About TRUE
TRUE Property Insurance is a reciprocal insurer founded in 2020 to serve homeowners in storm-prone regions across Florida and other coastal markets throughout the United States. The company is actively writing HO3 business in Florida, Georgia, Texas, and South Carolina, in addition to program business with partners in Arizona and California. TRUE plans to continue expanding into additional states in 2026 and beyond as it grows its national footprint. Through a partnership-driven distribution model, TRUE collaborates with both new and existing partners to deliver tailored homeowners insurance solutions while continuing to scale its product offerings, underwriting capabilities, and team.
About the role
We are seeking an experienced and self-driven Senior Security Analyst / Senior Security Engineer. This is a highly impactful, individual-contributor role, responsible for the policies, practices, tools, and culture needed to protect our people, systems, data, and applications.
You will partner closely with Engineering, IT, Legal, and People Operations to assess risk, implement controls, and ensure we maintain a strong and continuously improving security posture. This role blends both strategic thinking and hands-on execution.
Key Responsibilities
- Application Security
  - Lead the application security program, including secure SDLC practices, threat modeling, and code review processes.
  - Conduct and coordinate application penetration testing and vulnerability assessments.
  - Partner with engineering teams to integrate security tooling (SAST, DAST, SCA) into CI/CD pipelines.
  - Define and enforce secure coding standards and developer security training programs.
- Data Security
  - Design and implement data classification frameworks and data loss prevention (DLP) strategies.
  - Oversee encryption standards for data at rest and in transit across all systems.
  - Identify and remediate risks related to sensitive data exposure, PII, and regulated data (e.g., SOC 2, GDPR, HIPAA where applicable).
  - Develop and maintain data access controls and data governance policies.
- Employee & Endpoint Security
  - Oversee the endpoint security program, including MDM, EDR, and device compliance policies.
  - Develop and deliver security awareness training and phishing simulation programs for all employees.
  - Establish onboarding and offboarding security checklists and access provisioning controls.
  - Monitor for insider threats and risky user behaviors through appropriate tooling.
- Cybersecurity Policy & Governance
  - Maintain, mature, and enforce the organization's cybersecurity policies, incident response procedures, standards, and procedures.
  - Drive compliance with relevant frameworks (SOC 2, ISO 27001, NIST CSF, CIS Controls).
  - Manage the vendor risk management program, including third-party security assessments.
  - Serve as the primary point of contact for security-related audits, customer questionnaires, and compliance inquiries.
- Yearly Assessments & Risk Management
  - Lead and coordinate annual security risk assessments and gap analyses.
  - Own the vulnerability management lifecycle, from scanning to prioritization to remediation tracking.
  - Present security metrics, risk findings, and program status to leadership on a regular cadence.
  - Maintain and mature the organization's risk register.
- Infrastructure & Cloud Security
  - Evaluate and harden cloud infrastructure (AWS) configurations using best practices and benchmarks (e.g., CIS).
  - Implement and oversee identity and access management (IAM), zero trust principles, and privileged access controls.
  - Monitor security alerts via SIEM and investigate potential incidents end-to-end.
Qualifications
- 5+ years of experience in information security, with a mix of analyst and engineering responsibilities.
- Demonstrated experience owning or significantly contributing to an enterprise security program.
- Solid understanding of application security concepts (OWASP Top 10, threat modeling, secure SDLC).
- Hands-on experience with cloud security (AWS) and infrastructure hardening.
- Familiarity with compliance frameworks such as SOC 2, NIST CSF, ISO 27001, or CIS Controls.
- Strong written and verbal communication skills; able to translate technical risk into business language.
- Proven ability to work independently and prioritize in a fast-paced, resource-constrained environment.
Preferred Qualifications
- Relevant certifications: CISSP, CISM, CCSP, CEH, AWS Security Specialty, or equivalent.
- Experience conducting or managing penetration tests and red team exercises.
- Familiarity with SaaS security tooling (e.g., Okta, CrowdStrike, Wiz, Drata, Vanta).
- Experience building a security program from scratch at a startup or high-growth company.
- Knowledge of privacy regulations (GDPR, CCPA, HIPAA) and their security implications.
- Background in software engineering or DevSecOps practices.