Senior Security Engineer

The Security Engineer is a member of PG Forsta’s Information Security team and is responsible for building and maintaining controls that manage information risk and security. The engineer is expected to build and maintain administrative, technical, and physical controls to secure PG Forsta data and keep PG Forsta in compliance with applicable laws, regulations, and contractual terms.We are seeking a Senior Security Engineer with a strong software development background to help us design, build, and scale secure systems. You will play a critical role in researching, architecting, and implementing innovative security solutions while working closely with product engineering teams to ensure security is embedded throughout the development lifecycle.Skills We Are Looking ForSoftware development, including automated CI/CD pipelinesSBOM, SCA, SAST, DAST (Software Bill of Materials, Software Composition Analysis, Static Analysis Security Testing, Dynamic Analysis Security Testing)Identity management best practicesVulnerability management, specifically with software dependenciesIncident response and troubleshootingITSM workflow and processThis position has no direct reports. It is a remote position that may require coordination with US working hours, occasional travel (1-2 times per year) and on-call support every 6-8 weeks.Ideal Candidate: Application developer/engineer with experience with build pipelines, security testing, SBOMs, vulnerability management, and coordinating with product, engineering, and security teams.About The TeamThe Risk and Security team is part of the Legal Department. The team reports to the SVP, Risk and Security who reports to the General Counsel. It consists of people with technical security skills and non-technical audit and compliance skills.PG Forsta’s security team is well-funded and supported by management. We have meaningful influence on how systems are designed and implemented. The department is structured to allow internal staff to leave work at work. While the job will require setting goals and meeting deadlines, it rarely requires more than 45 hours of work per week.Duties And ResponsibilitiesStrategy & VisionParticipate in vision, principles, and security strategy for projects or specific technologies, ensuring alignment with organizational goals.Operational ExecutionIntegrate and manage security tooling across the SDLC and CI/CD pipelines, including:Software Composition Analysis (SCA)Static Application Security Testing (SAST)Dynamic Application Security Testing (DAST)Secrets detection, Infrastructure-as-code scanning, API security testing, and vulnerability correlation platformsSafeguard the software development lifecycle by securing dependencies, container images, build processes, and third-party integrations.Embed security into new CI/CD pipelines and maintain existing security testing in CI/CD pipelines and troubleshoot them as needed.Contribute hands-on to codebases where needed, providing guidance on secure coding practices and reviewing critical code paths.Champion container security by ensuring secure image creation, scanning, and runtime protections across platforms like Docker and Kubernetes.Drive adoption of secure coding practices, supported by threat modelling, code reviews, and developer training programs.Drive security awareness and best practices across engineering teams by mentoring developers and empowering Security Champions.Establish and track key metrics for AppSec maturity, risk reduction, and remediation SLAs.Cross-Functional CollaborationLiaise with Legal to define and communicate security controls required for regulatory compliance and contractual obligations.Working with product engineering, design and implement security for microservices architectures, including mTLS, service-to-service authentication, secrets management.Working with product engineering, Research, design, and apply innovative security solutions to both new and existing systems.Partner with DevOps and Infrastructure teams to secure Azure cloud-native environments, including container orchestration and deployment layers.Partner with GRC and Client Response teams to prepare for audits, provide standardised answers to security questionnaires, and represent pipeline and platform controls to clients and external assessors.Engage with Pre-Sales Engineering, where required, to support security discussions with strategic prospects and customers.Create transparency and trust around security posture through consistent reporting, dashboards, and stakeholder communication.Continuous ImprovementIdentify gaps in security posture and propose enhancements to architecture, processes, and tooling.Required QualificationsStrong background in software development (experience with at least one major language such as Go, Java, Python, or C#).Hands-on experience in building and troubleshooting CI/CD pipelines (Jenkins, Azure DevOps, GitLab CI, GitHub Actions, or similar).Deep understanding of secure architecture patterns (microservices, APIs, authentication, authorization).Experience with mTLS, PKI, and cryptographic protocols.Hands-on experience with IaC security and secure automation.Ability to effectively communicate complex security concepts to both technical and non-technical audiences.Familiarity with modern infrastructure (Kubernetes, Docker, cloud-native environments).Knowledge of modern DevSecOps practices and CI/CD security integration.Preferred QualificationsThreat modeling and risk assessment experience.Experience with tools like Sigstore, SLSA, or in-toto for supply chain security.Contributions to open-source security tools or research.Experience building or driving a Security Champion program is a plus.Experience6+ years' experience in Application Development or similar technical role(Preferred) Experience in a healthcare environment.Compliance & Ethics ExpectationsParticipates and successfully completes the company's compliance program requirements and adheres to the Code of Conduct, Company policies, and applicable federal and state requirements.Sets an example for other employees regarding how the Company's Code of Conduct and Compliance Program is applied and observed every day when dealing with customers, business operations, or other teammates.Reports potential violations of company policy, Code of Conduct, and/or applicable laws and regulationsPromotes an environment in which other employees are encouraged to report potential violations.As appropriate, provides input and suggestions regarding areas in which policies, procedures, workflows, and/or controls can be improved to enhance compliance.Special Working ConditionsThis is a remote-working position. Week-long travel may be required 1-4 times per year.Special Physical RequirementsThe work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.Requires ability to get to all users' operations and computer facilities.Requires the ability to meet deadlines, frequent assignment changes, periodic heavy workload, rapidly changing environment, and dynamic business growth.Requires ability to concentrate on detailed tasks for sustained periods of time.Requires the ability to operate computer, printer, copy machine, calculator, other general office equipment, and to record written information.Requires the ability to communicate with customers, users and vendor representatives in person, in writing, and on the telephone.Requires the ability to read computer output and printed material.Requires the ability to read complex vendor reference material and written user manuals.Requires the ability to participate in interactive verbal group activities including brainstorming and application design working sessions.Requires the ability to travel occasionally, including domestic flights.Requires ability to withstand mental pressure caused by time deadlines, frequent changes, periodic heavy workload, rapidly changing environment and dynamic business growth.Our privacy policy can be found here: https://www.pressganey.com/legal-privacy/