About League

Founded in 2014, League is the leading healthcare consumer experience (CX) platform, powered by artificial intelligence (AI), reaching more than 63 million people around the world and delivering the highest level of personalization in the industry. Payers, providers, and consumer health partners build on League’s platform to deliver high-engagement healthcare solutions proven to improve health outcomes. League has raised over $285 million in venture capital funding to date, powering the digital experiences for some of healthcare’s most trusted brands, including Highmark Health, Manulife, Medibank, and Shoppers Drug Mart.

Position Summary

League’s security engineering teams are responsible for scaling security in the development lifecycle and vulnerability management. We believe in security by design and follow a paved road philosophy by building or buying tools that we can integrate into our platform to ultimately make it easier for our engineers to do the right thing. Security is everyone’s responsibility, but security engineering is how we make it possible for engineers to ship high quality code to production several times per day with security baked in.

As a Staff Security Engineer at League, you will be a principal technical leader helping to set the long-term security architecture and strategy across our entire platform, infrastructure, and engineering organization.

You will move beyond incremental improvement to solve the highest-impact, most ambiguous, and most foundational security problems. You will define the "paved road" by designing common security components, frameworks, and reference architectures that make it nearly impossible for engineers to ship insecure code. You are expected to not only execute but also to help define the technical strategy for scaling security by design across a high-growth health tech environment. This role has system-level impact, driving security and compliance controls directly into the foundational fabric of League’s technology

About the Role

Architectural Leadership: Help define and champion the long-term technical security roadmap, architecture patterns, and standards for League's applications, infrastructure, and multi-cloud environment.
Cross-Functional Strategy: Act as the primary security technical partner and consultant to Platform, Product, and executive leadership, driving alignment on multi-quarter security initiatives.
Security Design Governance: Lead high-stakes, complex security design and architecture reviews (STRIDE/threat modeling) for new services and core platform migrations, ensuring all foundational systems meet strict health data compliance requirements.
Risk & Vulnerability Strategy: Design, implement, and automate organization-wide frameworks for continuous vulnerability management and detection, moving beyond manual triage to scalable remediation systems.
Due Diligence Expertise: Architect the security due diligence program for critical third-party vendors and partnerships that handle sensitive customer data, setting non-negotiable architectural requirements.
Mentorship & Elevation: Actively mentor Senior and mid-level security engineers, fostering a culture of security architecture excellence and technical leadership within the team and across the organization.

About You

8+ years of progressive experience in security engineering, with at least 2 years operating at the Senior or Principal Engineer level.
Deep expertise in cloud security architecture (AWS, GCP, or Azure), focusing on securing containerization (Kubernetes), cloud IAM, and infrastructure as code (Terraform).
Proven track record of successfully leading and delivering large-scale, cross-organizational security initiatives from concept through production deployment.
Ability to write secure, production-grade code in languages like Python, Go, Java, or TypeScript to build automation tools and scalable security services.
Demonstrates experience designing and implementing controls and architectural mandates to achieve and maintain compliance with HIPAA or HITRUST.
Mastery of application security, including secure development lifecycle (SDLC) integration, authentication/authorization protocols (OAuth, OIDC), and common attack vectors.

Security-Related Responsibilities

Ensure access management is performed in compliance with the employee's role and responsibilities
Responsibility and accountability for executing League's policies and procedures within the department/ team
Notification of HR, Legal, Compliance & Security of any incidents, breaches or policy violations
Compliance with Information Security Policies

CANADA APPLICANTS ONLY: The Canada-specific compensation range below for this full-time position is exclusive of bonus, equity and benefits. This range reflects the minimum and maximum target for base salaries for the position across all Canadian locations. The salary range is intentional to account for the performance and career progressions a Leaguer will experience in the role throughout their time at League. Where in the band you may land is determined by job-related skills/experience. Your recruiter can share more about the specific salary range specific to your skills and experience during the hiring process.

Compensation range for Canada applicants only

$193,500—$230,000 CAD

Our employees come from different backgrounds, and we celebrate those differences. We are looking for the best candidates for our open roles, but do not expect applicants to meet every qualification in order to be considered. If you are excited about what you could accomplish at League and believe you can add value to our team, we would love to hear from you.

We are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity or Veteran status. If you are an individual in need of assistance at any time during our recruitment process, please contact us at [email protected].

Our Application Process:

Applying to a role you love can be exhausting, and understanding the next steps can feel vague and uncertain. You have done the hard part of submitting your application; let's do ours by sharing potential next steps

You should receive a confirmation email after submitting your application.
A recruiter (not a computer) reviews all applications at League.
If we see alignment with League's needs, a recruiter will reach out to learn more about your goals. The recruiter will also share the team-specific interview process depending on the roles you are exploring.
The final step is an offer, which we hope you will accept!
Prior to joining us, we conduct reference and background checks. Additional checks could be required for US Candidates, depending on the role you are exploring.

Here are some additional resources to learn more about League:

Work Location:

We have a mix of office-centric roles based in our vibrant Toronto office, and remote-eligible roles based anywhere in Canada or US. Each job posting will indicate where the role will be based. Regardless of the role’s posted location, all Toronto-area Leaguers (living within 65 km of our downtown HQ) collaborate in-office Monday through Thursday. Depending on your distance to the office, you’ll enjoy 10 or 20 Flexible Remote Days each quarter for focus and deep-work time. We are committed to fostering a meaningful work environment and connections for all Leaguers regardless of location.

Recognize and Avoid Employment scams. Practice safe job searching.

Scammers are getting craftier and leveraging fake job postings to get personal information. Know the warning signs and protect yourself from scammers. Learn more here.

Use of AI Notice
We are committed to ensuring fairness and transparency throughout our hiring process. League may use Artificial Intelligence (AI) tools to assist in the screening of applicants for this position. Please check out our stance on using AI in recruitment here.

Privacy Policy

Review our Privacy Policy for information on how League is protecting personal data.

Staff Security Engineer

AI overview