HighLevel

Security Engineer

TLDR

Lead end-to-end compliance initiatives for PCI DSS, SOC 2, and ISO 27001, while collaborating with cross-functional teams to ensure technical controls are effectively implemented.

About HighLevel

HighLevel is an AI-powered, all-in-one white-label sales & marketing platform that empowers agencies, entrepreneurs, and businesses to elevate their digital presence and drive growth. We are proud to support a global and growing community of over 1 million businesses, comprised of agencies, consultants, and businesses of all sizes and industries. HighLevel empowers users with all the tools needed to capture, nurture, and close new leads into repeat customers. As of mid 2025, HighLevel processes over 4 billion API hits and handles more than 2.5 billion message events every day. Our platform manages over 470 terabytes of data distributed across five databases, operates with a network of over 250 microservices, and supports over 1 million hostnames.

Our People

With over 1,500 team members across 15+ countries, we operate in a global, remote-first environment. We are building more than software; we are building a global community rooted in creativity, collaboration, and impact. We take pride in cultivating a culture where innovation thrives, ideas are celebrated, and people come first, no matter where they call home.

Our Impact

As of mid 2025, our platform powers over 1.5 billion messages, helps generate over 200 million leads, and facilitates over 20 million conversations for the more than 1 million businesses we serve each month. Behind those numbers are real people growing their companies, connecting with customers, and making their mark, and we get to help make that happen.

Responsibilities
  • Lead end-to-end PCI DSS compliance, including CDE scoping and reduction, control implementation/validation, and audit management (RoC/SAQ, QSAs).
  • Lead and support SOC 2 Type II attestation initiatives, including TSC mapping, evidence collection, control testing, and remediation tracking
  • Support and maintain ISO 27001 ISMS, including risk assessments, SoA, internal audits, and continuous improvement activities
  • Develop and enforce security policies, standards, and procedures aligned with PCI DSS, SOC 2, and ISO 27001
  • Partner with Security, Platform, and Application teams to ensure controls are technically implemented and continuously operating
  • Collaborate with Security Architecture to review and validate security exceptions and ensure compliance alignment
  • Track, review, and periodically reassess approved exceptions to minimize long-term risk exposure
  • Own the Third-Party Risk Management (TPRM) program, including vendor tiering, risk assessments, and security reviews
  • Evaluate vendor compliance posture, including PCI DSS requirements, and define remediation or contractual controls
  • Design and manage scalable GRC workflows for risk assessments, vendor reviews, evidence management, and control testing
  • Perform business impact analysis and support BCDR planning and tabletop exercises
  • Prepare and present risk, compliance, and third-party security reports to senior leadership
  • Translate technical risks into business-impact language to support decision-making

Qualifications
  • Bachelor’s degree in Information Systems, Computer Science, Cybersecurity, or a related field.
  • 4.5+ years of experience in GRC, risk management, or compliance, with exposure to technical security controls.
  • Strong hands-on experience with PCI DSS, including audits, CDE scoping, and control validation
  • Working knowledge of SOC 2 Type II Trust Services Criteria and audit processes
  • Experience implementing and maintaining ISO 27001 ISMS, including risk assessments and Annex A controls
  • Hands-on experience with third-party vendor risk assessments, tiering, and remediation tracking
  • Ability to interpret technical security concepts such as cloud architecture, network segmentation, access controls, and vulnerability reports
  • Strong analytical, documentation, and stakeholder communication skills
  • Experience working in cloud-native or SaaS environments
  • Certifications such as IPCIP, QSA, CISA, ISO 27001, TPRA or equivalent.
  • Experience with GRC tools such as Vanta, or ServiceNow GRC
  • Knowledge of data protection and privacy regulations such as GDPR and CCPA
  • Familiarity with NIST, CIS Controls, or similar frameworks
  • Experience in SaaS environments with PCI-in-scope systems

HighLevel is an all-in-one white-label sales and marketing platform that empowers marketing agencies, entrepreneurs, and businesses to enhance their digital presence and drive growth. With a suite of robust tools designed to capture, nurture, and convert leads, HighLevel supports a diverse community of over 2 million clients across various industries.

Founded: 2018
Employees: 201-500
Industry: Internet Software & Services
Total raised: $60M