Cloud Security Engineer

Virta Health is on a mission to reverse metabolic disease in one billion people. Current treatment approaches aren’t working—over half of US adults have either type 2 diabetes or prediabetes, and obesity rates are at an all‑time high. Virta is changing this by helping people reverse their metabolic condition through innovations in technology, personalized nutrition, and virtual care delivery reinvented from the ground up. We have raised over $350 million from top‑tier investors, and partner with the largest health plans, employers, and government organizations to help their employees and members restore their health and take back their lives. Join us on our mission to reverse metabolic disease in one billion people. You’ll be the dedicated Cloud Security Engineer in a growing Foundations team. As we rapidly scale our impact, we’re seeking a passionate and experienced security leader to build and mature our application security program. You’ll have the autonomy to define strategy, implement best practices, and embed security principles across the org. If you thrive on building secure systems, automation, fostering a security‑conscious culture, and making a tangible difference in protecting sensitive health information, this role is for you. Responsibilities As a Cloud Security Engineer, you will be the driving force behind securing Virta’s applications and platform, directly contributing to the trust our members and partners place in us. You’ll collaborate across teams to ensure security is a seamless part of our development lifecycle. Own and Enhance Security Design: Assess our current security controls within GCP and Kubernetes, identify areas for improvement, and drive the maturation of our security posture from good to great. Champion Secure Development: Partner closely with Engineering, Product, and Platform teams to integrate security best practices early and often ("shift-left") into the software development lifecycle. Build and Automate: Design, implement, and manage security tooling and automation to streamline vulnerability detection, remediation, and compliance verification. Replace manual processes with efficient, automated solutions. Refine Access Control: Evolve our identity and access management (IAM) strategy, ensuring least‑privilege access and robust auditing capabilities across our systems. Strengthen Network Security: Continuously improve our network security architecture, policies, and controls within our cloud environment. Develop Clear Standards: Establish, document, and communicate practical security policies, standards, and guidelines for engineering teams. Lead Security Initiatives: Drive vulnerability management efforts and enhance our incident response preparedness, ensuring we are ready to handle potential threats effectively. Cultivate Security Awareness: Act as a security evangelist, promoting security awareness and best practices throughout the engineering organization. 90 Day Plan Joining a new company and stepping into a foundational role takes time. Here’s what you can expect as you get started and begin making your mark: Immerse Yourself: Your initial focus will be on understanding Virta’s culture, our mission, our engineering workflows, and the nuances of our cloud platform (GCP/Kubernetes). You’ll connect with key engineers and stakeholders across different teams. Learn the Landscape: You’ll dive into our existing systems, CI/CD pipelines, and current security tooling and configurations to get a clear picture of where we stand today. Assess & Identify Opportunities: Leveraging your expertise, you’ll begin evaluating our current security posture, including critical areas like our IAM implementation (RBAC), data security practices, network controls, and existing security policies. You’ll identify the highest‑impact areas for initial improvement. Prioritize & Plan: Collaborating with engineering leadership and relevant teams, you’ll help shape the initial priorities for application security, translating your assessments into a tangible action plan or roadmap. Start Building: You won’t just be planning! You’ll quickly transition to hands‑on work, likely starting with foundational projects such as refining IAM roles, enhancing specific security configurations, or beginning to develop key security automation or documentation. Must-Haves Understanding and practical experience in securing cloud‑native applications and infrastructure, particularly in Kubernetes environments. GCP experience is strongly preferred. Strong grasp of networking concepts, identity management (IAM), encryption, and common web application vulnerabilities (e.g., OWASP Top 10). Excellent communication skills with the ability to clearly articulate complex security concepts to diverse audiences and influence technical direction across teams. Significant hands‑on experience in application security, including threat modeling, secure coding practices, vulnerability management, and security testing (SAST, DAST, IAST). Proficiency in Infrastructure as Code (IaC) tools, specifically Terraform. Development experience with Go and Python. Values-driven culture Virta’s company values drive our culture, so you’ll do well if: people first and take care of yourself, your peers, and our patients equally ownership and take initiative while empowering others to do the same positive impact over busy work no ego and understand that everyone has something to bring to the table regardless of experience transparency and promote trust and empowerment through open access of information evidence-based and prioritize data and science over seniority or dogma take risks and rapidly iterate Virta has a location based compensation structure. Starting pay will be based on a number of factors and commensurate with qualifications & experience. For this role, the compensation range is $145,491 - $187,900. Information about Virta’s benefits is on our Careers page at: As part of your duties at Virta, you may come in contact with sensitive patient information that is governed by HIPAA. Throughout your career at Virta, you will be expected to follow Virta’s security and privacy procedures to ensure our patients’ information remains strictly confidential. Security and privacy training will be provided. As a remote‑first company, our team is spread across various locations with office hubs in Denver and San Francisco. Clinical roles: We currently do not hire in the following states: AK, HI, RI. Corporate roles: We currently do not hire in the following states: AK, AR, DE, HI, ME, MS, NM, OK, SD, VT, WI. #J-18808-Ljbffr