Usergems
Senior Security Engineer
1mo ago
WorldwideSeniorRemotesoc 2iso
Senior Security Engineer role focusing on operating security and compliance programs with hands-on SOC 2 / ISO ownership at UserGems, an AI platform for sales and marketing.
Responsibilities
- You will be UserGems' single dedicated security person , taking over the operational majority of the security work the Sr. Director currently owns. This is a compliance-led role with hands-on operational components - heavy on SOC 2 / ISO ownership, customer security reviews, day-to-day program operations, and Drata-driven remediation in AWS. Compliance is the primary focus and over time you'll own the full technical scope described below as well. The Sr. Director approves direction; you propose, shape, and execute the program. Cadence is a bi-weekly 1:1 with the Sr. Director plus a weekly work discussion, same as every UserGems employee.
- UserGems' security program is in great shape - no fires to put out. SOC 2 Type II is in place for years already, all compliance monitoring is centralized in Drata , scanner findings auto-flow into Linear and are auto-triaged by an in-house automation, and CrowdStrike Complete (managed MDR) handles runtime protection. There's no on-call rotation at UserGems - incident response is a whole-team effort, and the Sr. Director continues to cover during your time off.
- The Sr. Director currently runs the whole program in roughly 25% of one person's time, so a dedicated owner has real headroom. Expect your time to split roughly 2–3 days per week on baseline operations and the remainder on new initiatives . The biggest near-term programs are ISO 27001 and likely ISO 42001 (AI management) - both held back today because no one has the dedicated capacity to drive them. That's the gap you fill.
- Own SOC 2 - keep Drata green and audits clean.
- Lead ISO 27001 implementation , then ISO 42001.
- Run the customer security questionnaire process (SafeBase + Trust Center) - fast turnaround directly unblocks revenue.
- Drata-driven AWS remediation. Action simple Drata findings directly in AWS yourself - IAM tweaks, S3 settings, secrets hygiene, audit-trail follow-ups. Larger or higher-risk changes go to engineering.
- Vulnerability management. Oversee and extend the existing scanner-findings automation in Linear; hit SLAs.
- Light secure code review. Spot-check high-risk features and new repositories (especially AI/LLM systems) before they go to production; escalate deeper AppSec questions to engineering and external pen testers.
- Threat detection & response. Tune GuardDuty findings, evaluate central logging / SIEM options, run tabletop exercises, mature the IRP from written to rehearsed.
- Offensive security. Run the annual external pen test, perform regular internal pen tests yourself, handle external researcher reports and bug bounty payouts.
- Onboarding & offboarding. Own access provisioning and revocation.
- Be the security person at UserGems. Internally and externally, you are the face of security - questions, escalations, customer security reviews, and audit conversations come to you.
Nice to have
- Solid grasp of attacker techniques and modern application security (web/API, cloud, supply chain).
- Hands-on secure code review experience, including AI/LLM systems.
- Comfort tuning detection (GuardDuty / SIEM) and running incident response.
- ISO 27001 Lead Implementer or Lead Auditor experience.
- ISO 42001 / AI governance familiarity.
- Hands-on Kubernetes / container security.
- Light coding ability (Java preferred) - our security automation lives in code, and you'll extend it.
- Experience with auditing LLM security
Other
- UserGems is the AI command center for go-to-market teams (think of it as an AI brain for sales and marketing). Powered by best-in-class contact data, its AI agents (Gem-E) automatically surface high-intent buyers, prioritize them, deploy personalized outbound, create ad audiences and ABM to drive more pipeline.
- We’re backed by top Silicon Valley VCs (Craft Ventures, Uncork Capital, Battery Ventures, Tiger Global, and more) and have hundreds of happy customers from startups to public enterprises.
- Operate UserGems' security and compliance program day-to-day, partnered with the Sr. Director on direction and strategy.
- UserGems is an AI platform helping sales and marketing teams double pipeline impact. Our AI agent Gem-E turns signals from CRMs, buying intent, and public data into precise outreach - generating $4B in pipeline and $950M in revenue for customers like CrowdStrike, UserTesting, and SAP LeanIX (15X+ ROI).
- UserGems is a ~70-person company with around 25 engineers across Europe and 45 team members in sales and marketing based in the U.S. Several of our customers are top-tier security companies themselves (e.g. CrowdStrike), so our own security posture directly influences how fast revenue can move.
- Lean strongly into compliance/GRC operations - with enough hands-on AWS comfort to action Drata-flagged remediations independently.
- Want to own operations end-to-end and influence direction - you propose, the Sr. Director approves, you ship.
- Like a startup environment where priorities are clear, ownership is real, and you ship and move on.
- UserGems is an AI company, and AI risk shows up in nearly every customer security review. A meaningful portion of this role is shaping how a modern, AI-native company secures both its product and its own internal AI usage - not just answering questionnaires about it.
- We're already EU AI Act compliant - so you're extending a working baseline, not starting from zero.
- You'll own:
- ISO 42001 readiness from scratch.
- Model & data governance for Gem-E and our self-hosted LLMs on Azure: data residency posture, prompt-injection threat modeling, access controls on training/inference data.
- Internal AI tooling built by non-engineering teams. Sales, marketing, and ops are building their own AI-powered internal tools. You'll shape how this scales safely - guardrails, access boundaries, monitoring, and review.
- AI in our own security stack - extending our in-house Linear/scanner automations, AI-assisted questionnaire workflows, and security review of AI-generated code.
- Customer-facing AI security narrative - shaping the answers, Trust Center statements, and policies that prospects' security teams will scrutinize.
- Cloud: AWS (primary), some Azure (self-hosted LLMs)
- Compliance / GRC: Drata, SafeBase (Trust Center), Linear
- Detection / Endpoint: AWS GuardDuty, CrowdStrike Complete (managed MDR)
- Scanners feeding Linear: GitHub, AWS Inspector, ZAP
- Infra (owned by engineering): Terraform, Kubernetes, Docker, GitHub
- You have personally owned a SOC 2 or ISO audit end-to-end - as the operational owner accountable to the auditor, not "on the team" - and delivered a zero-exception report . If you can't honestly say "yes" to this, please don't apply.
- Working AWS knowledge - you can navigate the AWS console, action Drata-flagged remediations yourself (IAM, S3, KMS, audit trails), and read CloudTrail when investigating an alert. You do not need to be a cloud-infrastructure engineer.
- Can understand Terraform with AI help - fluency isn't required. What matters is that you can drive AI to explain a diff, follow it critically, and catch when AI is wrong about IaC. Engineering owns infrastructure authorship.
- High ownership and accountability - you ship audits, questionnaires, and policy work without a project manager keeping you on track.
- Excellent written English - questionnaires, Trust Center, and policies are customer-facing.
- Comfortable with async collaboration across Europe and the U.S. Most US work is async, but some late-afternoon CET availability helps - around once a week, same-day US input turns a multi-day back-and-forth into a 10-minute conversation.
- We're a lean team where everyone owns their work end-to-end. We trust people to manage their own time, and we expect real output plus the basic async hygiene that makes it work: flag blockers early, surface progress, don't go dark.
- This is a high-commitment role, not a standard 9-to-5. If you're looking to coast, this isn't the right fit.
- Target annual compensation range for the role is €80k €100k .Final seniority leveling and compensation package will be determined based on commensurate experience, qualifications, and demonstrated ability to perform in the senior level role.
-
- You’ll be part of a fast-growing startup as it scales from 60 employees to 100+
- Customers love us! (see our Customers page and G2 Reviews ). They see ROI in Closed Won revenue generated
- Employees love us! (see our Glassdoor & RepVue page)
- We're a remote-first company with employees across the Americas and Europe
- We have weekly standups, virtual happy hours, and in-person off-sites around the world so that everyone stays connected
- We are customer-focused and data-driven in everything we do
- We value individual differences in the workforce and strive to make everyone feel welcomed and accepted, regardless of their skin color, gender, or sexual orientation
- We offer a competitive salary and benefits