GitHub is seeking a highly experienced information security professional to help build out the GRC Risk Management function within a young and rapidly growing organization.
This is an independent contributor role.
Are you prone to fits of root cause analysis? Do you find yourself always searching for areas of weakness and naturally figuring out ways to break things? Do you create flowcharts to help your friends and family understand exactly how Thanksgiving dinner should come together and who's bringing what sidedish? Can you spot over-engineered solutions from a mile away? Do you suffer from compulsive list making? Maybe have a strong forest-from-trees project management perspective, and masterful "Way With the Project Plan".
Have you already answered the question "Why are we here?" with the GRC Truth, "Because Customers."
The Security-GRC team applies the GitHub standard to it’s work - transparency, iteration, collaboration - we share our work early and often.
These cultural functions are critical to GitHub’s success and our ability to work together and iterate on ideas to ultimately ship them successfully.
And we like to have some fun along the way.
As part of the GRC team reporting to the Security-GRC Risk Manager, this is an excellent opportunity for a strong independent contributor to have a hand in elevating risk management and security as business and sales enabler as well as integrate a deeper understanding of risk management into the product and business space.
Primary job duties include:
Execution day to day of the Information Security Risk Assessment process, covering internal and 3rd party risk.
Develop and deliver risk reporting and monitoring processes and management of risk tools.
Contribute to the establishment of the data governance processes as well as other new services out of the GRC team.
Support development of processes, controls and continuous compliance testing, remediation and risk mitigation solutions to support internal processes and external audit requirements, and collaborate cross functionally to establishing high levels of automated testing and evidence collection.
Our ideal candidate takes an extremely pragmatic approach to risk management, functions as part of a growing team, and is able to balance the needs of a very dynamic engineering culture with that of protecting the company and customer data.
This job is remote, U.S.
based and open nation wide, however, semi-frequent travel (<15%) to our San Francisco, CA headquarters, Portland , OR, or Seattle WA, will be necessary for a remote worker.
6+ years prior work experience in information security risk, audit and/or compliance efforts, with a focus in a technical capacity.
Prior technical program management and/or project management experience, preferably in a service-oriented organization.
Experience standing up and administering applications and tooling.
Ability to develop and use metrics to assess and report program performance.
Experience with leading or being a subject matter expert in the review of systems and solutions as part of a internal risk assessment, procurement process, or other program.
Exposure to PCI, FISMA/FedRAMP, Cloud Security Alliance and the STAR program including the CCM and CAIQ; and other industry and regulatory frameworks.
CRISC, CIA, CISA, CISSP, or other relevant independent certification, or equivalent education.
The ability to partner with and effectively communicate with technical and non-technical employees, security, engineering and management staff.
Strong asynchronous communication skills - does not need face to face communications on a daily basis to perform job duties and is comfortable communicating over media like chat, GitHub, and other online productivity tools like Google Docs with email as a secondary method as needed.
Must be legally authorized to work in the United States.
Confident in ability to say "I don't know, but I will find out!"
Comfortable with the belief of “Code speaks louder than words” and an iterative, transparent work environment.
Excels at creating proof of concepts, mock ups, and sharing work in draft stages.
Extremely team oriented with a desire to dig into problems, answer questions, and assist colleagues both within the GRC team and across the company.
High comfort level working under ambiguous situations, with natural drive to bring clarity using communication and independent research of existing documentation and resources.
Compulsive about documentation and organizing content into easily digestible formats for the consumption of others.
Ability to function as a strong business to technology translator and help bridge the business view of compliance and risk management to technical engineering and operations staff and vice versa.
Capacity to run meetings, take notes, and track concurrent activities across multi-discipline teams
Above all, you'll be getting your hands deep into the work and working with product, engineering, and security teams to identify new ways to solve problems and provide services inside our company.
Strong information security background in either software development or systems operations.
Have successfully contributed to regulatory audits through the entire lifecycle from initial gap-assessment to receiving a favorable report, and the ability to demonstrate effective auditor or regulatory assessors.
Experience supporting on-going compliance monitoring year over year, and including but not limited to working with independent auditors during validation and compliance testing phases.
Ability to write basic scripts to automate audit evidence collection.
Exposure to software version control systems/Git and GitHub.
GitHub is committed to building a diverse workforce and strongly encourages applications from people of color and other groups currently underrepresented in tech.
We are looking for candidates who:
Display a strong commitment to building an inclusive tech environment
Have demonstrated resilience and resourcefulness both in and outside of the workplace
Can bring a new perspective based on unique educational, professional, and lived experiences
Can effectively communicate with people from disparate backgrounds
Have experience mentoring/coaching/teaching, particularly in environments with diverse students/participants
WHO WE ARE
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers.
Over ten million people use GitHub to build amazing things together.
With the collaborative features of GitHub.com, our desktop and mobile apps, and GitHub Enterprise, it has never been easier for individuals and teams to write better code, faster.
We have a lot of exciting things to do, and we’re looking for the right people to grow with us!
WHY YOU SHOULD JOIN
Working at GitHub is, to put it simply, a special slice of the universe.
We're committed to transparency, collaboration, experimentation, and always staying classy.
Because of this unique perspective, we've established one of the most flexible and well designed physical workspaces around that encourages you to work as you work best.
Right now, over 60% of our employees are based outside of our San Francisco (SOMA) headquarters and work according to how they get their best stuff done.
Ensuring that GitHubbers are healthy, motivated, focused and creative is how GitHub stays awesome.
Part of this is ensuring that our benefits
* are out of this world.
In a nutshell, we've built and are growing a place where we truly love working, and we think you will too.
GitHub is made up of people with many different backgrounds and lifestyles, and we like it that way.
We invite applications from people of all stripes.
We don't discriminate against employees or applicants based on gender identity or expression, sexual orientation, race, religion, age, national origin, citizenship, disability, pregnancy status, veteran status, or any other differences that people imagine to discriminate against one another.
Also, if you have a disability, please let us know if there's anything we can do to make the interview process better for you; we're happy to accommodate.
Please note that benefits vary by country, if you have any questions don't hesitate to ask your recruiter