
Information Security Specialist

* Salary: R$ 11.000 to R$ 20.000 per month (estimated)

* The value shown is an estimate calculated from public data and market references. We do not guarantee that this is the salary offered for this specific position.

Area: Information Technology

Level: Senior

Summary

Confidencial (Apenas para Cadastrados) is Brazil's first intelligent copilot for fleet management. Our mission is to connect data from telematics, video, and logistics systems to deliver insights that reduce accidents, optimize costs, and increase our clients' sustainability.

As we grow at least 100% year over year and expand into Enterprise accounts, information security shifts from a support function to a strategic business lever. We are looking for an Information Security Specialist to operate Confidencial (Apenas para Cadastrados)'s security and compliance program hands-on: helping us achieve ISO/IEC 27001:2022 certification, keeping our GRC platform healthy, and turning security into something that unblocks Enterprise deals instead of slowing them down.

At Confidencial (Apenas para Cadastrados), we believe in "operate on all levels". This is a hands-on, executor role: you will spend your days inside audit logs, GRC platforms, evidence pipelines, and security questionnaires, not only writing policy.

Philosophy

Intensity to win. We believe extraordinary results are born from relentless focus, resilience, and a deep-seated passion for overcoming challenges. This intensity fuels our commitment to excellence and ensures we never settle for "good enough".

Partnership that creates value. We understand that sustainable success is never built in isolation. We thrive by creating win-win relationships, aligning our goals with our clients and colleagues to build mutual, lasting growth. Our success is measured by the success we create for others.

Autonomy that learns. We believe that innovation and agility come from empowerment. We trust our teams to take initiative and make decisions, knowing that every outcome, whether a success or a challenge, is a crucial opportunity to learn, adapt, and grow smarter.

Mission

Your mission is to put Confidencial (Apenas para Cadastrados)'s information security program into practice. You will work side by side with the Head of Platform (who owns DevOps and Security strategy) to execute the roadmap that takes us through ISO/IEC 27001:2022 certification and keeps the program running afterward.

You will be the person who operates the controls day to day: configuring Drata, collecting and organizing evidence, answering Enterprise security questionnaires, building the Trust Center, and keeping our compliance posture always audit-ready.

Operating model

This role reports to the Head of Platform, who owns the overall DevOps and Security strategy, the relationship with the executive team, and the program direction. You provide the execution muscle behind that program.

You will not manage a team. Your impact comes from doing the work well and from partnering closely with DevOps, Engineering, Product, HR, Legal, and Operations to keep every control with a clear owner and a working evidence pipeline. As the program matures, the security function will grow and your scope can grow with it.

In your first 12 months, expect roughly 70 to 80% of your time on ISO 27001 certification, the Trust Center, and Enterprise security questionnaires. Other workstreams (AI Security, vendor risk, awareness, tabletop exercises) start lean and mature progressively.

Hiring model

Fully remote, with 4 on-site gatherings per year in São Paulo.

What you'll do day-to-day

  • Operate the ISO 27001 program: Execute the work behind Confidencial (Apenas para Cadastrados)'s ISO/IEC 27001:2022 certification, maintaining the Annex A controls, preparing evidence, and supporting the Head of Platform as the focal point with external auditors.

  • Run the GRC platform: Configure, maintain, and scale Drata, integrating evidence sources (cloud, identity, endpoint, HR), automating collection, and keeping the compliance posture visible and audit-ready.

  • Answer Enterprise security questionnaires: Respond to SIG, CAIQ, VSAQ, and custom Enterprise RFPs, and build a reusable answer library that scales with the sales team.

  • Build and maintain the Trust Center: Help stand up and operate a public-facing Trust Center showcasing certifications, policies, subprocessors, and incident SLAs.

  • Support secure SDLC and AI Security: Help embed security into the development lifecycle (SAST/DAST/SCA, security-focused code review) and apply the guardrails for responsible use of generative AI tools (Cortex, Copilot, Cursor).

  • Risk and vendor management: Keep the risk register up to date, support risk assessments for new initiatives, and run the vendor risk assessment process for critical partners (BaaS providers such as Swap, AWS, Chinese ODMs, productivity SaaS).

  • LGPD and privacy: Support Legal on data mapping, lawful basis for processing, and data subject rights.

  • Security culture: Run the awareness program, phishing simulations, and security onboarding across teams.

  • Hands-on contribution: Go deep when needed, whether reviewing an AWS IAM policy, configuring a Drata integration, writing an incident runbook, or personally answering a 300-line Enterprise security questionnaire.

What we need from you

Prerequisites

  • Solid security experience in information security, GRC, or DevSecOps, having participated in at least one ISO 27001 and/or SOC 2 certification process (as a contributor, not necessarily as the lead).

  • Hands-on GRC platform experience: Practical experience operating Drata, Vanta, Sprinto, Secureframe, or similar, including evidence integrations and day-to-day operation.

  • Foundation in at least one area: Working strength in one of the following, with curiosity to learn the others: (a) GRC and compliance (ISO 27001, SOC 2, LGPD), (b) Cloud Security and DevSecOps (AWS, IAM, container security, IaC scanning), or (c) AppSec and Secure SDLC (threat modeling, SAST/DAST, code review).

  • Collaborative profile: Comfortable getting outcomes by partnering with engineering, product, and operations teams rather than gatekeeping.

  • AI fluency: Daily use of AI tools (Claude, ChatGPT, Cursor, Copilot, or similar) and awareness of the risks generative AI brings to security and software development.

  • Cloud familiarity: Working knowledge of AWS, CI/CD, and ideally Kubernetes, Terraform, and observability practices.

  • Enterprise questionnaire experience: Exposure to SIG, CAIQ, VSAQ, or custom Enterprise security questionnaires.

  • Operate on all levels: Comfortable balancing organized, methodical work with hands-on execution.

Nice to have

  • Certifications such as ISO 27001 Lead Implementer / Lead Auditor, AWS Security Specialty, CompTIA Security+, CISM.

  • Prior experience in startups or scale-ups growing 100%+ year over year.

  • Familiarity with PCI-DSS (relevant for our fintech initiative, Confidencial (Apenas para Cadastrados) Pay) or Brazilian Central Bank resolutions.

  • Working knowledge of AI security frameworks (OWASP Top 10 for LLMs, NIST AI RMF, MITRE ATLAS).

  • Familiarity with video telematics, IoT, or embedded hardware (device security, secure OTA, protection of video and location data).

  • Hands-on Security Engineering background (Python automations, SIEM integrations, custom detections).

Benefits of being Confidencial (Apenas para Cadastrados)

  • Collaborative and flexible environment;

  • Day off in your birthday month;

  • Wellhub;

  • Meal allowance (Caju card) R$1.000,00;

  • Home office allowance (Caju card) R$150.00;

  • Health and dental insurance (100% covered by Confidencial (Apenas para Cadastrados));