Security Engineer (GRC, Data Security)

Who We Are:

SmithRx is a rapidly growing, venture-backed Health-Tech company.  Our mission is to disrupt the expensive and inefficient Pharmacy Benefit Management (PBM) sector by building a next-generation drug acquisition platform driven by cutting edge technology, innovative cost saving tools, and best-in-class customer service.  With hundreds of thousands of members onboarded since 2016, SmithRx has a solution that is resonating with clients all across the country.

We pride ourselves for our mission-driven and collaborative culture that inspires our employees to do their best work. We believe that the U.S healthcare system is in need of transformation, and we come to work each day dedicated to making that change a reality. At our core, we are guided by our company values:

• Integrity: Always operate with honesty and transparency so we earn the trust of our clients.
• Courage: Demonstrate the courage needed to take on a broken industry and continuously improve what we offer to optimize health outcomes.
• Together: Foster a collaborative and inclusive environment that values teamwork, respect, and open communication, and encourages creativity and diversity of thought.

Job Summary:

We are seeking a Security Engineer with a strong focus on Governance, Risk, and Compliance (GRC) as well as Automation & Data Security. This role will be responsible for managing and implementing security policies, risk assessments, data protection strategies, and regulatory compliance initiatives across the organization. The ideal candidate will possess a solid understanding of industry security frameworks, data security practices, and emerging threats. They will work closely with cross-functional teams to ensure that the organization adheres to security best practices while maintaining the confidentiality, integrity, and availability of data.

In this role, you will be responsible for: 

GRC Management

• Develop, implement, and maintain security policies, standards, and procedures to ensure compliance with industry standards (e.g., ISO 27001, NIST, GDPR, HIPAA, PCI-DSS).
• Conduct regular security risk assessments and audits to identify gaps in compliance and recommend corrective actions.
• Monitor and report on the effectiveness of the organization’s security posture and risk mitigation efforts.
• Stay up-to-date with regulatory changes and work with relevant departments to ensure compliance with data protection laws and frameworks.

Data Security:

• Implement and manage data security solutions, including encryption, data masking, and secure data transmission protocols.
• Collaborate with IT teams to safeguard sensitive data, such as personally identifiable information (PII) and intellectual property.
• Monitor and respond to data breaches, data loss events, and other security incidents, ensuring rapid containment and investigation.
• Conduct regular vulnerability assessments and data privacy impact assessments to ensure the integrity of organizational data.

Security Awareness and Training:

• Design and deliver security awareness training programs to educate employees on security best practices and compliance requirements.
• Provide guidance on data security measures to teams handling sensitive information across the organization.

Vendor and Third-Party Risk Management:

• Assess the security posture of third-party vendors and partners to ensure they comply with the organization’s security requirements.
• Collaborate with legal and procurement teams to integrate security requirements into third-party agreements.

Incident Response and Risk Mitigation:

• Contribute to the development and execution of incident response plans, focusing on GRC and data security components.
• Collaborate with incident response teams to ensure proper escalation, investigation, and mitigation of security events.

Continuous Improvement:

• Continuously evaluate and improve security controls, GRC processes, and data security practices.
• Research and stay current with emerging threats, technologies, and industry trends to proactively address potential risks.

What you will bring to SmithRx:

• Bachelor's degree in Information Security, Computer Science, Information Technology, or a related field (or equivalent experience).
• 3+ years of experience in Information Security, focusing on GRC and/or Data Security.
• Strong experience with security frameworks (ISO 27001, NIST, COBIT) and regulatory compliance (GDPR, HIPAA, PCI-DSS).
• Hands-on experience with data protection strategies, encryption technologies, and risk management tools.
• Strong analytical and problem-solving skills with the ability to assess complex security risks.
• Familiarity with security tools and technologies (Vanta, Zscaler, Snowflake, Encryption tools, DSPM).
• Excellent verbal and written communication skills to engage with both technical and non-technical teams.
• Ability to manage multiple projects, prioritize tasks, and work effectively in a fast-paced environment.
• Knowledge of cloud security principles and data governance in cloud environments is a plus.
• Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or similar GRC and data security certifications preferred.

What SmithRx Offers You: 

• Highly competitive wellness benefits including Medical, Pharmacy, Dental, Vision, and Life Insurance and AD&D Insurance
• Flexible Spending Benefits 
• 401(k) Retirement Savings Program 
• Short-term and long-term disability
• Discretionary Paid Time Off 
• 12 Paid Holidays
• Wellness Benefits
• Commuter Benefits 
• Paid Parental Leave benefits
• Employee Assistance Program (EAP)
• Well-stocked kitchen in office locations
• Professional development and training opportunities