Information Security Governance and Control Engineer

Job Description

Job Description

Company Description

At Butterfly Network, we're leading a digital revolution in medical imaging, transforming an industry that has long relied on bulky, analog systems. With our proprietary Ultrasound-on-Chip™ technology, we're democratizing healthcare by shifting ultrasound from the expensive, stationary systems of the past to the connected, mobile, and software-enabled platforms of today. In 2018, we launched the world's first handheld, whole-body ultrasound, Butterfly iQ – followed by iQ+ in 2020 and iQ3 in 2024, each more powerful than the last.

Our innovation doesn't stop at hardware. Butterfly combines our advanced device with intelligent software, AI, services, and education to drive adoption of affordable, accessible imaging. Our technology is proving to help clinicians, clinics, and hospitals enhance care, cut costs, and expand imaging access. We've been recognized by Prix Galien USA, Fierce 50, TIME's Best Inventions, Fast Company's World Changing Ideas, among other awards.

We're a team of bold thinkers, problem-solvers, and innovators ready to shape the future of medical imaging. Let's build something extraordinary together!

Job Description

You will be working in Butterfly's fast-growing Information Security (InfoSec) team to better meet the needs of our customers in the global healthcare sector. As a Security Engineer, you will have the opportunity to work closely with our DevOps, Hardware, Software, AI, Risk Management, Audit, Quality Team, and Cloud Engineering Teams to secure our product and our cloud security architecture. As we scale our business internationally and into large enterprises, security has never been more important to our company and those patients we help every day. Manage, Monitor, and Maintain Global Security Certifications rooted in National Institute of Standards and Technology (NIST) - International Organization for Standardization (ISO) - Health Information Technology for Economic and Clinical Health (HITECH) - International Electrotechnical Commission (IEC).

As part of our team, your core responsibilities will be :

• Assess, triage, and prioritize security alerts from logging and monitoring systems.
• Incident response management and breach mitigation.
• Conduct vulnerability assessment, determine deviations from acceptable configurations, and assess the level of risk; recommend appropriate mitigation countermeasures.
• Work in collaboration with IT, Cloud Operations, and Engineering Teams to secure our AWS environment.
• Keep abreast of tools, techniques, and process improvements in support of security detection and analysis in accordance with current and emerging threat and attack vectors.
• Support digital forensic activities including collecting, processing, preserve, analyze, and present evidence in support of vulnerability mitigation, and investigations.
• Help mature and maintain an Incident Response Program.
• Develop playbooks, work instructions, process flow, Risk Assessments, and automation solutions.
• Evidence and artifact collection and articulation for purpose of Audit and Accreditations.
• Supports Routine Governance and Control Meetings (e,g. Security Steering Committee, etc.)
• Performs Third Party Risk Management of a selection of vendors via automated tool (e.g. VisoTrust).
• Writing and maintaining a robust portfolio of prescribed Information Security Policies and Procedures.
• Management of the Annual and Intermittent Security Training Curriculum (working with the Learning Management System (LMS) Admin.
• Lead the administration Information Security Committee
• Lead the administration of the BC / DR / IR Plans and Testing
• Manage and Submit routine Con-Mon Reports to issue certification authorities.
• Management of the Routine User Access Reviews and validation approvals.
• Partnership with Internal / External Auditors on Statement of Compliance (SOC-2), ISO27001, C5 Germany, NHS DSPT England, GovRAMP, TX-RAMP, FedRAMP, HITRUST.
• Contributes to Executive Presentations of the InfoSec state and environment.
• Will require working nights (at times), weekends (at times), or holidays (at times) on a rotational basis with the rest of the team to ensure 24x7 coverage.
• Supports our CISO in additional security initiatives and projects, as needed.

Qualifications

Values

Innovation is what we do. Our values are how we make it happen. Butterflies are and believe in…

Location

Butterfly offers a hybrid work model for most positions, with team members spending two or more days a week in the office. While flexibility is key, we value in-person connections that spark creativity and teamwork. Our offices are designed for collaboration, with comfortable workspaces, stocked kitchens, and opportunities to connect with peers.

This is a hybrid position and will be based out of our office in New York City Office two to three days every week.

Benefits and Perks

Compensation

Our estimated salary for this role based in NYC is around $100,000 base + bonus + equity + benefits. Actual pay is determined by multiple factors such as skills, qualifications, experience and market demand.

For this role, we are only considering candidates who are legally authorized to work in the United States and who do not now or in the future require sponsorship for employment visa status.

Butterfly Network does not accept agency resumes.

Butterfly Network is an E-Verify Company.

Butterfly Network is an equal opportunity employer. Regardless of race, traits associated with race, color, ancestry, religion, gender, national origin, sexual orientation, age, citizenship, marital status, disability or Veteran status. All your information will be kept confidential according to EEO guidelines.

Butterfly requires security adherence responsibilities from all employees. These include : adhering to all company security policies and procedures, utilize provided company assets securely, and complete all required security awareness training programs. Safeguarding company data and systems from unauthorized access, modification, or destruction, contributing to the overall security posture of the organization. Immediately reporting any suspected or actual security incidents, including phishing attempts, malware infections, or unauthorized access, following the established incident response procedures.

#LI-KG

#KG-LI