Senior Security Engineer I, GRC

About the role

The Principal GRC Engineer designs and operates the systems that enable continuous security assurance, deep risk visibility, and scalable regulatory compliance. Rather than managing documentation or preparing for audits, this role engineers the infrastructure that allows the organization to demonstrate security and compliance continuously through automation, telemetry, and self-evidencing controls. Operating at the intersection of security engineering, platform engineering, risk management, and regulatory assurance, you will embed governance and control validation directly into how systems are built and operated. By connecting controls, operational telemetry, engineering workflows, and risk signals, you will surface patterns and relationships that traditional GRC programs cannot see, creating a feedback loop where security intelligence continuously informs engineering guardrails and platform architecture. You will report into the Sr. Manager GRC. Work Location: This position is based in our New York City office, requiring a hybrid work schedule with 3 days of in-office work per week. Thursdays are a required in-office day for team meetings and events, while your other two office days are flexible to suit your schedule. Pay Transparency: The base pay for this role is: $163,944 per year - $215,176 per year. You are also eligible for employee benefits, participation in Oscar's unlimited vacation program, company equity grants and annual performance bonuses.

Responsibilities

• Design systems that continuously measure and validate security controls through operational telemetry, automated evidence generation, and control health monitoring.
• Build automation and orchestration across security tools, cloud platforms, and engineering systems to eliminate manual compliance processes and reduce audit overhead.
• Translate governance expectations into machine-enforceable guardrails embedded within infrastructure platforms, CI/CD pipelines, and engineering workflows.
• Apply automation, orchestration, and AI-assisted capabilities to scale governance workflows, enabling intelligent analysis and adaptive control systems.
• Architect control and telemetry pipelines where operational systems produce the evidence required for regulatory assurance and audit readiness.
• Compliance with all applicable laws and regulations
• Other duties as assigned

Requirements

• 4+ years experience in Technology related field.
• 4+ years experience in Security Engineering.
• Bonus points:
• Familiarity with industry standards and compliance frameworks (such as SOC, SOX., NIST, HIPAA) and experience in ensuring organizational adherence to these standards.
• Certifications such as CISSP, CISM, CISA, CEH, or vendor-specific certifications.
• Proficiency in managing security projects, including planning, execution, and successful delivery within timelines and budgets.
• 4+ years of experience in Security Engineering, DevSecOps, or Site Reliability Engineering (SRE), with at least 3 years specifically focused on GRC automation or internal security tooling.
• This is an authentic Oscar Health job opportunity. Learn more about how you can safeguard yourself from recruitment fraud here .
• Artificial Intelligence (AI): Our AI Guidelines outline the acceptable use of artificial intelligence for candidates and detail how we use AI to support our recruiting efforts.
• California Residents: For information about our collection, use, and disclosure of applicants' pers

Benefits

Additional Information

Hi, we're Oscar. We're hiring a Senior Security Engineer 1, GRC to join our Security Team. Oscar is the first health insurance company built around a full stack technology platform and a relentless focus on serving our members. We started Oscar in 2012 to create the kind of health insurance company we would want for ourselves-one that behaves like a doctor in the family.

Your Match

How well this role fits your profile.

Company Intel

What employees say

Worked at Oscar? Share your experience