Senior Security Operations Engineer

The Senior Security Operations Engineer is responsible for designing, implementing, and improving Data Loss Prevention (DLP) protections across Included Health's corporate and cloud environments. You will lead hands-on deployment and tuning of DLP controls, including endpoint, network, and SaaS. You will investigate and respond to potential data exfiltration events. Additionally, you will drive remediation and hardening based on real-world incidents and detections. You will own the operational lifecycle of our DLP stack. It involves building and refining policies, partnering with stakeholders to validate business-safe controls, automating response playbooks, and turning signal from alerts and logs into durable security improvements. You will also contribute to adjacent security operations functions, including incident response and vulnerability management, where they intersect with data protection. You will play a crucial role within the Security Engineering team, reporting directly to the Senior Manager, Security Engineering. This is a remote role. Responsibilities:

Lead the response to DLP and data security incidents, including investigation, containment, remediation, and root cause analysis for suspected data exfiltration or improper data handling.

Own the deployment, configuration, and continuous tuning of DLP controls across endpoints, network egress, SaaS applications, and cloud storage to protect PHI, PII, PCI, and other sensitive data.

Develop and maintain DLP policies, rules, and classifications that balance security, usability, and regulatory/client requirements.

Build and refine automated response playbooks and workflows that enrich, triage, and respond to DLP alerts, reducing manual effort and mean time to respond.

Perform proactive hunting for anomalous data movement, including unusual destinations, channels, or volumes, using DLP telemetry, EDR, SIEM, and identity signals.

Partner with Security Engineering, IT, Legal, Privacy, Compliance, and business stakeholders to design and enforce secure data-handling patterns and exception processes.

Contribute to broader incident response activities where data exposure or regulatory impact is a concern, including evidence handling and stakeholder communication.

Define and track key DLP metrics (coverage, detection quality, MTTD/MTTR, false positive rate) and communicate progress to security leadership and cross-functional partners.

Qualifications:

Minimum 5+ years of hands-on experience in security operations, incident response, or security engineering roles, with a strong emphasis on data protection and DLP.

Direct, hands-on experience deploying, tuning, and operating DLP tools (endpoint, network, SaaS, and/or cloud) in a production environment.

Experience implementing and operating Cloud Access Security Broker (CASB) or similar SaaS security controls

Deep experience integrating DLP signals into SIEM/SOAR workflows (e.g., CrowdStrike, Splunk, Sentinel)

Advanced scripting/automation skills (e.g., Python, PowerShell, KQL/SQL) used to enrich, tune, and report on DLP/IR telemetry at scale.

Proven experience with Endpoint Detection and Response (EDR) platforms (e.g., CrowdStrike, SentinelOne) and using them alongside DLP to investigate and contain data-focused incidents.

Strong experience with cloud data protection in AWS, including identifying and remediating misconfigurations, and leveraging native security services (e.g., GuardDuty, Security Hub) and CSPM tooling.

Experience designing and maintaining data classification and policy frameworks for PHI, PII, PCI, and other sensitive data types.

Physical/Cognitive Requirements:

Capability to remain seated in a stationary position for prolonged periods.

Eye-hand coordination and manual dexterity to operate keyboard, computer and other office-related equipment.

Capability to work with leadership, employees, and members in an appropriate manner.