Cybersecurity Engineer

DFO · Manila Philippines · Engineering

Posted 2026-06-10

Apply for this role →

About the Role

We're hiring our first dedicated Cybersecurity Engineer to own the full security posture of a growing multi-vertical telehealth platform and EHR system handling Protected Health Information (PHI). This is a senior, hands-on build-and-maintain role — not a compliance checkbox or one-time audit. You'll embed security across our engineering culture, CI/CD pipeline, and GCP (Google Cloud Platform)-native cloud infrastructure, and keep us defensible as we scale across multiple healthcare verticals.

You'll serve as Sphere's first security hire, building the foundation ahead of a CISO (Chief Information Security Officer) joining in 2027. Everything you build should be documented, scalable, and transferable. You'll report directly to engineering leadership and partner closely with product and backend engineers daily.

Schedule: 9 AM to 6 PM EST

What You'll Own

Application & Cloud Security — Continuously assess and harden web apps, APIs, and GCP-native infrastructure; implement security controls across all environments and healthcare verticals

DevSecOps & Secure SDLC — Integrate security gates into the CI/CD pipeline: SAST/DAST, dependency scanning, secrets detection, container image scanning, and secure coding standards

HIPAA/HITECH Compliance — Maintain and improve our compliance posture including technical safeguards, access controls, audit logging, encryption standards, and BAA oversight; lay groundwork for HITRUST CSF certification

Vulnerability & Threat Management — Run ongoing vulnerability assessments, manage a risk register, triage findings, and drive remediation with engineering

Incident Response — Own the IR plan; lead detection, containment, and post-mortem for security incidents

Security Foundation Building — Document all security policies, controls, and architecture decisions to enable a smooth handoff to an incoming CISO in 2027

Security Culture — Be the go-to security resource for engineering and product — make PHI protection a default, not an afterthought

You're a Strong Fit If You Have

5+ years of experience in application security, cloud security, or security engineering

Hands-on experience with DevSecOps tooling (e.g., Snyk, Trivy, Semgrep, GitHub Advanced Security, HashiCorp Vault, OWASP ZAP)

Strong GCP security fundamentals — GCP Security Command Center, Cloud Armor, Chronicle SIEM, VPC Service Controls, IAM, and Cloud Logging

Direct experience with HIPAA, HITECH, or comparable regulated environments (SOC 2, PCI-DSS, ISO 27001 a plus)

Proficiency in at least one scripting/automation language (Python, Bash, or similar)

Solid understanding of web application security (OWASP Top 10, API security, auth/authz patterns)

Ability to work independently and cross-functionally — you'll be the sole security voice for 12–18 months

Excellent written communication — able to document policies, explain risk to non-technical stakeholders, and write clear incident reports

Comfortable working with meaningful overlap with US Eastern or Pacific hours

Nice to Have

Security certifications: CISSP, CISM, CEH, Security+, GCP Professional Cloud Security Engineer, or equivalent

Familiarity with HITRUST CSF framework

Experience in healthcare tech, telehealth, or multi-vertical health platforms

Familiarity with FHIR/HL7 data standards and EHR security considerations

Experience conducting or managing third-party penetration tests

Exposure to Zero Trust architecture or SASE frameworks

Apply for this role →

← Back to all crypto jobs