Security Risk Assessment Manager
- Location HOBOKEN, NJ
- Department Technology
- Team Security
- Requisition GH840648
What you'll do at
Jet’s mission is to become the smartest way to shop and save on pretty much anything. Combining a revolutionary pricing engine, a world-class technology and fulfillment platform, and incredible customer service, we’ve set out to create a new kind of e-commerce. At Jet, we’re passionate about empowering people to live and work brilliant.
About Jet’s Internal Engine
We’re building a new kind of company, and we’re building it from the inside out, which means that investing in hiring, developing, and retaining the brightest minds in the world is a top priority. Everything we do is grounded in three simple values: trust, transparency, and fairness. From our business model to our culture, we live our values to the extreme, whether we’re dealing with employees, retail partners, or consumers. We believe that happiness is the highest level of success and we want every person that crosses paths with Jet to achieve it. If you’re an ambitious, smart, natural collaborator who likes taking risks, influencing, and innovating in a challenging hyper-growth environment, we’d love to talk to you about joining our team.
About the Job
At Jet you will help to improve and manage our security risk assessment processes, procedures, and tools. As a Security Risk Assessment Manager, you will be responsible for performing risk assessments as well as maturing our security risk assessment program and ensuring the quality of reviews performed by risk analysts and other members of the team. You will also play a key role in managing relationships between the security team and legal, business teams, and third parties with which Jet shares data or connects. You will help to promote our security review processes and ensure timely and proper engagement for projects, contracts, and new business processes. The successful candidate will have exceptional project management skills and will be able to ensure that reviews assigned to other individuals are progressing in line with business needs and expectations.
Jet's security risk assessment process includes performance of security design reviews, security and risk assessments, and internal consulting for internal applications and projects, third party services, new technologies, and data sharing arrangements with Jet's partners. In a nutshell, you will be looking at how we connect and configure systems as well as how we handle and protect data to ensure customer and proprietary data is safe from inappropriate usage or exposure. You will combine your understanding of practical security controls and technology to help the business succeed while ensuring we protect our operations and customers. Your contributions will be highly valued by our company leadership and you will be given the autonomy to get the job done.
If you are someone who wants to be at the center of all the action and is excited for the opportunity to mature our risk assessment program and tools, then this is the job for you!
Specific responsibilities may include:
- Oversee the timely assignment and completion of reviews for new projects and contracts
- Oversee the planning process for re-reviews and outstanding issue management
- Gain a holistic understanding of existing systems and new projects to understand risk beyond individual reviews
- Serve as primary and initial point of contact for security reviews; triage and establish key risk criteria and focus areas for reviews assigned
- Perform continual iteration and maturation of our tools, questionnaires, and processes
- Perform security risk assessments on new business tools, business processes, software, data transfers, and vendors
- Research and address security gaps identified through security investigations and audits
- Work alongside both business and engineering teams to perform design risk assessments and threat modeling
- Evaluate if technical and data risks adhere to the needs of the business case
- Map end-to-end data flows between systems to include data involved, protocols, security controls
- Document existing or suggest appropriate controls in processes and systems
- Develop risk mitigation strategies, remediation plans, and compensating controls
- Ensure process, applications, and data transfers adhere to Jet policies and standards
- May assist with security governance or compliance activities
- 5+ years of experience in information security, with 3+ years performing security risk assessments
- Excellent personal time management and project management of other team members
- Experienced and comfortable communicating with business owners and business leaders in order to clearly communicate risks and gain buy-in
- Experience performing various types of security reviews - third party reviews, IT general control, change development, data transfer, business processes
- Understanding of the system development and data management lifecycles
- Strong ability to talk to technical and non-technical users in appropriate language and the ability to craft your communications to various levels of the organization
- Ability to quickly understand new systems and business cases by reading documentation, performing walkthroughs, etc.
- Strong internal networking skills so that you can understand the various lines of business and identify the best teams to which to direct questions
- 5+ years performing security risk assessments, 3+ years implementing or maturing a security risk assessment process
- Experience writing or participating in the legal contracting process relevant to security and compliance terms
- Experience writing and/or evaluating independent reporting such as SOC1/SSAE16, SOC2, SOC3, ISO2700X, AUP
- Familiarity with risk assessment methodologies such as OCTAVE, OCTAVE Allegro, FAIR, NIST SP800-53
- Familiarity with risk/governance frameworks such as ITIL, COSO, COBIT, BITS/Shared Assessments, Cloud Security Alliance Cloud Controls Matrix
- Familiarity with data security regulations and laws such as PCI, HIPAA, CAN-SPAM, state data breach reporting
- Previous experience in hands-on security roles such as penetration testing, infrastructure security, etc. or as a developer or systems administrator
- Certifications such as CISA, CISM, CRISC, CIA, CISSP
- Project management experience, a PMP is a plus
- Contributions to the security community (Research, CVEs, Bug Bounty, Open Source, Blogs…)