Staff Endpoint Security Engineer

The Staff Endpoint Security Engineer is a critical, hands-on technical role responsible for designing, implementing, and maintaining robust security controls and detection mechanisms across all company and Bring-Your-Own-Device (BYOD) endpoints, including laptops, desktops, mobile phones, and other devices used by staff and contractors. This role is pivotal in protecting Included Health's sensitive data, particularly Protected Health Information (PHI), by preventing unauthorized exfiltration from endpoints and ensuring the security of devices accessing company resources. You will be instrumental in architecting and deploying advanced endpoint defenses, managing security tools, and contributing to threat response to reduce the number and criticality of HIPAA-related incidents. We are looking for deep technical expertise in endpoint security across diverse operating systems (Windows, macOS, ChromeOS, iOS, Android), strong automation skills for building and maintaining defenses, and a proactive approach to identifying and remediating vulnerabilities. This is a remote role reporting to the Chief Information Security Officer. 

Responsibilities:

• Develop, implement, and maintain a comprehensive endpoint security strategy, architecture, and roadmap covering all corporate and BYOD endpoints, with a focus on proactive defense and detection engineering.
• Design and enforce security configurations, hardening standards, and baselines for diverse operating systems (Windows, macOS, ChromeOS, iOS, Android, and potentially others) to minimize attack surfaces.
• Lead the selection, deployment, administration, and optimization of endpoint security solutions, including Endpoint Detection and Response (EDR/XDR) for threat detection, Mobile Device Management (MDM/UEM) for policy enforcement, Data Loss Prevention (DLP) for data protection, anti-malware, and endpoint encryption.
• Develop and implement robust DLP policies and controls to prevent PHI and other sensitive data from leaving authorized systems via endpoints.
• Manage endpoint encryption technologies (e.g., BitLocker, FileVault, mobile encryption) to ensure data at rest is protected.
• Proactively look for threats on endpoints to identify gaps in defenses and inform the development of new detection capabilities.
• Support and provide expertise during incident response activities for endpoint-related security events, with a focus on root cause analysis to enhance preventative and detective controls.
• Conduct vulnerability assessments, manage endpoint patching and remediation efforts to address identified weaknesses in a timely manner, strengthening overall endpoint resilience.
• Develop, document, and enforce endpoint security policies, standards, and procedures, particularly for BYOD environments, ensuring compliance with HIPAA and other relevant regulations.
• Automate endpoint security tasks, compliance checks, defensive measure deployments, and reporting using scripting languages (e.g., Python, PowerShell, Bash) and security orchestration tools.
• Collaborate closely with IT operations, network security, application development, and legal/compliance teams to ensure a cohesive security posture and integrate endpoint defenses.
• Provide expert consultation and support to end-users and IT staff on endpoint security matters and best practices.
• Stay current with the latest endpoint threats, vulnerabilities, and security technologies to continuously improve our defenses.

Qualifications:

• Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field.
• 5+ years of experience in endpoint security, with a strong emphasis on designing, building, implementing, and managing security controls, detection mechanisms, and defensive capabilities across a diverse range of endpoint operating systems (Windows, macOS, iOS, Android).
• Proven hands-on experience with leading Endpoint Detection and Response (EDR/XDR) solutions (e.g., CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black) for threat detection engineering and security policy enforcement.
• Demonstrable experience with Mobile Device Management (MDM) / Unified Endpoint Management (UEM) platforms (e.g., Microsoft Intune, Jamf Pro, VMware Workspace ONE, Kandji, MobileIron) for enforcing security configurations and policies.
• Strong knowledge of endpoint hardening techniques, security configuration management, and policy enforcement across multiple OS platforms, with a focus on building resilient systems.
• Experience designing and implementing endpoint Data Loss Prevention (DLP) strategies and tools.
• Proficiency in scripting languages (e.g., Python, PowerShell, Bash) for automating endpoint security tasks, tool integrations, and deployment of defensive measures.
• Experience with endpoint attack vectors, malware, persistence mechanisms, and designing effective mitigation and detection techniques.
• Experience with endpoint vulnerability management, patch management processes, and tools, focused on proactive remediation.
• Experience with network security principles (TCP/IP, DNS, DHCP, VPNs, firewalls) as they relate to designing and implementing endpoint security controls.
• Experience working in regulated environments and a strong understanding of HIPAA compliance requirements as they apply to endpoint protection and data handling.

Pay:
The United States new hire base salary target ranges for this full-time position are:
Zone A: $174,320 - $246,230 + equity + benefitsZone B: $191,752 - $270,853 + equity + benefitsZone C: $209,184 - $295,476 + equity + benefitsZone D: $226,616 - $320,099 + equity + benefits
This range reflects the minimum and maximum target for new hire salaries for candidates based on their respective Zone. Below is additional information on Included Health's commitment to maintaining transparent and equitable compensation practices across our distinct geographic zones.
Starting base salary for you will depend on several job-related factors, unique to each candidate, which may include education; training; skills; years and depth of experience; certifications and licensure; our needs; internal peer equity; organizational considerations; and understanding of geographic and market data. Compensation structures and ranges are tailored to each zone's unique market conditions to ensure that all employees receive fair and great compensation package based on their roles and locations. Your Recruiter can share your geographic zone upon inquiry.
Benefits & Perks:
In addition to receiving a great compensation package, the compensation package may include, depending on the role, the following and more:Remote-first culture401(k) savings plan through FidelityComprehensive medical, vision, and dental coverage through multiple medical plan options (including disability insurance)Paid Time Off ("PTO") and Discretionary Time Off (“DTO")12 weeks of 100% Paid Parental leaveFamily Building & Compassionate Leave: Fertility coverage, $25,000 for surrogacy/adoption, and paid leave for failed treatments, adoption or pregnancies.Work-From-Home reimbursement to support team collaboration home office work
Your recruiter will share more about the salary range and benefits package for your role during the hiring process.
About Included Health
Included Health is a new kind of healthcare company, delivering integrated virtual care and navigation. We’re on a mission to raise the standard of healthcare for everyone. We break down barriers to provide high-quality care for every person in every community — no matter where they are in their health journey or what type of care they need, from acute to chronic, behavioral to physical. We offer our members care guidance, advocacy, and access to personalized virtual and in-person care for everyday and urgent care, primary care, behavioral health, and specialty care. It’s all included. Learn more at includedhealth.com.
-----Included Health is an Equal Opportunity Employer and considers applicants for employment without regard to race, color, religion, sex, orientation, national origin, age, disability, genetics or any other basis forbidden under federal, state, or local law. Included Health considers all qualified applicants with arrest or conviction records in accordance with the San Francisco Fair Chance Ordinance, the Los Angeles County Fair Chance Ordinance, and California law.