Lead Security Engineer

Job Description

Why Charlie Health?

Millions of people across the country are navigating mental health conditions, substance use disorders, and eating disorders, but too often, they’re met with barriers to care. From limited local options and long wait times to treatment that lacks personalization, behavioral healthcare can leave people feeling unseen and unsupported.

Charlie Health exists to change that. Our mission is to connect the world to life-saving behavioral health treatment. We deliver personalized, virtual care rooted in connection—between clients and clinicians, care teams, loved ones, and the communities that support them. By focusing on people with complex needs, we’re expanding access to meaningful care and driving better outcomes from the comfort of home.

As a rapidly growing organization, we’re reaching more communities every day and building a team that’s redefining what behavioral health treatment can look like. If you’re ready to use your skills to drive lasting change and help more people access the care they deserve, we’d love to meet you.

About the Role

Charlie Health is seeking an experienced Lead Security Engineer to join our Information Security team. In this role, you will partner closely with engineering and product teams to embed secure development practices across the entire software development lifecycle (SDLC). You will be the subject matter expert on application security, guiding the business in building secure, scalable and HIPAA-compliant software solutions.

We’re a team of passionate, forward-thinking professionals eager to take on the challenge of the mental health crisis and play a formative role in providing life-saving solutions. If you’re inspired by our mission and energized by the opportunity to increase access to mental healthcare and impact millions of lives in a profound way, apply today.

Responsibilities

• Security Integration & Guidance

  • Collaborate with product and IT engineering teams to design secure applications and features.
  • Educate developers on secure coding practices and security testing.
  • Serve as a subject matter expert on internal application security and SDLC controls.

• Assessment & Threat Modeling

  • Conduct code reviews, threat models and risk assessments to identify and mitigate vulnerabilities early.
  • Perform internal penetration testing and support incident response for application-level issues.
  • Continuously monitor the threat landscape to proactively adjust defenses and strategies.

• Tooling & Automation

  • Develop and implement tools and frameworks to integrate security into CI/CD pipelines.
  • Work with teams to build and enforce secure SDLC controls in a fast-paced agile environment.
  • Own and enhance application vulnerability management and remediation processes.

• Collaboration & Policy

  • Lead implementation of security policies, standards and remediation processes.
  • Work cross-functionally to balance security risks with business objectives and product timelines.
  • Participate in security incident response, forensic investigations and security incident postmortems related to applications and systems.

Requirements

• 5+ years of experience in application security, secure software development, or related roles.
• Bachelor’s degree in Computer Science or related field, or equivalent experience.
• Proficiency in secure coding practices and languages such as TypeScript, Node, Python, Java, C++ or similar.
• Ability to contribute code changes to production applications as needed, including debugging, fixing security vulnerabilities, and collaborating with engineering teams on secure feature development.
• Hands-on experience with application security tools (e.g., Burp Suite, OWASP ZAP, Fiddler).
• Deep understanding of web application vulnerabilities: XSS, CSRF, SQLi, session management, etc.
• Experience implementing security in CI/CD pipelines such as GitHub Action and agile development workflows.
• Familiarity with management and deployment of SAST, DAST, and SCA tooling
• Knowledge of authentication technologies (i.e. Auth0, Okta, etc) and how to securely integrate them with applications
• Strong communication skills with ability to clearly articulate risk to technical and non-technical audiences.
• Please note: candidates located within a 75-minute commute of our NYC office are expected to work onsite 4 days/w

Nice to Have

• Experience with HIPAA and securing applications in healthcare environments.
• OSCP, OSWE or other relevant security certifications.
• Experience securing custom software collaboratively on a team.
• Familiarity with AWS cloud platform.
• Experience contributing to or managing bug bounty programs.
• Knowledge of security standards such as SOC2, ISO ²⁷⁰⁰¹⁄₂, NIST 800-53, HITRUST, or HIPAA Security Rule.
• Ability to write proof-of-concept exploits and perform advanced security analysis.

Benefits

Charlie Health is pleased to offer comprehensive benefits to all full-time, exempt employees. Read more about our benefits here.

The total target base compensation for this role will be between $180,000 and $240,000 per year at the commencement of employment. Please note, pay will be determined on an individualized basis and will be impacted by location, experience, expertise, internal pay equity, and other relevant business considerations. Further, cash compensation is only part of the total compensation package, which, depending on the position, may include stock options and other Charlie Health-sponsored benefits. #LI-Remote #LI-Hybrid

Our Values

• Connection: Care deeply & inspire hope.
• Congruence: Stay curious & heed the evidence.
• Commitment: Act with urgency & don’t give up.

Please do not call our public clinical admissions line in regard to this or any other job posting.

Please be cautious of potential recruitment fraud. If you are interested in exploring opportunities at Charlie Health, please go directly to our Careers Page: https://www.charliehealth.com/careers/current-openings. Charlie Health will never ask you to pay a fee or download software as part of the interview process with our company. In addition, Charlie Health will not ask for your personal banking information until you have signed an offer of employment and completed onboarding paperwork that is provided by our People Operations team. All communications with Charlie Health Talent and People Operations professionals will only be sent from @charliehealth.com email addresses. Legitimate emails will never originate from gmail.com, yahoo.com, or other commercial email services.

Recruiting agencies, please do not submit unsolicited referrals for this or any open role. We have a roster of agencies with whom we partner, and we will not pay any fee associated with unsolicited referrals.

At Charlie Health, we value being an Equal Opportunity Employer. We strive to cultivate an environment where individuals can be their authentic selves. Being an Equal Opportunity Employer means every member of our team feels as though they are supported and belong. We value diverse perspectives to help us provide essential mental health and substance use disorder treatments to all young people.

Charlie Health applicants are assessed solely on their qualifications for the role, without regard to disability or need for accommodation.

By clicking “Submit application” below, you agree to Charlie Health’s Privacy Policy and Terms of Service.

By submitting your application, you agree to receive SMS messages from Charlie Health regarding your application. Message and data rates may apply. Message frequency varies. You can reply STOP to opt out at any time. For help, reply HELP.