Head of Information Security
Burlingame, California /
Recently named by Rock Health as the 'Best Digital Health Company to Work For,' Color is a leading healthcare technology company. Color makes population-scale healthcare programs accessible, convenient, and cost-effective for everyone. Color works with health systems, employers, and national health initiatives around the world including the million-person All of Us Research Program by the National Institutes of Health.
Since March, Color has mobilized to repurpose core parts of its infrastructure for a massive COVID-19 response and helped fundamentally change the access model for COVID-19 testing across massive public health programs (including the City of San Francisco and community-based efforts in Oakland), major U.S. employers, and universities. For more information about Color and its response to COVID-19, visit www.color.com.
Color's current engineering team spans a wide range of interests, skills, and backgrounds. Many of us are infosec savvy and capable, but none of us do security full time. That's why we need you!
As Color's executive head of security, you will take the lead on defining and implementing the company's overall security posture. You'll work with our CEO, Head of Engineering, and the rest of the leadership team to secure our third party tools, in house code, production systems, data, and human processes.
This is an exciting opportunity to drive security and privacy for a company with unique assets and challenges: a genetic testing product, sensitive health data, a full in house clinical laboratory, and a wide range of other needs. You'll spend plenty of time on leadership, but you'll also have opportunities to dive in and get hands on, applying threat modeling to on site clinical health care, teaching engineers how to think like black hats, running fuzzers and scanners, and much more.
Show us you have the security mindset and see everything as a system to be exploited...and protected!
How You'll Contribute:
- Own and improve our company's overall security posture
- Work with other executive leaders to define our overall privacy posture
- Apply threat modeling as a primary tool to understand and secure our systems
- Help the entire Color engineering team learn and apply the security mindset to designing systems and writing code
- Drive company-wide efforts to improve our securityEvaluate, integrate, and manage third party security tools and processes
- Design and drive secure audit logging for all employee access to PHI (personal health information)
- Analyze, quantify, and protect public datasets like Color Data from re-identification attacksCoordinate external penetration tests. Triage, prioritize, implement, and help other engineers fix issues that arise.
- Evaluate, select, and help integrate modern security tools (eg IDSes) into our production and employee IT environments
- Help engineers run fuzzers, scanners, static analyses, and other tools on our code and systems to discover vulnerabilities
- Review and triage security disclosures from external researchers
- Support and lead security compliance efforts, eg FISMA and HIPAA
- Maintain resources for customers on our security posture and practices. Support our sales team when they answer questions.
Our Ideal Candidate Will Have:
- You have the security mindset ingrained and see everything as a system to be exploited...and protected!
- You understand that security is a spectrum of risk vs cost, and that nothing is bulletproof or unbreakable
- You believe in craft and pragmatism: solving the problem at hand with the best tools for the job, whether that's custom code, third party tools, human processes, or watchful waiting
- You are excited about collaborating with product engineers, lab scientists, academic researchers, business people, and others across Color
- You have strong opinions (loosely held) about modern security practices and techniques
- You are intrinsically motivated, able to execute independently, while being proactive about seeking input from colleagues
- You're confident in modern cloud environments like AWS and GCP, and with web app tools like Python and Django, Docker and containerization, data processing pipelines, etc.
- You enjoy teaching engineers - and everyone - about security!
Color is an equal opportunity employer. In accordance with anti-discrimination law, it is the purpose of this policy to effectuate these principles and mandates. Color prohibits discrimination and harassment of any type and affords equal employment opportunities to employees and applicants without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law. Color conforms to the spirit as well as to the letter of all applicable laws and regulations.