CoreWeave is The Essential Cloud for AI™. Built for pioneers by pioneers, CoreWeave delivers a platform of technology, tools, and teams that enables innovators to build and scale AI with confidence. Trusted by leading AI labs, startups, and global enterprises, CoreWeave combines superior infrastructure performance with deep technical expertise to accelerate breakthroughs and turn compute into capability. Founded in 2017, CoreWeave became a publicly traded company (Nasdaq: CRWV) in March 2025. Learn more at www.coreweave.com.
About This Role:
The Product Engineering organization is responsible for executing and delivering CoreWeave's products, platforms, processes, and tools. As a security compliance lead, you will creatively shape compliance solutions that enhance security, engineering, and business agility. You will collaborate closely with innovative teams to turn compliance from a checklist into a strategic advantage. You will be part of an environment that values proactive thinking, creative problem-solving, and meaningful impact.
If you are passionate about cloud technologies, thrive in complex technical environments, and excel at orchestrating large-scale programs, we want to hear from you!
Who You Are:
In this role, you will:
• Own and drive the HITRUST program end-to-end, ensuring alignment with HIPAA Security, Privacy, and Breach Notification Rules and obligations under Business Associate Agreements (BAAs)
• Define, document, and continuously refine the HITRUST control environment, including data flows, system boundaries, and trust zones for systems that store, process, or transmit electronic Protected Health Information (ePHI)
• Partner closely with Product, Engineering, Infrastructure, and Security teams to design and implement secure, scalable, and HIPAA-aligned solutions that meet HITRUST CSF requirements
• Lead HITRUST (e1/i1/r2) assessment readiness and certification efforts, including risk-based scoping, gap assessments, control maturity evaluations, and cross-functional remediation programs
• Act as the primary liaison for HITRUST External Assessors, managing assessment readiness, validated assessment processes, evidence collection, and certification lifecycle
• Ensure effective implementation of administrative, physical, and technical safeguards to protect ePHI in accordance with HIPAA and HITRUST requirements
• Drive continuous compliance and monitoring initiatives, including automation of evidence collection, control validation, and reporting across cloud-native and hybrid environments
• Translate HITRUST CSF, HIPAA, and contractual (BAA) requirements into actionable technical and operational controls, enabling secure-by-design architectures
• Support and enforce data protection principles such as minimum necessary access, encryption, secure transmission, audit logging, and incident response for ePHI
• Identify and implement opportunities to reduce compliance overhead and audit fatigue through control rationalization, inheritance, and alignment across frameworks (SOC 2, ISO 27001, NIST, etc.)
• Manage compliance and certification lifecycles, ensuring accurate tracking of controls, risks, corrective action plans (CAPs), and audit artifacts
• Continuously assess and improve control maturity, effectiveness, and risk posture, with a focus on protecting sensitive healthcare data
• Develop and maintain high-quality documentation (policies, standards, procedures, BAAs, and audit evidence) aligned with HITRUST and HIPAA requirements
• Track and communicate program health, compliance posture, risks, and remediation progress to internal stakeholders, leadership, and customer-facing teams
• Support customer assurance activities, including security questionnaires, due diligence requests, and discussions related to HITRUST certification and HIPAA compliance
• Mentor and guide junior team members and control owners on HITRUST, HIPAA, and healthcare compliance best practices
Investing in our people is one of our top priorities, and we value candidates who can bring their diversified experiences to our teams. Here are some qualities we've found compatible with our team. We'd love to talk about whether this aligns with your experience and interests and what you're excited to work on next.
Preferred:
• Experience leading HITRUST certification and readiness programs (e1, i1, r2), including control implementation, gap remediation, and audit support in HIPAA-regulated environments
• Strong understanding of HIPAA Security, Privacy, and Breach Notification Rules, with hands-on experience implementing safeguards for ePHI in cloud and distributed systems
• Proven ability to design and scale compliance programs in high-growth or hyperscale environments, balancing regulatory requirements with engineering velocity
• Experience aligning HITRUST CSF with frameworks such as HIPAA, ISO 27001, SOC 2, and NIST to streamline controls, enable inheritance, and reduce audit overhead
• Deep knowledge of cloud-native security controls, including IAM, encryption (at rest and in transit), logging and monitoring, network segmentation, and container/Kubernetes security
• Experience implementing and operating administrative, physical, and technical safeguards in accordance with HIPAA and HITRUST requirements
• Demonstrated ability to drive continuous compliance, automation, and compliance-as-code initiatives in engineering-driven environments
• Experience supporting customer assurance, security reviews, and BAA obligations, including responding to due diligence and regulatory requirements
• Strong analytical, communication, and stakeholder management skills, with the ability to translate complex compliance requirements into actionable guidance
• Relevant certifications such as HITRUST CCSFP, CISSP, CISA, CISM, CRISC, or equivalent
If you're eager to elevate compliance into a creative, strategic force within a fast-paced, forward-thinking company, we'd love to hear from you!
Wondering if you're a good fit? We believe in investing in our people, and value candidates who can bring their own diversified experiences to our teams, even if you aren't a 100% skill or experience match.
Why CoreWeave?
At CoreWeave, we work hard, have fun, and move fast! We're in an exciting stage of hyper-growth that you will not want to miss out on. We're not afraid of a little chaos, and we're constantly learning. Our team cares deeply about how we build our product and how we work together, which is represented through our core values:
• Be Curious at Your Core
• Act Like an Owner
• Empower Employees
• Deliver Best-in-Class Client Experiences
• Achieve More Together
We support and encourage an entrepreneurial outlook and independent thinking. We foster an environment that encourages collaboration and enables the development of innovative solutions to complex problems. As we get set for takeoff, the organization's growth opportunities are constantly expanding. You will be surrounded by some of the best talent in the industry, who will want to learn from you, too. Come join us!
The base salary range for this role is $143,000 to $210,000. The starting salary will be determined based on job-related knowledge, skills, experience, and market location. We strive for both market alignment and internal equity when determining compensation. In addition to base salary, our total rewards package includes a discretionary bonus, equity awards, and a comprehensive benefits program (all based on eligibility).
What We Offer
The range we've posted represents the typical compensation range for this role. To determine actual compensation, we review the market rate for each candidate, which can include a variety of factors. These include qualifications, experience, interview performance, and location.
In addition to a competitive salary, we offer a variety of benefits to support your needs, including:
• Medical, dental, and vision insurance - 100% paid for by CoreWeave
• Company-paid Life Insurance
• Voluntary supplemental life insurance
• Short and long-term disability insurance
• Flexible Spending Account
• Health Savings Account
• Tuition Reimbursement
• Ability to Participate in Employee Stock Purchase Program (ESPP)
• Mental Wellness Benefits through Spring Health
• Family-Forming support provided by Carrot
• Paid Parental Leave
• Flexible, full-service childcare support with Kinside
• 401(k) with a generous employer match
• Flexible PTO
• Catered lunch each day in our office and data center locations
• A casual work environment
• A work culture focused on innovative disruption
Our Workplace
While we prioritize a hybrid work environment, remote work may be considered for candidates located more than 30 miles from an office, based on role requirements for specialized skill sets. New hires will be invited to attend onboarding at one of our hubs within their first month. Teams also gather quarterly to support collaboration.
California Consumer Privacy Act - California applicants only
CoreWeave is an equal opportunity employer, committed to fostering an inclusive and supportive workplace. All qualified applicants and candidates will receive consideration for employment without regard to race, color, religion, sex, disability, age, sexual orientation, gender identity, national origin, veteran status, or genetic information.
As part of this commitment and consistent with the Americans with Disabilities Act (ADA), CoreWeave will ensure that qualified applicants and candidates with disabilities are provided reasonable accommodations for the hiring process, unless such accommodation would cause an undue hardship. If reasonable accommodation is needed, please contact: [Upgrade to PRO to see contact].
Export Control Compliance
This position requires access to export controlled information. To conform to U.S. Government export regulations applicable to that information, applicant must either be (A) a U.S. person, defined as a (i) U.S. citizen or national, (ii) U.S. lawful permanent resident (green card holder), (iii) refugee under 8 U.S.C. § 1157, or (iv) asylee under 8 U.S.C. § 1158, (B) eligible to access the export controlled information without a required export authorization, or (C) eligible and reasonably likely to obtain the required export authorization from the applicable U.S. government agency. CoreWeave may, for legitimate business reasons, decline to pursue any export licensing process.