Job description
Full Time, Remote
Woebot Health has physical offices in San Francisco, Boston and Dublin, Ireland. If you're not currently based in one of our beautiful flagship cities, please inquire whether your position can be fully remote.
Our vision is to make mental health radically accessible.
We are a team of innovators, experts and business builders who have come together to develop advanced technologies that can transform healthcare.
We're focused on addressing the vast, unmet need for improved engagement and outcomes in mental health with Woebot, a digital coach that helps people engage more deeply and continuously in their mental health. Woebot's breakthrough is its ability to form a human-level bond with people using the latest in NLP, ML and other advanced technologies. Leveraging this therapeutic bond, and the expertise of our Stanford-trained clinicians and scientists, Woebot is constantly learning from the experience of more than one million people and hundreds of millions of messages exchanged to deliver high quality CBT-based tools that are psychologically related and responsive to a person's dynamic state of health.
Our work to advance human-centered technology has attracted a lot of attention. Today we've amassed more mentions in the scientific literature than any other digital therapeutic company, and are regularly featured as the architects of a radically new approach to mental health. But we've only just begun. With the backing of some of the world's most forward thinking investors and advisors, we're poised to redefine how people access mental health care.
Are you ready to create a new future for mental health, for everyone? Let's do it together!
How You'll Thrive
Within 1 month you will:
- Learn Woebot Health's policies and procedures, as well as the architecture and cloud infrastructure for our product(s).
- Conduct an initial security review of the products and document any security improvement opportunities. Then create an actionable plan to address the opportunities you discover.
- Meet with and build relationships with key personnel, such as engineers, product, quality, privacy, data scientists, and clinical teams to understand product, business, and security needs.
- Start taking security design and planning responsibilities to ensure the business is supported in planning for security efforts, including security sprint planning management.
- On an ongoing basis, be responsible for performing cybersecurity risk assessments (CSRAs) and security reviews during Change Requests for our product(s), engaging with colleagues across the company.
Within 3 months you will:
- On an ongoing basis, collaborate with key teams to design secure solutions and security features.
- Align product security with medical device, health, and regional regulatory requirements and best practice, as applicable.
- Incorporate security requirements into the Quality Management System requirements, including but not limited to:
  1) Developing Security Requirements
  2) Improving and managing Product Vulnerability Management and Disclosure plan.
- Create short and long term roadmaps to address identified security opportunities. Then develop product security standards and procedures with the appropriate teams, translating security requirements into operational success.
- Create and manage a product security risk exceptions process.
Within 6 months you will:
- Continue progress and management on the above-mentioned milestones.
- Fully embed yourself in the Total Product and Software Development Lifecycles at each stage from product/feature concept through release to retirement.
- Act on and implement the roadmaps to improve and document product security.
- Implement Secure by Design and Default.
- Work with commercial, engineering, privacy, and security to support security questionnaires from multiple large customers or health organizations.
- Assist leadership in audits pertaining to security and work with product teams to ensure compliance with industry security frameworks and regulatory requirements.
- On an ongoing basis, perform security assessments for all products including but not limited to threat modeling, risk assessments, and penetration testing.
Within Year 1 you will:
- Be an advocate for protecting user, customer, and Woebot Health business data.
- Stay up to date on threat landscapes, industry best practice, and regulatory requirements, implementing them into Woebot products that must adhere to the highest security standards.
Key Responsibilities
You will OWN
- Product Security by Design and Default while complying with regulatory security requirements and best practices, such as HIPAA, GDPR, and FDA
- Translation of Security requirements to key personnel and teams, including documentation creation
- Product Security Assessment, Risk, and Exceptions Management, such as but not limited to threat modeling, risk assessments, change management review, security architectural reviews, and penetration testing.
- Product Vulnerability Management, implementing vulnerability identification, such as known vulnerabilities, code weaknesses, incorrect or insecure configuration, insecure architecture, and exception management.
You will ASSIST
- Appropriate teams; from remediation plan to security findings, including Vulnerability Management and Security related Quality Corrective and Preventive Action (CAPAs).
- Security leadership; with internal and external audits, governance and compliance initiatives. Partnering with them to ensure Woebot Health and Woebot are secure.
- Engineering, Product, Quality, Data, and Design; working with appropriate teams for security compliance and implementation within our product, along with documentation of standards and procedures.
Role Specific Competencies
Required
- 5+ years in security engineering and architecture roles
- 3+ years performing threat modeling, security and vulnerability assessments, and risk reviews.
- 2+ years in a regulated environment, preferably adhering to, at minimum, HIPAA and GDPR.
- Experience working with cloud platforms, such as AWS, Azure, or GCP
- Familiarity with OWASP, MITRE, NIST, ISO frameworks especially 27001/2 and 13495, SOC 2, and STRIDE or equivalent framework
Preferred
- Software as a Medical Device (SaMD) experience, including pre- and post-market cybersecurity guidance and requirements, AAMI TIR 57/97, IMDRF Medical Device Cybersecurity Guide, and ISO 14971
- Understanding of Quality Management Frameworks, such as ISO 13485
- Exception Management experience
- Security Framework audit experience
Our Core Values:
- Empathic: You're a compassionate person and a team player motivated to understand others and help them be successful, too. You care as deeply for your colleagues as you do for our mission and our users.
- Self-aware: You possess a high level of emotional intelligence, which allows you to understand yourself and others, and to have a healthy emotional life in the workplace.
- Proactive & flexible: You are able to hit the ground running, you take responsibility for finding a way to get the job done. You learn as quickly as possible and sometimes do things outside the immediate scope of your work, giving it all you've got.
- Strong work-ethic: You've mastered healthy habits in your life that allow you to do great things. You exemplify dedication and commitment to coming up with very good results in your work and inspire others to do the same.
- Growth mindset: You believe abilities – like intelligence and talent – can be developed through dedication and hard work. You see failure as an opportunity to grow and welcome feedback as a pathway to your continued success.
- Humble: You recognize that you are one among many, and you hold a genuine desire to discover what other people can offer. You are intrigued by how others think, and how others feel differently from you. You lean into these moments with patience and curiosity.
Benefits
- Competitive Salary
- Stock Options
- Flexible PTO
- Health, Dental & Vision
Woebot is an equal opportunity employer and we deeply value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.