Member of Technical Staff, Security Compliance

Envoy, San Francisco, CA (Onsite)

About The Position

Envoy is building a security program where controls are embedded in how we build and operate software, risk is clearly owned, and audit readiness is continuous rather than reactive. As a Security Compliance Engineer, you will design and operate the systems that make our security posture measurable, defensible, and scalable as we grow.

This is not a documentation-only compliance role. You will work directly with Product and Infrastructure engineering teams to translate real-world cloud and application implementations into unified, cross-framework controls that are automated wherever possible and grounded in technical reality. You will combine security domain expertise with hands-on engineering capability to reduce manual compliance work and build durable assurance systems.

Today our compliance program spans ISO 27001, SOC 2, CMMC Level 1, and HIPAA. As we expand our enterprise and public sector footprint, FedRAMP readiness is part of our future accreditation roadmap.

This is an on-site position that requires 4 days a week (Monday through Thursday) in our San Francisco HQ office.

Requirements

  • 5+ years of experience in security engineering, security assurance, or a related field
  • Direct experience owning or leading ISO 27001 and/or SOC 2 audit cycles
  • Experience mapping real technical implementations to security control frameworks
  • Working knowledge of modern cloud environments such as AWS
  • Ability to evaluate access control trade-offs and logging adequacy
  • Experience maintaining or operating a security risk register
  • Ability to write scripts or small internal tools in languages such as Python, Bash, or similar
  • Experience using APIs and cloud integrations to automate workflows or evidence collection
  • Comfort working in engineering repositories and collaborating via pull requests
  • Curiosity and practical experience experimenting with AI tools to reduce manual operational work
  • Strong written and verbal communication skills, with the ability to explain risk in clear, practical terms
  • A pragmatic mindset that balances long-term system improvement with real-world delivery constraints

Nice To Haves

  • Experience with CMMC Level 1 or federal compliance environments
  • Exposure to FedRAMP requirements or public sector security standards
  • Experience with HIPAA safeguards and healthcare-related controls
  • Experience automating compliance evidence using cloud-native tooling
  • Familiarity with infrastructure-as-code and CI/CD security patterns
  • Experience designing tiered vendor risk programs
  • Experience defining or implementing data classification models
  • Experience building security dashboards or reporting frameworks

Responsibilities

  • Own and evolve Envoy’s unified cross-framework control model across ISO 27001, SOC 2, CMMC Level 1, and HIPAA, and support future FedRAMP readiness
  • Maintain and mature the security risk register, ensuring risk decisions are explicit, documented, and visible
  • Drive continuous audit readiness without a quarterly scramble
  • Define and reinforce clear control ownership across Product and Infrastructure teams
  • Operate and mature key assurance programs including vendor risk management, data classification, and security awareness
  • Build lightweight tooling and automation to continuously validate controls and eliminate manual evidence collection
  • Use code, APIs, and cloud integrations to automate recurring compliance workflows
  • Leverage AI to accelerate control mapping, questionnaire drafting, evidence summarization, and internal self-serve compliance knowledge
  • Define and report on security KPIs to leadership, and streamline enterprise security questionnaire responses