
Senior Security Engineer

usergems
Worldwide · Remote · 1w ago
Seniority
Senior

About the role

<div class="content-intro"><p>UserGems is the AI command center for go-to-market teams (think of it as an AI brain for sales and marketing). Powered by best-in-class contact data, its AI agents (Gem-E) automatically surface high-intent buyers, prioritize them, deploy personalized outbound, create ad audiences and ABM to drive more pipeline.</p>
<p>We’re backed by top Silicon Valley VCs (Craft Ventures, Uncork Capital, Battery Ventures, Tiger Global, and more) and have hundreds of happy customers from startups to public enterprises.</p></div>
<p><strong>Operate UserGems' security and compliance program day-to-day, partnered with the Sr. Director on direction and strategy.</strong></p>
<p>UserGems is an AI platform helping sales and marketing teams double pipeline impact. Our AI agent Gem-E turns signals from CRMs, buying intent, and public data into precise outreach - generating $4B in pipeline and $950M in revenue for customers like CrowdStrike, UserTesting, and SAP LeanIX (15X+ ROI).</p>
<p>UserGems is a ~70-person company with around 25 engineers across Europe and 45 team members in sales and marketing based in the U.S. Several of our customers are top-tier security companies themselves (e.g. CrowdStrike), so our own security posture directly influences how fast revenue can move.</p>
<h4>The Role</h4>
<p>You will be UserGems' <strong>single dedicated security person</strong>, taking over the operational majority of the security work the Sr. Director currently owns. This is a <strong>compliance-led role with hands-on operational components</strong> - heavy on SOC 2 / ISO ownership, customer security reviews, day-to-day program operations, and Drata-driven remediation in AWS. Compliance is the primary focus, and over time you'll own the full technical scope described below as well. <strong>The Sr. Director approves direction; you propose, shape, and execute the program.</strong> Cadence is a bi-weekly 1:1 with the Sr. Director plus a weekly work discussion, same as every UserGems employee.</p>
<p>UserGems' security program is in great shape - no fires to put out. SOC 2 Type II has been in place for years, all compliance monitoring is centralized in <strong>Drata</strong>, scanner findings auto-flow into Linear and are auto-triaged by an in-house automation, and <strong>CrowdStrike Complete (managed MDR)</strong> handles runtime protection. There's no on-call rotation at UserGems - incident response is a whole-team effort, and the Sr. Director continues to cover during your time off.</p>
<p>The Sr. Director currently runs the whole program in roughly 25% of one person's time, so a dedicated owner has real headroom. Expect your time to split roughly <strong>2–3 days per week on baseline operations</strong> and the remainder on <strong>new initiatives</strong>. The biggest near-term programs are <strong>ISO 27001</strong> and likely <strong>ISO 42001 (AI management)</strong> - both held back today because no one has the dedicated capacity to drive them. That's the gap you fill.</p>
<h4>You'll thrive here if you:</h4>
<ul>
<li>Lean strongly into compliance/GRC operations - with enough hands-on AWS comfort to action Drata-flagged remediations independently.</li>
<li>Want to <strong>own operations end-to-end and influence direction</strong> - you propose, the Sr. Director approves, you ship.</li>
<li>Like a startup environment where priorities are clear, ownership is real, and you ship and move on.</li>
</ul>
<h4>What You'll Do</h4>
<ul>
<li><strong>Own SOC 2</strong> - keep Drata green and audits clean.</li>
<li><strong>Lead ISO 27001 implementation</strong>, then ISO 42001.</li>
<li><strong>Run the customer security questionnaire process</strong> (SafeBase + Trust Center) - fast turnaround directly unblocks revenue.</li>
<li><strong>Drata-driven AWS remediation.</strong> Action simple Drata findings directly in AWS yourself - IAM tweaks, S3 settings, secrets hygiene, audit-trail follow-ups. Larger or higher-risk changes go to engineering.</li>
<li><strong>Vulnerability management.</strong> Oversee and extend the existing scanner-findings automation in Linear; hit SLAs.</li>
<li><strong>Light secure code review.</strong> Spot-check high-risk features and new repositories (especially AI/LLM systems) before they go to production; escalate deeper AppSec questions to engineering and external pen testers.</li>
<li><strong>Threat detection &amp; response.</strong> Tune GuardDuty findings, evaluate central logging / SIEM options, run tabletop exercises, mature the IRP from written to rehearsed.</li>
<li><strong>Offensive security.</strong> Run the annual external pen test, perform regular internal pen tests yourself, handle external researcher reports and bug bounty payouts.</li>
<li><strong>Onboarding &amp; offboarding.</strong> Own access provisioning and revocation.</li>
<li><strong>Be the security person at UserGems.</strong> Internally and externally, you are the face of security - questions, escalations, customer security reviews, and audit conversations come to you.</li>
</ul>
<h4>AI Security &amp; Governance</h4>
<p>UserGems is an AI company, and AI risk shows up in nearly every customer security review. A meaningful portion of this role is <strong>shaping how a modern, AI-native company secures both its product and its own internal AI usage</strong> - not just answering questionnaires about it.</p>
<p>We're already <strong>EU AI Act compliant</strong> - so you're extending a working baseline, not starting from zero.</p>
<p>You'll own:</p>
<ul>
<li><strong>ISO 42001 readiness from scratch.</strong></li>
<li><strong>Model &amp; data governance</strong> for Gem-E and our self-hosted LLMs on Azure: data residency posture, prompt-injection threat modeling, access controls on training/inference data.</li>
<li><strong>Internal AI tooling built by non-engineering teams.</strong> Sales, marketing, and ops are building their own AI-powered internal tools. You'll shape how this scales safely - guardrails, access boundaries, monitoring, and review.</li>
<li><strong>AI in our own security stack</strong> - extending our in-house Linear/scanner automations, AI-assisted questionnaire workflows, and security review of AI-generated code.</li>
<li><strong>Customer-facing AI security narrative</strong> - shaping the answers, Trust Center statements, and policies that prospects' security teams will scrutinize.</li>
</ul>
<h4>Our Tech Stack</h4>
<ul>
<li><strong>Cloud:</strong> AWS (primary), some Azure (self-hosted LLMs)</li>
<li><strong>Compliance / GRC:</strong> Drata, SafeBase (Trust Center), Linear</li>
<li><strong>Detection / Endpoint:</strong> AWS GuardDuty, CrowdStrike Complete (managed MDR)</li>
<li><strong>Scanners feeding Linear:</strong> GitHub, AWS Inspector, ZAP</li>
<li><strong>Infra (owned by engineering):</strong> Terraform, Kubernetes, Docker, GitHub</li>
</ul>
<h4>What We're Looking For</h4>
<p><strong>Non-negotiable:</strong></p>
<ul>
<li><strong>You have personally owned a SOC 2 or ISO audit end-to-end</strong> - as the operational owner accountable to the auditor, not "on the team" - and delivered a <strong>zero-exception report</strong>. <strong>If you can't honestly say "yes" to this, please don't apply.</strong></li>
<li><strong>Working AWS knowledge</strong> - you can navigate the AWS console, action Drata-flagged remediations yourself (IAM, S3, KMS, audit trails), and read CloudTrail when investigating an alert. You do <strong>not</strong> need to be a cloud-infrastructure engineer.</li>
<li><strong>Can understand Terraform with AI help</strong> - fluency isn't required. What matters is that you can drive AI to explain a diff, follow it critically, and catch when AI is wrong about IaC. Engineering owns infrastructure authorship.</li>
<li><strong>High ownership and accountability</strong> - you ship audits, questionnaires, and policy work without a project manager keeping you on track.</li>
<li><strong>Excellent written English</strong> - questionnaires, Trust Center, and policies are customer-facing.</li>
<li>Comfortable with async collaboration across Europe and the U.S. Most US work is async, but some late-afternoon CET availability helps - around once a week, same-day US input turns a multi-day back-and-forth into a 10-minute conversation.</li>
</ul>
<p><strong>Strongly preferred - you'll likely grow into the gaps:</strong></p>
<ul>
<li>Solid grasp of attacker techniques and modern application security (web/API, cloud, supply chain).</li>
<li>Hands-on secure code review experience, including AI/LLM systems.</li>
<li>Comfort tuning detection (GuardDuty / SIEM) and running incident response.</li>
</ul>
<h4>Nice to Have</h4>
<ul>
<li>ISO 27001 Lead Implementer or Lead Auditor experience.</li>
<li>ISO 42001 / AI governance familiarity.</li>
<li>Hands-on Kubernetes / container security.</li>
<li>Light coding ability (Java preferred) - our security automation lives in code, and you'll extend it.</li>
<li>Experience with auditing LLM security.</li>
</ul>
<h4>How We Work</h4>
<p>We're a lean team where everyone owns their work end-to-end. We trust people to manage their own time, and we expect real output plus the basic async hygiene that makes it work: flag blockers early, surface progress, don't go dark.</p>
<p>This is a high-commitment role, not a standard 9-to-5. If you're looking to coast, this isn't the right fit.</p>
<p><strong>Target annual compensation range for the role is €80k–€100k</strong>. Final seniority leveling and compensation package will be determined based on commensurate experience, qualifications, and demonstrated ability to perform in the senior-level role.</p>
<div class="content-conclusion"><h5><span style="font-size: 10pt;"><strong>Why you should join:</strong></span></h5>
<ul>
<li style="font-weight: 400;"><span style="font-weight: 400;">You’ll be part of a fast-growing startup as it scales from 60 employees to 100+</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">Customers love us! (see our </span><a href="https://www.usergems.com/customers" target="_blank">Customers</a> page and <a href="https://www.g2.com/products/usergems/reviews" target="_blank">G2 Reviews</a>). They see ROI in Closed Won revenue generated</li>
<li style="font-weight: 400;">Employees love us! (see our <a href="https://www.glassdoor.com/Overview/Working-at-UserGems-EI_IE6791259.11,19.htm" target="_blank">Glassdoor</a> &amp; <a href="https://www.repvue.com/companies/Usergems" target="_blank">RepVue</a> pages)</li>
<li style="font-weight: 400;"><span style="font-weight: 400;">We're a remote-first company with employees across the Americas and Europe</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">We have weekly standups, virtual happy hours, and in-person off-sites around the world so that everyone stays connected</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">We are customer-focused and data-driven in everything we do</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">We value individual differences in the workforce and strive to make everyone feel welcomed and accepted, regardless of their skin color, gender, or sexual orientation</span></li>
<li style="font-weight: 400;"><span style="font-weight: 400;">We offer a competitive salary and benefits</span></li>
</ul></div>
