Security & Risk Engineer || Remote, US-based

About Buoy Software

Our mission is to deliver the best experience possible to as many donors of blood products (such as plasma) as possible, in as many communities as possible. We use our understanding of blood product donation and the industry’s regulations and pair them with our extensive consumer product experience to enrich the lives of our members and improve health outcomes for patients everywhere. 

In an industry that hasn’t seen innovation in more than two decades, Buoy’s software streamlines the donation process allowing our business to promote loyalty while improving efficiency in a donation center. In turn, the increase in blood product donations improves a supply level that is at an all time low, and allows for blood-product derived biotherapies to continue to evolve, improve, and save lives for those who face life-threatening conditions (i.e. immune deficiencies and blood disorders). Without an increase in blood product donations, we are facing a worldwide health crisis that ultimately results in rationing of care without the proper resources. Buoy Software is excited to be playing more of a role in improving the state of blood products and blood product donations.

We’re working alongside Join Parachute ([www.joinparachute.com/](http://www.joinparachute.com/)) in the opening of small market donation centers across the country that will create local donation center careers, opportunities to donate blood products, and provide financial compensation for those donations that will have a positive economic impact in those communities. 

The need for blood products is growing rapidly. We want to close the gap in blood product supply and demand by empowering organizations with the right tools. Buoy is the intuitive, data-driven mobile application for donors.

About The Role

We're looking for a Security and Risk Engineer to join our team. You should be someone who is comfortable and experienced in risk management and code review. This role will work closely with specific product engineering pods, owning all security controls and documentation for assigned pods. You should have an eye for continuous improvement, risk and vulnerability management, and security compliance.

• Oversee vulnerability and security risk management including, but not limited to, vulnerability and risk identification/assessment, crafting mitigation proposals, tracking mitigation status, and testing and validating mitigation methods
• Oversee security compliance activities including, but not limited to, hazard analyses, threat modeling, root cause analysis, and creating, updating, and maintaining policies and other relevant documentation
• Manage continuous monitoring and auditing processes to detect and respond to security incidents
• Perform code assessments to determine any impacts for Buoy’s applications
• Responsible for defining, implementing, evaluating, and maintaining the effectiveness of security and risk controls
• Identify current and emerging issues including security trends, vulnerabilities, and threats
• Collaborate with team members and stakeholders on projects and audits
• Design security controls that increase operational efficiency and reduces the likelihood of control failure
• Perform third party security assessments
• Educate and train staff on security best practices

• You have experience with threat modeling analysis such as STRIDE and Attack Tree methodologies.
• You have experience with software as a service.
• You are a self starter. You enjoy working in an environment where you have a lot of autonomy. You are not one to wait around to be given work, but are always looking for ways in which you can provide support for your colleagues.
• You can adapt to change quickly and thrive in an environment where every day is different / you own a variety of tasks.
• You are a team player. Everyone contributes within the Buoy team, and you want to help the team get the job done when needed, regardless of initial ownership.
• You are professional in your collaboration and communication methods. You can represent Buoy and our values both internally and externally (with vendors / partners) as needed.

• Be introduced to the team - we’ll help you start to get to know your colleagues, point of contacts for various scenarios, understanding dynamics within the broader org.
• Learn how Buoy Software operates internally - we’ll help you get accustomed to Buoy’s process, engineering terminology, and other cultural aspects of working here.
• Go through product demos to start to understand Buoy Software and how it works for both donors experience and donor processing.
• Begin meeting with and getting to know your direct manager who will share various projects and goals for this role to provide guidance as you settle into the position.
• Review existing security documentation and determine gaps or improvements.
• Hit the ground running!

• Understand goals for your respective pods over the next 6 - 12 months.
• Begin implementing solutions for gaps identified and performing all duties related to continuous management of security for your pods.
• Become more familiar with workflows and processes.
• Become more autonomous as you work with your pods and other stakeholders.
• Start to define timelines for various projects with your manager to help prioritize your focus and align them with the goals for this role.
• Begin to suggest changes and improvements to the security program and/or internal processes.

• Meet with stakeholders across the broader Buoy Software organization.
• Become more familiar with the other departments across Buoy Software (including leadership, support, customer success, marketing, and people ops).

Where you'll be

We are fully remote. We deeply believe in distributed teams at Buoy. We build projects around motivated individuals. We give our team the environment, support and trust they need to get the job done.

We are only considering candidates currently based in the United States at this time.

---

Employment at Buoy Software is contingent upon achievement of satisfactory results on your background check and reference check and your ability to provide proof of your identity and eligibility to accept employment in the United States.