Information Security Specialist
About Customer.io
Over 8,000 companies — from scrappy startups to global brands — use our platform to send billions of emails, push notifications, in-app messages, and SMS every day. Customer.io powers automated communication that people actually want to receive. We help teams send smarter, more relevant messages using real-time behavioral data.
About the role
Hi, I'm Bill, VP of Operations at Customer.io. I'm looking for an Information Security Specialist to join our team.
As our first dedicated InfoSec hire, you'll be the go-to person for securing our organizational systems, data, and operations across a globally distributed, remote-first company. Reporting to the VP of Operations, you'll work closely with IT, Compliance, and Platform Security to protect customer data, maintain our compliance posture, and help the company adopt AI tools thoughtfully and securely. This is an experienced individual contributor role — you'll be hands-on with tooling and policy, not managing a team.
We're a company that embraces AI — we use it in our product and want our team to use it to do their best work. We need someone who sees AI as an opportunity to enable, not just a risk to lock down. You'll help us build practical guardrails that let people move fast with AI while protecting customer data and staying compliant. If your instinct is to ban first and ask questions later, this isn't the right fit. If you get excited about figuring out how to say "yes, and here's how we do it safely" — keep reading.
What we value
- Pragmatic security — You focus on real risk reduction, not perfection, and avoid slowing the business down unnecessarily.
- Enablement over restriction — You default to “yes, if…” and help teams adopt tools like AI safely and confidently.
- Ownership and autonomy — You take responsibility for your domain and can operate independently in a fast-moving environment.
- Clarity and usability — You create policies and guidance that are simple, practical, and actually followed.
- Cross-functional partnership — You build trust and work effectively across IT, Engineering, Legal, and GTM teams.
- Curiosity and adaptability — You stay current on evolving threats, especially in AI and SaaS environments.
- Calm under pressure — You bring structure and clear thinking during incidents and audits.
- High standards, right-sized — You balance quality with speed and scale appropriately for a growing company.
What you’ll do
- AI Governance & Enablement — Develop and maintain a practical framework for evaluating, approving, and securely deploying AI tools across the organization. Assess data exposure risks, establish acceptable use guidelines, and help teams adopt AI confidently — not fearfully.
- Vulnerability Management — Own our vulnerability management program — scanning, triaging, coordinating remediation, and tracking resolution across infrastructure, applications, and endpoints.
- Compliance — Support and improve our compliance posture (SOC 2, ISO 27001), including evidence collection, control monitoring, and audit support. Ensure AI usage aligns with our regulatory and contractual obligations.
- Incident Response — Lead security incident response — investigate alerts, coordinate containment, document root causes, and drive improvements.
- Security Tooling — Manage and tune security tooling (EDR, SIEM/logging, DLP, email security, identity and access management controls).
- Vendor & Third-Party Risk — Conduct security reviews of third-party vendors, SaaS integrations, and AI services — evaluating data handling, model training policies, and privacy commitments.
- Policy & Standards — Develop and maintain security policies, standards, and runbooks that are practical and right-sized for our environment — including clear, usable AI usage policies that people actually follow.
- Application Security Partnership — Partner with Platform Security and Engineering on application security topics — advising on secure architecture, reviewing configurations, and supporting penetration testing efforts.
- Security Awareness — Drive security awareness initiatives — phishing simulations, training programs, AI literacy education, and ongoing guidance for the team.
- Threat Intelligence — Monitor and assess emerging threats (including AI-driven attack vectors), and translate them into actionable recommendations for leadership.
What we're looking for
- 4+ years of experience in information security, cybersecurity, or a related technical discipline.
- A pragmatic, enabling mindset toward AI — you understand the risks but you're not reflexively restrictive. You've thought critically about how organizations can use AI tools like LLMs, coding assistants, and automation responsibly.
- Hands-on experience with compliance frameworks (SOC 2, ISO 27001) — you've been through audits and know how to keep controls healthy.
- Strong knowledge of cloud security fundamentals (AWS, GCP, or similar), endpoint protection, and identity/access management.
- Experience with security tooling — EDR, SIEM, vulnerability scanners, DLP, and email security platforms.
- Solid understanding of incident response processes and the ability to stay calm under pressure.
- Familiarity with SaaS environments, remote-first operations, and the security challenges that come with them.
- Strong written communication skills — you can write a clear policy, a concise incident report, and a Slack message that people actually read.
- Self-starter mentality — you're comfortable working autonomously and prioritizing across competing demands.
- Experience evaluating AI/ML tools for data privacy and security risks is a strong plus.
- Experience in vendor risk assessment and third-party security reviews.
- Security certifications (CISSP, CISM, CompTIA Security+, or similar) are a plus but not required.
Compensation & Benefits
We believe in transparency. Starting salary for this role is $151,000 to $170,000 (or equivalent in local currency) depending on experience and subject to market rate adjustment.
We know our people are what make us great, and we’re committed to taking great care of them. Our inclusive benefits package supports your well-being and growth, including 100% coverage of medical, dental, vision, mental health, and supplemental insurance premiums for you and your family. We also offer 16 weeks paid parental leave, unlimited PTO, stipends for remote work and wellness, a professional development budget, and more.
Our Process
No gotchas, no trick questions - just a clear, human process designed to help both of us make an informed decision.
- 30-minute call with Recruiter
- 45-minute video call with Hiring Manager
- 3 x 30-minute video calls with Cross-Functional Partners (IT, Compliance, Platform Security)
- 45-minute Case & Case Review Call with Team
All final candidates will be asked to complete a background check and employment verifications as part of our pre-employment process.
Customer.io recognizes the stifling impact of systemic injustice on diverse communities. We commit to using our influence to increase inclusion and equity within the tech industry. We strive to build an inclusive team culture, implement bias-free hiring practices, and develop community partnerships to expand our global impact.
Zoom is the only video conference platform that we use; virtual interviews will be conducted using the video capability (i.e., not via the chat), and offers will be extended in writing on official Customer.io letterhead. Please be vigilant in all of your job search activity, and if you have any questions please contact jobs@customer.io.
Join us!
Check out our careers page for more information about why you should come work with us! We believe in empathy, transparency, responsibility, and, yes, a little awkwardness. If you’re excited by what you read — apply now.