto">Organizational Rollouts & Education: Act as the lead for rolling out new security tools or processes. You will drive a "security-first" culture by leading internal awareness sessions and educating team members on best practices.</p></li></ul><p dir="auto"><strong>We’re excited about you because…</strong></p><ul dir="auto"><li dir="auto"><p dir="auto">You have 8+ years of relevant experience in senior-level IT, DevOps, Engineering, or Security roles.</p></li><li dir="auto"><p dir="auto">You value practical application. We prioritize hands-on experience over certifications. While certifications are valuable, they are less desirable without the demonstrable, battle-tested experience to back them up.</p></li><li dir="auto"><p dir="auto">You are comfortable working independently as a Full-Time Employee (FTE), with clear deliverables and minimal day-to-day supervision.</p></li><li dir="auto"><p dir="auto">You have deep experience with compliance automation platforms (Vanta is preferred, but experience with Drata or Secureframe is acceptable), including system integration, control automation, and evidence collection.</p></li><li dir="auto"><p dir="auto">You possess a "builder" mindset but understand the importance of administrative security work; you are willing to dive into security questionnaires and vendor assessments to support business growth.</p></li><li dir="auto"><p dir="auto">You bring expert-level knowledge of Identity and Access Management (IAM) principles, specifically for re-architecting roles and enforcing the principle of least privilege in complex environments.</p></li><li dir="auto"><p dir="auto">You can communicate technical security risks and incident status clearly across both written and oral formats to non-technical stakeholders and clients. You are skilled at advocating for security priorities and negotiating "secure-by-default" solutions with Engineering and Product teams.</p></li><li dir="auto"><p dir="auto">You are highly organized and comfortable using task management tools (preferably Jira) to structure your work and track deliverables.</p></li><li dir="auto"><p dir="auto">You have hands-on experience with AppSec workflows, including code scanning, vulnerability management, and translating security findings into actionable engineering tickets.</p></li></ul><p dir="auto"><strong>Other Preferred Skills:</strong></p><ul dir="auto"><li dir="auto"><p dir="auto">Rippling management and configuration.</p></li><li dir="auto"><p dir="auto">Hands-on experience configuring and managing Zscaler environments.</p></li><li dir="auto"><p dir="auto">Administration and policy configuration for SentinelOne or similar EDR platforms.</p></li><li dir="auto"><p dir="auto">Experience with SaaS Security Posture Management (SSPM) tools like Spin.ai.</p></li><li dir="auto"><p dir="auto">Microsoft Azure Security design and hardening.</p></li><li dir="auto"><p dir="auto">Interest in leveraging AWS AI tools (Amazon Q Business, Bedrock, Kendra) for internal knowledge management.</p></li></ul><p dir="auto"><strong>Why you’ll love working with us...</strong></p><ul dir="auto"><li dir="auto"><p dir="auto">We’re a hard-working, humble, and compassionate group motivated to solve the hard problems in healthcare today. You’ll work with talented, experienced co-workers from companies like Booz & Company, Livongo, 98point6, Google, and Optum. We believe in using data to inform decisions, technology to make our jobs easier, and creative thinking to pave the future.</p></li><li dir="auto"><p dir="auto">We are working with some of the most recognized and esteemed names in the country. Top hospitals like Johns Hopkins, Mayo Clinic, Stanford Health Care, Scripps Health, and Rush Health have joined our platform. Employers who use our benefit include US Foods, United Airlines, and large public sector organizations like the self-insured schools of California, and the State of Maine.</p></li><li dir="auto"><p dir="auto">We empower team members to be autonomous and provide a collaborative environment where you get support and healthy feedback. You can bring your authentic self to work every day and are encouraged to help others do the same.</p></li><li dir="auto"><p dir="auto">We carve out time to let go of work to celebrate our successes and have fun. We’re a remote-first company with employees all over the United States and two office locations in San Francisco and Chicago. We support our employees during the work day and beyond with flexible working hours, generous time off, paid parental leave, and opportunities to connect with coworkers both virtually and in-person.</p></li><li dir="auto"><p dir="auto">We embrace our team’s diversity of thought, experience, and interests and know that doing so makes us stronger as a company. Carrum has an active employee-led Diversity, Equity, Inclusion, and Justice (DEIJ) committee and several employee resource groups (ERGs). Our ERGS help employees build stronger connections through social, educational, and community activities.</p></li><li dir="auto"><p dir="auto">You’ll feel proud that the work you do each day directly impacts people’s lives in big and meaningful ways.</p></li></ul><p dir="auto">Other benefits:</p><ul dir="auto"><li dir="auto"><p dir="auto">Stock option plan</p></li><li dir="auto"><p dir="auto">Flexible schedules and remote work</p></li><li dir="auto"><p dir="auto">Chicago and San Francisco offices available</p></li><li dir="auto"><p dir="auto">Self-managed vacation days, within reason</p></li><li dir="auto"><p dir="auto">Paid parental leave</p></li><li dir="auto"><p dir="auto">Health, vision, and dental insurance</p></li><li dir="auto"><p dir="auto">401K retirement plan</p></li></ul><p dir="auto"><strong>About Carrum</strong></p><p dir="auto">We’re a health tech company that brings value-based care to the masses. We help employers deliver a memorable patient experience, immediately lower healthcare costs, and drive better outcomes and achieve this through the power of technology and human-centered design. Since launching in 2014, we’ve partnered with Fortune 500 employers and top hospitals across the nation. We’ve been recognized by Harvard Business School and featured in TechCrunch, The Los Angeles Times, Washington Post, and Modern Healthcare. We believe we’re only scratching the surface of our opportunity and we’re looking for incredible people like you to help us realize our full impact.</p><p dir="auto">Carrum Health is an equal opportunity employer and encourages all applicants from every background and life experience.</p>

Back to blog

Common Interview Questions And Answers

1. HOW DO YOU PLAN YOUR DAY?

This is what this question poses: When do you focus and start working seriously? What are the hours you work optimally? Are you a night owl? A morning bird? Remote teams can be made up of people working on different shifts and around the world, so you won't necessarily be stuck in the 9-5 schedule if it's not for you...

2. HOW DO YOU USE THE DIFFERENT COMMUNICATION TOOLS IN DIFFERENT SITUATIONS?

When you're working on a remote team, there's no way to chat in the hallway between meetings or catch up on the latest project during an office carpool. Therefore, virtual communication will be absolutely essential to get your work done...

3. WHAT IS "WORKING REMOTE" REALLY FOR YOU?

Many people want to work remotely because of the flexibility it allows. You can work anywhere and at any time of the day...

4. WHAT DO YOU NEED IN YOUR PHYSICAL WORKSPACE TO SUCCEED IN YOUR WORK?

With this question, companies are looking to see what equipment they may need to provide you with and to verify how aware you are of what remote working could mean for you physically and logistically...

5. HOW DO YOU PROCESS INFORMATION?

Several years ago, I was working in a team to plan a big event. My supervisor made us all work as a team before the big day. One of our activities has been to find out how each of us processes information...

6. HOW DO YOU MANAGE THE CALENDAR AND THE PROGRAM? WHICH APPLICATIONS / SYSTEM DO YOU USE?

Or you may receive even more specific questions, such as: What's on your calendar? Do you plan blocks of time to do certain types of work? Do you have an open calendar that everyone can see?...

7. HOW DO YOU ORGANIZE FILES, LINKS, AND TABS ON YOUR COMPUTER?

Just like your schedule, how you track files and other information is very important. After all, everything is digital!...

8. HOW TO PRIORITIZE WORK?

The day I watched Marie Forleo's film separating the important from the urgent, my life changed. Not all remote jobs start fast, but most of them are...

9. HOW DO YOU PREPARE FOR A MEETING AND PREPARE A MEETING? WHAT DO YOU SEE HAPPENING DURING THE MEETING?

Just as communication is essential when working remotely, so is organization. Because you won't have those opportunities in the elevator or a casual conversation in the lunchroom, you should take advantage of the little time you have in a video or phone conference...

10. HOW DO YOU USE TECHNOLOGY ON A DAILY BASIS, IN YOUR WORK AND FOR YOUR PLEASURE?

This is a great question because it shows your comfort level with technology, which is very important for a remote worker because you will be working with technology over time...