Attack Surface Management Engineer, Principal

HealthEquity
Full-time
Remote
United States
$133,000 - $170,000 USD yearly

Overview

We are CONNECTING HEALTH AND WEALTH. Come be part of remarkable.

How you can make a difference

As a Principal Attack Surface Management Engineer, you will manage technology and security risks across the organization, working closely with various stakeholders. Your thought leadership will guide the direction of our Attack Surface Management team within the Security organization.

What you’ll be doing

  • Identify and Remediate Gaps: Independently identify security and program gaps (technical tools, skillset, resources) within the internal and external environment, and offer contextualized remediation guidance to cross-functional teams.
  • Lead and Drive Projects: Lead significant security projects from inception to delivery, achieving team consensus among various stakeholders. When consensus cannot be reached, identify the best path forward to meet security objectives while balancing business risk and operations.
  • Senior Escalation Point: Serve as a senior escalation point for the Threat & Vulnerability Management program, determining exploitability of vulnerabilities and contextualizing associated risks. Assist with designing remediations and mitigations for complex vulnerability scenarios.
  • Influence and Implement: Foster professional relationships with technology/business leaders and SMEs to present, influence, and gain traction on security initiatives. Implement controls consistent with the program’s direction.
  • Adapt and Innovate: Multitask and develop solutions in a changing environment impacted by new threats and competing priorities. Identify security measures and controls when new threats or security gaps are identified.
  • Define and Address: Assist in defining the team roadmap and addressing opportunities/weak points, acknowledging broader technology and business strategies and direction.
  • Present and Advocate: Present to executives, senior leaders and technical peers on complex security topics, risks, and issues, including external Cybersecurity forums/conferences.
  • Build Business Cases: Develop business cases to procure and implement new technologies to address emerging risks.
  • Set Security Standards: Lead security control definition and document requirements for technology and business initiatives. Influence peer groups and integrate security standards across business and technology initiatives.
  • Apply Frameworks: Apply cybersecurity framework-based controls to on-premise and cloud components, leveraging expert-level knowledge of leading frameworks (NIST, ISO27001, OWASP, CISA KEV, CIS Top 20 Controls).
  • Consult and Recommend: Function as an internal consultant with respect to technical specialties (application, data, security, infrastructure, cloud). Recommend changes to enhance security and reduce risk.
  • Stay Updated: Stay apprised of emerging threats applicable to HealthEquity’s business and technology stack, working closely with the Cyber Threat Intelligence team.
  • Manage External Risks: Monitor and manage risks associated with the external attack surface.
  • Penetration Testing: Assist in penetration testing activities through a Purple Team lens, focusing on validating vulnerabilities, controls, and remediation.
  • Mentor and Develop: Mentor junior team members to help upskill and foster knowledge sharing.

What you will need to be successful

  • Extensive Experience: Minimum of 8 years of consistent information security experience.
  • Hands-On Expertise: Experience with security tools such as Tenable, Tanium, Defender for EASM, Shodan, Azure, Splunk, Kali.
  • Technical Proficiency: Automation, scripting, and business intelligence experience (PowerShell, Python, PowerBI, Tableau, API configuration).
  • Strong Communication: Demonstrated experience presenting to senior leaders and technical peers on complex security topics.
  • Framework Knowledge: Expert-level knowledge of leading cybersecurity frameworks and best practices.
  • Certifications: CISSP, CISM, or similar security certification. OSCP, CCSP, or other advanced certifications highly preferred.
  • Educational Requirements: Bachelor’s degree in information systems, computer science, or a related field, or equivalent experience.

This is a remote position.

Salary Range

$133,000.00 to $170,000.00 / year

Benefits & Perks

The compensation range describes the typical minimum or maximum base pay range for this position. The actual compensation offer is determined based on job-related knowledge, education, skills, experience, and work location. This position will be eligible for performance-based incentives as part of the total compensation package, in addition to a full range of benefits including:

  • Medical, dental, and vision
  • HSA contribution and match
  • Dependent care FSA match
  • Uncapped paid time off
  • Adventure accounts
  • Paid parental leave
  • 401(k) match
  • Personal and healthcare financial literacy programs
  • Ongoing education & tuition assistance
  • Gym and fitness reimbursement
  • Wellness program incentives

Why work for HealthEquity

HealthEquity has a vision that by 2030 we will make HSAs as widespread and popular as retirement accounts. We are passionate about providing a solution that allows American families to connect health and wealth. Join us and discover a work experience where the person is valued more than the position.

Come be your authentic self

HealthEquity, Inc. is an equal opportunity employer that is committed to inclusion and diversity. We take affirmative action to ensure equal opportunity for all applicants without regard to race, age, color, religion, sex, sexual orientation, gender identity, national origin, status as a qualified individual with a disability, veteran status, or other legally protected characteristics. HealthEquity is a drug-free workplace. For more information about our EEO policy, or about HealthEquity’s applicant disability accommodation, drug-free-workplace, background check, and E-Verify policies, please visit our Careers page.

HealthEquity is committed to your privacy as an applicant for employment. For information on our privacy policies and practices, please visit HealthEquity Privacy.