Information Security Governance and Control Engineer

At Butterfly Network, we’re leading a digital revolution in medical imaging, transforming an industry that has long relied on bulky, analog systems. With our proprietary Ultrasound-on-Chip™ technology, we’re democratizing healthcare by shifting ultrasound from the expensive, stationary systems of the past to the connected, mobile, and software-enabled platforms of today.  In 2018, we launched the world’s first handheld, whole-body ultrasound, Butterfly iQ – followed by iQ+ in 2020 and iQ3 in 2024, each more powerful than the last.

Our innovation doesn’t stop at hardware. Butterfly combines our advanced device with intelligent software, AI, services, and education to drive adoption of affordable, accessible imaging. Our technology is proving to help clinicians, clinics, and hospitals enhance care, cut costs, and expand imaging access. We’ve been recognized by Prix Galien USA, Fierce 50, TIME’s Best Inventions, Fast Company’s World Changing Ideas, among other awards.

We’re a team of bold thinkers, problem-solvers, and innovators ready to shape the future of medical imaging. Let’s build something extraordinary together!

You will be working in Butterfly’s fast-growing Information Security (InfoSec) team to better meet the needs of our customers in the global healthcare sector. As a Security Engineer, you will have the opportunity to work closely with our DevOps, Hardware, Software, AI, Risk Management, Audit, Quality Team, and Cloud Engineering Teams to secure our product and our cloud security architecture. As we scale our business internationally and into large enterprises, security has never been more important to our company and those patients we help every day. Manage, Monitor, and Maintain Global Security Certifications rooted in National Institute of Standards and Technology (NIST) - International Organization for Standardization (ISO) - Health Information Technology for Economic and Clinical Health (HITECH) - International Electrotechnical Commission (IEC).

As part of our team, your core responsibilities will be:

• Assess, triage, and prioritize security alerts from logging and monitoring systems.
• Incident response management and breach mitigation.  
• Conduct vulnerability assessment, determine deviations from acceptable configurations, and assess the level of risk; recommend appropriate mitigation countermeasures.
• Work in collaboration with IT, Cloud Operations, and Engineering Teams to secure our AWS environment.
• Keep abreast of tools, techniques, and process improvements in support of security detection and analysis in accordance with current and emerging threat and attack vectors.
• Support digital forensic activities including collecting, processing, preserve, analyze, and present evidence in support of vulnerability mitigation, and investigations.
• Help mature and maintain an Incident Response Program.
• Develop playbooks, work instructions, process flow, Risk Assessments, and automation solutions.
• Evidence and artifact collection and articulation for purpose of Audit and Accreditations. 
• Supports Routine Governance and Control Meetings (e,g. Security Steering Committee, etc.)
• Performs Third Party Risk Management of a selection of vendors via automated tool (e.g. VisoTrust).
• Writing and maintaining a robust portfolio of prescribed Information Security Policies and Procedures.
• Management of the Annual and Intermittent Security Training Curriculum (working with the Learning Management System (LMS) Admin. 
• Lead the administration Information Security Committee 
• Lead the administration of the BC/DR/IR Plans and Testing
• Manage and Submit routine Con-Mon Reports to issue certification authorities. 
• Management of the Routine User Access Reviews and validation approvals.
• Partnership with Internal/External Auditors on Statement of Compliance (SOC-2), ISO27001, C5 Germany, NHS DSPT England, GovRAMP, TX-RAMP, FedRAMP, HITRUST. 
• Contributes to Executive Presentations of the InfoSec state and environment. 
• Will require working nights (at times), weekends (at times), or holidays (at times) on a rotational basis with the rest of the team to ensure 24x7 coverage.
• Supports our CISO in additional security initiatives and projects, as needed.

• Baseline skills/experiences/attributes:
• Minimum 7+ years of cybersecurity experience, 2 of which include being in a Security Operation Center (SOC)/Computer Security Incident Response Team (CSIRT) environment.
• Experience investigating cybersecurity events and incidents using a full suite of alerting and response tools, digital forensic or malware analysis tools.
• Firsthand experience with Vulnerability Management preferably Rapid7, perform scans, produce reports, and track remediation.
• Experience managing User Access Reviews, to ensure access, proper roles, and findings are accurate and timely.
• Strong familiarity with NIST 800-53 (Rev-5).
• Strong familiarity with ISO27001. 
• Strong Project Management skills (PMP, Six Sigma, or Agile).
• Strong Audit Coordination Skills (interpretation, artifact collection, and mapping). 
• Skilled in Plan of Action & Milestones (POA&M) 
• Skilled in Continuous Compliance Monitoring (Con-Mon)
• Strong written and communications skills (collaborating with employees at all levels).
• CISSP, GIAC, and or AWS Certified Security Specialty a plus.
•  

Values

Innovation is what we do. Our values are how we make it happen. Butterflies are and believe in…

• Patient-Centric Innovators: Our mission is THE mission.
• Empowered to Impact: Every voice matters.
• One Team, One Goal: Unity fuels progress.
• Growth Champions: We embrace challenges.
• Action-Oriented Achievers: We follow through, every time.

This is a hybrid role based in the NYC office. Our minimum expectation is that you are in the office 2 to 3 days every week. 

• Comprehensive health insurance, encompassing dental and vision coverage, is provided to all our employees. As a health-tech company, we prioritize the well-being of our teams. Additionally, employees have the option to buy up for enhanced health insurance coverage. We also contribute to Health Savings Account (HSA) accounts for all enrolled employees on an annual basis.
• Comprehensive Employee Assistance Program - we provide access to tools and resources to support your emotional health and day-to-day needs.
• 401k plan and match - we facilitate your retirement goals.
• Eligible employees will have the opportunity to participate in Employee Stock Purchase Plan (ESPP)
• Unlimited Paid Time Off + 10 Holiday Days a Year - recharge and come back ready to make an impact
• Parental Leave - we aim to provide our employees with time to bond with their growing family, along with additional support for primary caregivers to help transition back to work 
• Competitive salaried compensation - we value our employees and show it 
• Equity - we want every employee to be a stakeholder
• The opportunity to build a revolutionary healthcare product and save millions of lives! 

Compensation 

Our estimated salary for this role based in NYC is around $100,000 base + bonus + equity + benefits. Actual pay is determined by multiple factors such as skills, qualifications, experience and market demand.

For this role, we are only considering candidates who are legally authorized to work in the United States and who do not now or in the future require sponsorship for employment visa status.

Butterfly Network does not accept agency resumes.

Butterfly Network is an E-Verify Company. 

Butterfly Network is an equal opportunity employer.  Regardless of race, traits associated with race, color, ancestry, religion, gender, national origin, sexual orientation, age, citizenship, marital status, disability or Veteran status. All your information will be kept confidential according to EEO guidelines.

Butterfly requires security adherence responsibilities from all employees. These include:  adhering to all company security policies and procedures, utilize provided company assets securely, and complete all required security awareness training programs. Safeguarding company data and systems from unauthorized access, modification, or destruction, contributing to the overall security posture of the organization. Immediately reporting any suspected or actual security incidents, including phishing attempts, malware infections, or unauthorized access, following the established incident response procedures.

#LI-KG

#KG-LI