Senior Security Engineer I, GRC

Hi, we're Oscar. We're hiring a Senior Security Engineer 1, GRC to join our Security Team.

Oscar is the first health insurance company built around a full stack technology platform and a relentless focus on serving our members. We started Oscar in 2012 to create the kind of health insurance company we would want for ourselves-one that behaves like a doctor in the family.

About the role:

The Principal GRC Engineer designs and operates the systems that enable continuous security assurance, deep risk visibility, and scalable regulatory compliance. Rather than managing documentation or preparing for audits, this role engineers the infrastructure that allows the organization to demonstrate security and compliance continuously through automation, telemetry, and self-evidencing controls.

Operating at the intersection of security engineering, platform engineering, risk management, and regulatory assurance, you will embed governance and control validation directly into how systems are built and operated. By connecting controls, operational telemetry, engineering workflows, and risk signals, you will surface patterns and relationships that traditional GRC programs cannot see, creating a feedback loop where security intelligence continuously informs engineering guardrails and platform architecture.

You will report into the Sr. Manager GRC.

Work Location: This position is based in our New York City office, requiring a hybrid work schedule with 3 days of in-office work per week. Thursdays are a required in-office day for team meetings and events, while your other two office days are flexible to suit your schedule.


Pay Transparency: The base pay for this role is: $163,944 per year - $215,176 per year. You are also eligible for employee benefits, participation in Oscar's unlimited vacation program, company equity grants and annual performance bonuses.

Responsibilities:

• Design systems that continuously measure and validate security controls through operational telemetry, automated evidence generation, and control health monitoring.
• Build automation and orchestration across security tools, cloud platforms, and engineering systems to eliminate manual compliance processes and reduce audit overhead.
• Translate governance expectations into machine-enforceable guardrails embedded within infrastructure platforms, CI/CD pipelines, and engineering workflows.
• Apply automation, orchestration, and AI-assisted capabilities to scale governance workflows, enabling intelligent analysis and adaptive control systems.
• Architect control and telemetry pipelines where operational systems produce the evidence required for regulatory assurance and audit readiness.
• Compliance with all applicable laws and regulations
• Other duties as assigned

Requirements:

• 4+ years experience in Technology related field.
• 4+ years experience in Security Engineering.

Bonus points:

• Familiarity with industry standards and compliance frameworks (such as SOC, SOX., NIST, HIPAA) and experience in ensuring organizational adherence to these standards.
• Certifications such as CISSP, CISM, CISA, CEH, or vendor-specific certifications.
• Proficiency in managing security projects, including planning, execution, and successful delivery within timelines and budgets.
• 4+ years of experience in Security Engineering, DevSecOps, or Site Reliability Engineering (SRE), with at least 3 years specifically focused on GRC automation or internal security tooling.

This is an authentic Oscar Health job opportunity. Learn more about how you can safeguard yourself from recruitment fraud here.


At Oscar, being an Equal Opportunity Employer means more than upholding discrimination-free hiring practices. It means that we cultivate an environment where people can be their most authentic selves and find both belonging and support. We're on a mission to change health care -- an experience made whole by our unique backgrounds and perspectives.

Pay Transparency: Final offer amounts, within the base pay set forth above, are determined by factors including your relevant skills, education, and experience. Full-time employees are eligible for benefits including: medical, dental, and vision benefits, 11 paid holidays, paid sick time, paid parental leave, 401(k) plan participation, life and disability insurance, and paid wellness time and reimbursements.

Artificial Intelligence (AI): Our AI Guidelines outline the acceptable use of artificial intelligence for candidates and detail how we use AI to support our recruiting efforts.

Reasonable Accommodation: Oscar applicants are considered solely based on their qualifications, without regard to applicant's disability or need for accommodation. Any Oscar applicant who requires reasonable accommodations during the application process should contact the Oscar Benefits Team (View email address on click.appcast.io) to make the need for an accommodation known.

California Residents: For information about our collection, use, and disclosure of applicants' personal information as well as applicants' rights over their personal information, please see our Privacy Policy.