We started MedMen with a simple vision; cannabis as a consumer product. It is a simple idea with profound consequences for how marijuana is cultivated, produced and marketed. Quality standards matter, best practices matter, brand reputation matters. Today, MedMen is the most dominant cannabis enterprise in the emerging legal marijuana industry.
MedMen's Information Security team is seeking an experienced Security Engineer with a background in application and database security, penetration testing, and network security. The ideal candidate will serve as a subject matter expert across all security domains in a hands-on capacity, as well as to provide security consulting guidance to technical and non-technical teams. The Security Engineer will play a critical role in helping secure MedMen data, protect web and mobile applications before and after deployment, perform penetration testing, manage vulnerability remediation, investigate security incidents, provide security architecture guidance, optimize security hardware and software, research new threats and defenses, gather and analyze security metrics, and assist with the development of written security protocols in accordance with industry best practices and compliance requirements.
* Independently researches, plans, and leads security engineering projects across all security domains, including application and database security, network security, access controls, firewalls, encryption, and intrusion detection.
* Performs risk assessments, vulnerability tests, penetration tests, and gap analyses against MedMen web and mobile applications, retails store systems databases, servers, wired and wireless networks, and third party systems, and gives expert recommendations on best controls to harden systems.
* Serves as Subject Matter Expert (SME) on application and database security. Performs penetration testing at the code and protocol levels of web and mobile apps, and teaches developers and database administrators how to secure systems against attack.
* Manages testing and hardening of cloud systems, including Amazon Web Services (AWS) and Azure. Follows cloud best practices to apply cloud security controls as needed, such as access controls, network segmentation, network and application firewalls, encryption, and monitoring tools.
* Manages MedMen vulnerabilities, including risk ranking using common threat risk models, and remediation efforts.
* Helps test, deploy, harden, manage, monitor, and inventory core Information Security technologies, including monitoring systems, intrusion detection and anti-virus systems, patching & updating systems, access control systems (Active Directory), firewalls (Palo Alto), anti-spam systems, data retention and loss prevention systems, key management systems, encryption appliances, and cloud security controls.
* Investigates malware, breach, and fraud incidents, while correlating, analyzing, and preserving evidence using forensics tools and best practices.
* Analyzes and reports on security metrics and trends from security hardware and software, testing efforts, and vulnerability rankings.
* Actively expands security awareness of security best practices and MedMen security protocols across the company.
* Contributes to MedMen's written security standards and protocols.
* Mentors security analysts, junior security engineers, developers, infrastructure engineers, and project managers.
* Remains aware of latest Information Security trends, threats, and technologies.
* At least 5 years of experience in security engineering, penetration testing, or an equivalent technical discipline
* Bachelor's degree in Computer Science or related field, or applicable experience
* One or more advanced Information Security certifications, such as CISSP, CCSP, CCNA, CEH, GPEN, CMWAPT, OSCP, or equivalent
* In-depth knowledge of common security best practice frameworks, such as NIST or ISO
* Knowledge of how to review and enforce PCI, SOX, or similar regulatory controls
* Knowledge of common network protocols, including TCP, HTTP, and DNS
* Knowledge of common web, application, and network attacks, plus defenses recommended by best practice bodies such as OWASP
* Hands-on web, mobile, API, and wired/wireless network penetration skills using common commercial and/or open source tools, as well as manual methods; ability to create own custom tools using Python, Perl, Powershell, or other languages a plus
* Ability to score and rank vulnerabilities using common risk models
* Understanding of Secure SDLC best practices
* Excellent verbal and written communication tailored to appropriate audiences
* Experience with the following technologies:
* Penetration testing tools targeting web, mobile, API, and network targets (e.g., nmap, Wireshark, Zap, Zed, Nexpose, Burp, w3af, etc.)
* Windows Active Directory hardening
* Windows and/or Linux OS hardening
* Security settings in Amazon Web Services (AWS) and/or Azure
* Database security (SQL knowledge a plus)
* Firewalls (Palo Alto a plus)
* Intrusion Detection/Prevention Systems (IDS/IPS)
* Networking (e.g., TCP/IP, switches, routers)
* Encryption (e.g., SSL/TLS, X.509 certs, PKI, symmetric)
* Endpoint & anti-malware (e.g., Cylance, Carbon Black, BitDefender)
* Skills with manual penetration testing methods (e.g., raw protocol manipulation)
* Skills developing code in compiled or scripting languages (e.g., .Net, Python, PHP, shell)
* Knowledge of SIEM tools (e.g., syslog, Splunk, QRadar)
* Experience using forensic tools for gathering, analyzing, and preserving evidence
* Knowledge ofData Loss Prevention (DLP) methods and tools
* Knowledge of anti-spam tools or anti-fraud measures, especially related to retail Points of Sale
This position has no supervisory responsibilities.
This job operates in a professional corporate setting. This role routinely uses standard office equipment such as computers, phones, photocopiers, filing cabinets and fax machines.
While performing the duties of this job, the employee is occasionally required to stand; walk; sit; use hands to finger, handle, or feel objects, tools or controls; reach with hands and arms; climb stairs; talk or hear. The employee must occasionally lift or move office products and supplies, up to 20 pounds.)
(Note: The Company complies with the Americans with Disabilities Act (ADA), as amended by the ADA Amendments Act (ADAAA), and all applicable state and local fair employment practices laws, and is committed to providing equal employment opportunities to qualified individuals with disabilities. Consistent with this commitment, the Company will provide a reasonable accommodation to disabled applicants and employees if the reasonable accommodation would allow the individual to perform the essential functions of the job, unless doing so would create an undue hardship.)
May require occasional travel, up to 10%.
Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities and activities may change at any time with or without notice.
Work Authorization/Security Clearance
There is no visa or H1-B sponsorship.
MedMen Is An Equal Opportunity Employer
Individuals seeking employment at MedMen are considered without regards to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity or expression, sexual orientation, or any other basis protected under federal, state or local laws.
MedMen is engaged in cannabis cultivation, manufacturing, and retail.