At Segment, we believe companies should be able to send their data wherever they want, whenever they want, with no fuss. Unfortunately, most product managers, analysts, and marketers spend too much time searching for the data they need, while engineers are stuck integrating the tools they want to use. Segment standardizes and streamlines data infrastructure with a single platform that collects, unifies, and sends data to hundreds of business tools with the flip of a switch. That way, our customers can focus on building amazing products and personalized messages for their customers, letting us take care of the complexities of processing their customer data reliably at scale. We're in the running to power the entire customer data ecosystem, and we need the best people to take the market.
The Security team at Segment is building a comprehensive security program in order to protect our customers' data. We work with different organizations across the company to ensure our security practices and controls are constantly improving. In order to keep up with our internal customers' needs, we need our third-party security controls to provide clear insight into the risk introduced into our environment, and we need these controls to be lightweight and efficient. We also need to provide fast and accurate responses to security questionnaires from our customers, and we want to enable our business by completing third-party assessments in a timely manner. These are top-tier business problems that you as a GRC Solutions Lead at Segment could dig into right away. Security is the most important thing happening in engineering, and will always have strong support and high internal visibility from company leadership.
Who we are:
We're a small team with a passion for startup security, which means we are always thinking of newer and better ways to tackle hard security and risk problems. We take on ambitious projects that have a big impact on our customers and the security of our company. We talk about our methods, trials and accomplishments in public blogs, at conferences, and in presentations. If you want to be this kind of security person and work with a team that's like you; if you want to create innovative security solutions for classic security problems, we'd love to hear about your approach and introduce you to our team.
A little more about our Security and GRC team:
* We showcased the importance of making security tooling more usable by demoing our OWASP ZAP contributions at Appsec USA
* We discussed our overall approach to our security engineering program at LASCON
* Our CISO's approach to Building a Security Team and Program
* We deleted every employee's AWS keys!
* We help organize the OWASP SF chapter and the AppSec California, B-Sides SF, and Day of Shecurity conferences
What we do:
* We are the Privacy and GRC team within the overall Security Organization, and we deliver compliance, privacy and risk projects that have a positive business impact at Segment.
* We help assess and manage internal and third-party risk to the company and to our customers.
* We set ambitious goals for ourselves, and we hold ourselves and each other to high standards.
Who we are looking for:
We are seeking an individual who is enthusiastic to learn, contribute, and influence all facets of the security governance, risk, and compliance program. Qualified candidates will successfully demonstrate the following experience and attributes:
* You've worked extensively with compliance frameworks and developed a scalable and repeatable approach to perform multiple audits across various frameworks efficiently.
* You've successfully led or supported ISO 27001, GDPR, SOC 2 Type II, and HIPAA audits.
* You've performed internal and third-party risk assessments and can clearly articulate impact to stakeholders.
* You're comfortable developing and enhancing processes related to third-party risk that allow for efficient and value-added evaluation of business partners.
* You've successfully built effective program monitoring by reporting key risk and compliance metrics (ideally within a GRC system).
* You've worked with internal and external teams to coordinate, execute, and deliver on complex customer requests or vendor assessments.
* You've figured out how to spend less time doing this work each year, and you're already thinking about automation.
* You're a capable subject-matter expert in security and you understand how to put together controls to meet a security requirement.
* You have a high-level understanding of how cloud infrastructure works.
* You have strong organizational and prioritization skills and can get challenging projects across the finish line.
Projects We're Currently Working On:
* We are implementing multiple GRC processes to help manage and scale all aspects of a maturing GRC program.
* We are constantly evaluating and raising the security and privacy bar to exceed customer expectations.
Qualifications:
* 4+ years of experience working in technology governance and risk management, including third-party risk, regulatory requirements, and program frameworks.
* Familiar with risk frameworks such as NIST SP 800-37, ISO 27005, or FAIR, and able to think about risk in both quantitative and qualitative models.
* Familiar with building and maintaining a common control framework in alignment with multiple compliance frameworks, including SSAE 18, ISO 27001, FedRAMP, and HIPAA.
* Successfully built a GRC program, complete with a roadmap that illustrates where you want to take your program, and you're excited to do it again for a startup.
* Top notch communication skills and comfortable sharing our contributions to the rest of the company.
* (Bonus) You have a degree in Computer Science or a related field.
Segment is an equal opportunity employer. We believe that everyone should receive equal consideration and treatment. Recruitment, hiring, placements, transfers, and promotions will happen based on qualifications for the positions being filled regardless of sex, gender identity, race, religious creed, color, national origin, ancestry, age, physical disability, pregnancy, mental disability, or medical condition.