Senior Engineer, Information Security Compliance

About SecurityScorecard

Funded by world-class investors including Silver Lake Waterman, Moody’s, Sequoia Capital, GV, Riverwood Capital, and others with over $290 million in funding, SecurityScorecard is the global leader in cybersecurity ratings and the only service with over 2M+ companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented rating technology is used by over 16,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, and cyber insurance underwriting. This is done by measuring your and your vendors' cyber-health by assigning a security rating of "A" through "F" based on outside-in, non-intrusive data. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees, and vendors. 

SecurityScorecard is headquartered in NYC with over 500 employees globally. Our culture has helped us be recognized by Inc Magazine as a "Best Workplace," "Best Places to Work in NYC" by Crain's NY, and one of the 10 hottest SaaS startups in NY for two years in a row.

About the team

You will be joining our Infosec team and reporting to the CISO. Our team includes specialists in security operations as well as security champions within other teams and departments as we evangelize the practice of nine workstreams making up the security program. Our focus is more on the process and people than tools (though we make excellent use of infosec tools) because security is not a state, but rather a process, and inculcating a culture of security is where real resilience lives. Security is in our products and also in our DNA. As part of the Infosec team, you will help execute a reliable and trusted roadmap through a combination of third-party services and home-grown solutions to protect our customers, our colleagues, and our intellectual property from harm.

We are looking for a Senior Engineer, Information Security Compliance with a background in the audit and compliance aspects of information security. The ideal candidate will have significant experience and passion for audit and compliance and ideally have worked in a start-up environment previously. The applicant should not just  have the familiarity with specific tools and security frameworks or technologies, but also an attitude of being curious, showing a desire to learn new things and an ability to execute on the goals and initiatives of the organization. The best way to ensure security is embedded in the software and systems development lifecycles is to implement features and functionality securely and not try to implement security as a feature or “bolt-on.”

What you will do

You will help implement our Infosec roadmap and product strategy with high quality, predictability and auditability. The ideal candidate will be comfortable with managing multiple compliance projects using both influence as well as individual contributor responsibilities for implementing controls and control frameworks within the organization.

• Create and improve infosec documentation and procedures
• Conduct compliance and audit activities with hands-on approach
• Support our business, sales, legal and non-functional requirements to safeguard data
• Consume the SOC2 reports of our core vendors and partners to maintain awareness of their security controls compliance and health
• Orchestrate an automated compliance artifact gathering for SOC2 Type2
• Perform adhoc audits and analysis of network, endpoint, database, cloud services and privileged identity management logs and events
• Keep abreast of industry trends, new threats and malicious actors across platforms
• Comfortable challenging assumptions while respecting historical constraints and decisions
• Skew towards action and ownership versus over-analysis and finger-pointing when mistakes are made
• Possess the ability to translate compliance requirements to actionable security controls

Basic Qualifications 

• 5+ years of compliance experience for a cloud-based SaaS platform
• Experience implementing US and international controls and techniques
• Expert knowledge of AWS/Google products and ability to audit them
• Deep knowledge of several of the following areas: 
• NIST-CSF, NIST 800-53, NIST SP 800-171, NIST SP 800-160
• CIS Critical Security Controls (v8 preferred)
• SOC2 Type2 assessments
• ISO 27001 certification
• FedRAMP certification 
• Ability to work independently as well as collaborate with others effectively

BenefitsWe offer a competitive salary, stock options, a comprehensive benefits package, including health and dental insurance, unlimited PTO, parental leave, tuition reimbursements, and much more!

SecurityScorecard is committed to Equal Employment Opportunity and embraces diversity. We believe that our team is strengthened through hiring and retaining employees with diverse backgrounds, skill sets, ideas, and perspectives. We make hiring decisions based upon merit and do not discriminate based on race, color, religion, national origin, sex or gender (including pregnancy) gender identity or expression (including transgender status), sexual orientation, age, marital, veteran, disability status or any other protected category in accordance with applicable law. 

We also consider qualified applicants regardless of criminal histories, in accordance with applicable law. We are committed to providing reasonable accommodations for qualified individuals with disabilities in our job application procedures. If you need assistance or an accommodation due to a disability, please contact [email protected].

Any information you submit to SecurityScorecard as part of your application will be processed in accordance with the Company’s privacy policy and applicable law. 

SecurityScorecard does not accept unsolicited resumes from employment agencies.