Information Security Specialist

About Customer.io Over 8,000 companies — from scrappy startups to global brands — use our platform to send billions of emails, push notifications, in-app messages, and SMS every day. Customer.io powers automated communication that people actually want to receive. We help teams send smarter, more relevant messages using real-time behavioral data. About the role Hi, I'm Bill, VP of Operations at Customer.io. I'm looking for an Information Security Specialist to join our team. As our first dedicated InfoSec hire, you'll be the go-to person for securing our organizational systems, data, and operations across a globally distributed, remote-first company. Reporting to the VP of Operations, you'll work closely with IT, Compliance, and Platform Security to protect customer data, maintain our compliance posture, and help the company adopt AI tools thoughtfully and securely. This is a experienced individual contributor role — you'll be hands-on with tooling and policy, not managing a team. We're a company that embraces AI — we use it in our product and want our team to use it to do their best work. We need someone who sees AI as an opportunity to enable, not just a risk to lock down. You'll help us build practical guardrails that let people move fast with AI while protecting customer data and staying compliant. If your instinct is to ban first and ask questions later, this isn't the right fit. If you get excited about figuring out how to say "yes, and here's how we do it safely" — keep reading. What we value Pragmatic security — You focus on real risk reduction, not perfection, and avoid slowing the business down unnecessarily. Enablement over restriction — You default to “yes, if…” and help teams adopt tools like AI safely and confidently. Ownership and autonomy — You take responsibility for your domain and can operate independently in a fast-moving environment. Clarity and usability — You create policies and guidance that are simple, practical, and actually followed. Cross-functional partnership — You build trust and work effectively across IT, Engineering, Legal, and GTM teams. Curiosity and adaptability — You stay current on evolving threats, especially in AI and SaaS environments. Calm under pressure — You bring structure and clear thinking during incidents and audits. High standards, right-sized — You balance quality with speed and scale appropriately for a growing company. What you’ll do AI Governance Enablement — Develop and maintain a practical framework for evaluating, approving, and securely deploying AI tools across the organization. Assess data exposure risks, establish acceptable use guidelines, and help teams adopt AI confidently — not fearfully. Vulnerability Management — Own our vulnerability management program — scanning, triaging, coordinating remediation, and tracking resolution across infrastructure, applications, and endpoints. Compliance — Support and improve our compliance posture (SOC 2, ISO 27001), including evidence collection, control monitoring, and audit support. Ensure AI usage aligns with our regulatory and contractual obligations. Incident Response — Lead security incident response — investigate alerts, coordinate containment, document root causes, and drive improvements. Security Tooling — Manage and tune security tooling (EDR, SIEM/logging, DLP, email security, identity and access management controls). Vendor Third-Party Risk — Conduct security reviews of third-party vendors, SaaS integrations, and AI services — evaluating data handling, model training policies, and privacy commitments. Policy Standards — Develop and maintain security policies, standards, and runbooks that are practical and right-sized for our environment — including clear, usable AI usage policies that people actually follow. Application Security Partnership — Partner with Platform Security and Engineering on application security topics — advising on secure architecture, reviewing configurations ... (truncated, view full listing at source)