Compliance Security Engineer

Cloud computing is revolutionizing IT and forcing organizations to rethink their approach to cloud security. Lacework is at the forefront of this transformation. We enable security teams to effectively secure public and private clouds – AWS, Azure, or collocations – by eliminating repetitive, manual, and labor-intensive security tasks. Using Lacework, security teams operate security at the same pace as DevOps, which relies on automated tools to publish daily updates to the cloud.

WHY LACEWORK NEEDS YOU

The InfoSec team is responsible for Security, Compliance, Risk, and Governance internally at Lacework. Our focus is to consistently maintain and improve security, earning our customer's trust by implementing and demonstrating best in class security practices. We work collaboratively across the whole company to accomplish this goal in an era of complex regulatory requirements within a truly global economy. We are a growing team and need an experienced InfoSec practitioner to help scale compliance programs. This is part engineering role and part GRC role that will partner with Engineering, IT, Product, and the GTM/Field teams.

The ideal candidate is an engineer who knows how to apply engineering principles to Security and Compliance problems and is business-minded. You are a leader and team player with a transformational mindset. You can adapt seamlessly into the organization, technically savvy, work cross-functionally, and enjoy diving deep into a system to understand and help secure it. You have experience with certifications such as SOC 2 and ISO27K, policy writing, control procedures, interacting with external auditors, and utilizing automation to efficiently provide continuous compliance capabilities.

Your Opportunity:

• Develop an in-depth understanding of the Lacework platform and the cloud technologies it's built on.
• Maintain and improve existing certifications and successfully obtain new ones. Develop roadmap initiatives based on global customer demands & Lacework's growth strategy.
• Prepare for and facilitate external audits associated with various security regulatory requirements.
• Develop and maintain common control framework mappings to efficiently expand the compliance and auditing capabilities.
• Establish and track key performance metrics as service level objectives (SLOs) of security related Field requests.
• Drive projects, technical initiatives, and architectural/service improvements.
• Work with Engineering teams to prioritize and track resolution of identified issues.
• Always look for automation opportunities with continuous compliance as a constant objective. Become an expert at using Lacework and effectively showcase it's use for our own compliance needs. Provide a feedback loop for product improvements.
• Drive regular project reviews with leadership.

Your Professional Profile:

• 5+ years of experience in Information Security in areas of compliance, audit, and risk; preferably at a startup.
• Polished professionalism developed through consulting or engaging directly with customers, auditors, and third-parties.
• Past experience in developing roadmap initiatives for certification efforts (e.g. GDPR, SOC 2, ISO 27001, PCI, HiTrust, FEDRAMP, etc.) and driving them through readiness and gap assessments, control implementation, and internal/third party audits.
• Working knowledge of how compliance operates with cloud-native technology stacks
• Proficiency with common IaaS services/components and architectures.
• Adept in documentation: create diagrams or necessary customer artifacts including policies, standards and procedures, and bring to light areas that need improvement.
• Experience with responding to security questionnaires; conducting research, leading calls, and communicating with internal/external stakeholders using explicit technical details and professionalism.
• Self-directed and motivated to foster creative problem solving as well as out of the box thinking.
• Experience working remotely across many time zones and cultures.
• Excellent written and verbal communication skills.
• Security certification a plus - such as CISSP, CRISC, CISM, etc.
• Bonus points: Software development background or proficiency in at least one of the following: Python, Go, or Java.
• Bonus points for broad exposure or experience in technologies such as containerization, real-time threat detection, secrets management, continuous deployment, and AWS/DevSecOps tools
• Bonus points for experience with contract review of security & compliance addendums.

Salary Range: $119k - $300k USD Annually + Benefits + Bonus + Equity
Actual compensation may vary based on factors such as geographic location, work experience, education/training and skill level.