
Senior Security Engineer, GRC

Docker, Inc.

United States

Remote

USD 100,000 - 125,000

Full time

30+ days ago


Job summary

An established industry player is seeking a Senior Security GRC Engineer to lead the development of governance, risk, and compliance strategies. This role is pivotal in ensuring the effectiveness of security controls across multiple software products and infrastructure technologies. You will collaborate with internal and external stakeholders, optimize compliance monitoring systems, and perform critical security reviews. Join a dynamic team that embraces diversity and fosters innovation in a remote-first environment. If you're passionate about cybersecurity and ready to make a significant impact, this opportunity is for you!

Qualifications

  • 6-8 years of experience in IT, Security Engineering, and GRC.
  • Strong knowledge of cybersecurity frameworks like ISO 27001.
  • Excellent communication skills for documenting and reporting.

Responsibilities

  • Lead the development and maintenance of GRC strategies.
  • Optimize compliance monitoring and alerting systems.
  • Perform security compliance reviews for new products.

Skills

Information Technology
Security Engineering
Governance, Risk, and Compliance
APIs and Webhooks
Scripting Language
Cloud Architecture
Information Security Risk Management
Project Management
Communication Skills

Education

Bachelor's Degree in Information Technology or related field
Relevant industry certifications (CISSP, CISA, CRISC)

Tools

SIEM
Vulnerability Management Tools
Data Loss Prevention Tools
Endpoint Protection Tools
Jira

Job description

Docker is a remote-first company with employees across Europe, APAC, and the Americas that simplifies the lives of developers who are making world-changing apps. We raised our Series C funding in March 2022 for $105M at a $2.1B valuation. We continued to see exponential revenue growth last year. Join us for a whale of a ride!

Docker is looking for a Senior Security GRC Engineer who will lead the development, implementation, and maintenance of comprehensive GRC strategies. This is a security engineer who works within security engineering and will automate control evidence gathering and continuous testing. This role will mature the governance program by working alongside security engineering, providing compliance and technical security control implementations across multiple software products, supporting infrastructure technologies, and business processes in alignment.

Responsibilities:

  • Lead the development, implementation, and maintenance of comprehensive GRC strategies.
  • Build automated evidence gathering and continuous control testing through integrations maturing our governance program.
  • Establish partnerships with internal/external auditors, regulators, and business stakeholders to develop security requirements and controls.
  • Optimize security compliance monitoring and alerting systems; aggregate compliance alerts and advise on system policy violations.
  • Perform critical data security reviews over newly released products and features.
  • Ensure controls are operating effectively via assessment and attestation.
  • Own the vulnerability management program to identify and provide guidance for improvements.
  • Security Metrics - Uses automated and manual processes to produce relevant KPIs about the Information security program.
  • Policies and Procedures - Maintains corporate Information Security policies and departmental procedures and maps them to relevant control standards.
  • Recertification - Operates periodic processes to ensure hire, transfer, and termination protocols are complied with and regular access reviews are conducted.
  • Security Awareness - Builds and maintains company awareness and education progress.
  • Risk Assessment - Builds and operates the company platform to document, measure, and report assessments, risks, controls findings, and remediation activity.
  • Draft policies and best practices that will be consumed by the entire organization.
  • Maintain knowledge of certifications and controls such as SOC 2, ISO 27001, ISO 27018, and 27701.
  • Evaluate vendors against compliance and security standards.

Qualifications:

  • Have 6 to 8 years of experience in Information Technology, Security Engineering, Governance, Risk, and Compliance.
  • Will have familiarity setting up APIs and Webhooks, at least one scripting language, and at least one public cloud architecture and control tool.
  • Experience conducting security compliance reviews and audits for SaaS products and hosted environments including AWS and Azure.
  • Have strong knowledge of information security risk management and information security technologies (e.g., SIEM, vulnerability management, data loss prevention, and/or endpoint protection).
  • Thrive in fast-paced environments and can adapt quickly in the face of constantly evolving cybersecurity challenges.
  • Strong project management skills with the ability to lead and execute security assessment projects, vendor evaluations, and initiatives on time with multiple stakeholders.
  • Enjoy fostering collaboration and cross-functional partnerships to help spread awareness and build and implement cybersecurity controls.
  • Have in-depth knowledge and experience of cybersecurity frameworks including ISO 27001, 27701, and 27018.
  • Experience with the entire controls monitoring lifecycle, including identifying, assessing, monitoring, and remediating controls.
  • Excellent verbal and written communication skills with the ability to document, communicate, and report security assessments.
  • Serve as the subject matter expert and provide technical leadership and feedback for compliance/GRC projects.
  • Appropriately handle and manage confidential information including proprietary and trade secret information.
  • Stay up-to-date with changes in regulations, standards, and emerging regulatory requirements and ensure compliance.
  • Nice to Have: Relevant industry certifications such as CISSP, CISA, CRISC.

What to expect in the first 30 days:

  • Advise on control design and build key partnerships with control owners.
  • Document walkthroughs for all controls deemed ready in the current testing sprint.
  • Perform testing of all controls deemed ready in the current testing sprint.
  • Manage updates to the SOC 2 Jira Board to ensure accurate status is displayed.
  • Coordinate feedback and address comments for draft policies.
  • Complete vendor due diligence for new vendors onboarded.

What to expect in the first 90 days:

  • Provide feedback for the compliance roadmap.
  • Document walkthroughs for all controls deemed ready in the current testing sprint.
  • Perform testing of all controls deemed ready in the current testing sprint.
  • Manage updates to the SOC 2 Jira Board to ensure accurate status is displayed.
  • Create documented processes and procedures for the Compliance team.
  • Help with the implementation of vendor solutions and automation frameworks.

What to expect in the first year:

  • Complete walkthroughs for all SOC 2 controls.
  • Set up audit software to prepare for future audits.

Docker embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. The more inclusive we are, the better our company will be.

Due to the remote nature of this role, we are unable to provide visa sponsorship.
