Information Security Engineer

Anywhere in France, Belgium, Spain / Product – Engineering / Permanent Employment Contract / Hybrid

🐼 Who we are

Alan is your friend in health.

Alan's long-term goal is to make personal, proactive and holistic health part of people’s daily life, striving to be the world’s most member-centric healthcare company. Our employees join Alan because they truly believe in this mission. 

As of today, Alan operates in 3 countries (🇫🇷, 🇧🇪, 🇪🇸) and covers more than 400,000 members, representing over €275m+ of annualized revenue. We raised a further €183m in a series E funding round in 2022 bringing the company’s total valuation to €2.7bn. The team is 500+ people and growing. 

🤘 How we do it?

People joining Alan are always surprised and delighted by our innovative working method. We have a set of cultural values that guide our approach to work, such as:
- Members first. We put our members first, our team second, our shareholders third.
- Radical Transparency. We make all choices in writing and adopt a direct and honest style of communication.
- Personal & Team Growth. We are self-improving whilst helping others grow. We’re no ego-doers and we all edit the company.
- Distributed Ownership. We trust our colleagues to make the right choices. We are not afraid to fail fast individually to learn collectively in the long run.
- Fearless ambition. We shoot for the moon and work backwards. We focus on solving complex problems with simple principles, far from ready-made ideas.

⭐️ Information Security at Alan ⭐️

The Security function at Alan went from 0 to 1 in 2021 and then 1 to 2 in 2022.
We do security as we do everything else — that is, not quite the traditional way, but always in line with our leadership principles.

We’re members-first: the protection of privacy is integral to our promise of obsessing over member delight. Members entrust us with a sensitive and intimate area of their life: their health. We commit to deserving, earning, and retaining their trust. We aim at being thought leaders and best-in-class when it comes to effectively protecting the security of our members’ data.

We’re radically transparent: we say what we do and we do what we say. We’re not shy of sharing our failures and our opportunities to improve as well as our successes.

We distribute ownership: we give every Alaner a lot of trust, great powers, and great responsibility. We favor empowerment over restraint. We hold ourselves individually and collectively accountable, rather than relying on bureaucracy and gatekeepers that add friction without actually addressing risks.

We’re fearlessly ambitious: we make bold bets and we’re happy to take (smartly calculated) risks. We shoot for the moon, and when we fail we walk away with new learnings.


⭐️ What you'll be doing⭐️

Within the Security team, you will contribute to bringing Alan’s Security and Privacy frameworks to the next level, in line with the industry’s best practices and standards, so that the company is recognized as best in class.
You will work closely with the Security lead and the DPO task force. You will also maintain close collaboration with members of other communities (Engineering, Data, Customer Care, Product, Insurance, Operations, Corporate…), with an impact on the entire company and beyond.

Participating in building and running the Security organization

Along with the current security team, be a key contributor to Security initiatives:

- Risk assessment
  * At the company level
  * At the product level, supporting product teams during framing and development, fostering a security and privacy by design mindset
  * In the supply chain (vendor security assessments)
- Definition, documentation, and implementation of Alan’s security posture, policies, and procedures
- Security and data protection audits (whether commissioned internally, by business partners, investors, or regulatory bodies; also including security reviews from customers)
- Generating and maintaining useful, structured, and reusable documentation
  * As a means to improve the solidity of our posture
  * As a means of iteratively reducing the cost of audits and reviews
- Security Ops
  * Define, generate and maintain useful security metrics/indicators
  * Receive escalation and review of access management requests (accounts, roles, permissions)
  * First response on security-related events (investigation, assessment, forensics)

Improving Alan’s security

- Remove blind spots on our own vulnerabilities
  * Red team/internal pen test
  * Bug bounty
  * Interaction with independent security researchers
  * Internal technical audit
- Provide input and support to product teams and track progress on identified opportunities for improvement
  * Whether targeted or system-wide
  * Whether organizational or technical


⭐️ If you have some of the following, you may be a great fit ⭐️

We are a small security team (currently 2 people), so we are looking for someone who is comfortable taking a broad variety of tasks, and is willing to grow.

Hard Skills:
- Security organization and governance
  * Ability to build simple, pragmatic, actionable policies & processes:
    - Create processes and guidelines that maximize meaningful impact with minimal friction
    - Write them up in a simple, concise, digestible format
    - Explain risks and trade-offs
    - Keep us away from bureaucracy
  * Ability to prioritize, organize, communicate plans and iterate on them

- Technology
  * General technical culture in network and cloud infrastructure: TCP/IP networks, UNIX/Linux, Web applications (front & back), public cloud infrastructure. Our stack is AWS, Python, React and React Native.
  * Security technical culture: fundamental security principles, common technical vulnerabilities (at least OWASP Top 10) and mitigations

- Full working proficiency in English

Soft skills / Behavioral traits:
- Learning mindset
  * Ability to adjust to shifting context
  * Appetite for innovating and digging deep in new domains (AI/ML)
- Engineering mindset: methodical approach to problem solving with a concern for correct, elegant, robust, and economical design
- Excellent communication (both written and oral):
  * Be able to educate the entire company on security and privacy matters
  * Adaptation to audience, ability to understand other points of view, and adapt discourse vis-à-vis:
    - Product development
    - Operations
    - Corporate/compliance
    - Top management/board
    - Regulatory authorities
    - Customers
- Pragmatism: be smart about security, focus on what is the most important and efficient
- Hands-on: be able to drive change all the way through (both functional and technical) and own initiatives from A to Z

Additional nice-to-have hard skills
- Software development: although this isn’t a software engineer profile, software development experience will be an additional useful asset to:
  * Understand and review code to suggest secure design options and surface vulnerabilities
  * Build and integrate tools
  * Code scripts to automate security-related activities
- Experience with a security compliance framework: e.g. ISO 27001, PCI-DSS, ISAE/SOC…
- Experience with a risk assessment methodology: e.g. ISO 27005, EBIOS RM…
- Experience with GDPR
- Experience with regulated environments (healthcare, finance/insurance)

🙌 Perks & Benefits

At Alan, we believe that being in good health is a basic need, and it starts with our employees. This is why Alaners are provided with a stimulating environment and perks ensuring they are happy, efficient and spend only high-quality time with co-workers. 

Therefore, we offer:
- Fair rewards. Generous equity packages complement your base salary.
- Flexible Office. Amazing office space at our HQ, sponsored co-working hubs or a full-remote experience with home office equipment sponsorship, we want you to live where you’re the happiest.
- All the tools you need. Top of the range equipment: Macbook Pro, keyboard, laptop stand, monitor, and Bose noise-canceling headphones.
- Flexible vacation policy and flexible working hours. Organize your time as you wish.
- Delightful healthcare insurance. Extremely comprehensive health insurance - 100% of the contribution covered by Alan for you and your family.
- Transport. Country-specific commuter benefits.
- Learning & Training opportunities. A highly flexible training policy, free books and budget to attend and speak at conferences if the opportunity arises.
- Parental leave. Extended parental leave for all new parents.

Important note: we hire people not roles. 

After reading this job description, if you feel like you don’t have all the necessary prerequisites but that it matches where you are now or what you'd like to grow into in your next position, we encourage you to apply!

Not everybody will enter our recruitment process, but all, no matter how underrepresented, should feel free to apply as it can only bring learnings or success.

🔖 Check out our About Alan and Career pages, as well as our Medium, blog and Glassdoor page for more info.