Senior Security Engineer, GRC

Docker is a remote first company with employees across Europe, APAC and the Americas that simplifies the lives of developers who are making world-changing apps.  We raised our Series C funding in March 2022 for $105M at a $2.1B valuation. We continued to see exponential revenue growth last year.  Join us for a whale of a ride!

Docker is looking for a Senior Security GRC Engineer who will lead the development, implementation and maintenance of comprehensive GRC strategies.  A security engineer that works in security engineering and will automate control evidence gathering and continuous testing.  This role will mature the governance program by working alongside security engineering providing compliance and technical security control implementations across multiple software products, supporting infrastructure technologies, and business processes in alignment.  

Responsibilities:

• Lead the development, implementation and maintenance of comprehensive GRC strategies

• Build automated evidence gathering and continuous control testing through integrations maturing our governance program. 

• Establish partnerships with internal/external auditors, regulators, business stakeholders develop security requirements and controls.

• Optimize security compliance monitoring and alerting systems; aggregate compliance alerts and advise on system policy violations

• Perform critical data security reviews over newly released products and features. 

• Ensure controls are operating effectively via assessment and attestation

• Own the vulnerability management program to identify and provide guidance for improvements

• Security Metrics - Uses automated and manual processes to produce  relevant KPIs about the Information security program

• Policies and Procedures - Maintains corporate Information Security policies and departmental procedures and maps them to relevant control standards

• Recertification - Operates periodic processes to hire, transfer, and termination protocols are complied with and regular access reviews are conducted

• Security Awareness - Builds and maintains company awareness and education progress

• Risk Assessment - Builds and operates the company platform to document, measure, and report assessments, risks, controls findings, and remediation activity

• Draft policies and best practices that will be consumed by the entire organization

• Maintain knowledge of certifications and controls such as SOC 2, ISO 27001 / ISO 27018, and 27701

• Evaluate vendors against compliance and security standards

Qualifications:

• Have 6 to 8 years of experience in Information Technology, Security Engineering, Governance, Risk and Compliance

• Will have familiarity setting up APIs and Webhooks, at least one scripting language, and at least one public cloud architecture and control tool 

• Experience conducting security compliance reviews and audits for SaaS products and hosted environments including AWS and Azure.

• Have strong knowledge of information security risk management and information security technologies (e.g: SIEM, vulnerability management, data loss prevention and /or endpoint protection)

• Thrive in fast-paced environments and can adapt quickly in the face of constantly evolving cybersecurity challenges

• Strong project management skills with the ability to lead and execute security assessment projects, vendor evaluations and initiatives on time with multiple stakeholders

• Enjoy fostering collaboration and cross-functional partnerships to help spread awareness and 

• Build and implementation of cybersecurity controls

• Have experience in-depth knowledge and experience of cybersecurity frameworks including ISO 27001, 27701 and 27018

• Experience with the entire controls monitoring lifecycle, including identifying, assessing, monitoring, and remediating controls.

• Excellent verbal and written communication skills with the ability to document, communicate, and report security assessments 

• Serve as the subject matter expert and provide technical leadership and feedback for compliance / GRC projects

• Appropriately handling and managing confidential information including proprietary and trade secret information

• Stay up-to-date with changes in regulations, standards, and emerging regulatory requirements and ensure compliance   

• Nice to Have: Relevant industry certifications such as CISSP, CISA, CRISC

What to expect in the first 30 days

• Advise on control design and build key partnership with control owners

• Document walkthroughs for all controls deemed ready in the current testing sprint

• Perform testing of all controls deemed ready in the current testing sprint

• Manage updates to the SOC 2 Jira Board to ensure accurate status is displayed

• Coordinate feedback and address comments for draft policies

• Complete vendor due diligence for new vendors onboarded

What to expect in the first 90 days

• Provide feedback for the compliance roadmap

• Document walkthroughs for all for all controls deemed ready in the current testing sprint

• Perform testing of all controls deemed ready in the current testing sprint

• Manage updates to the SOC 2 Jira Board to ensure accurate status is displayed

• Create documented processes and procedures for Compliance team

• Help with implementation of vendor solutions and automation frameworks

What to expect in the first year

• Complete walkthroughs for all SOC 2 controls

• Set up audit software to prepare for future audits

We use Covey as part of our hiring and / or promotional process for jobs in NYC and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound on April 13, 2024.

Please see the independent bias audit report covering our use of Covey here.

Perks (for Full-Time Employees Only)

• Freedom & flexibility; fit your work around your life

• Home office setup; we want you comfortable while you work

• 16 weeks of paid Parental leave

• Technology stipend equivalent to $100 net/month

• PTO plan that encourages you to take time to do the things you enjoy

• Quarterly, company-wide hackathons

• Training stipend for conferences, courses and classes

• Equity; we are a growing start-up and want all employees to have a share in the success of the company

• Docker Swag

• Medical benefits, retirement and holidays vary by country

Docker embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. The more inclusive we are, the better our company will be.

Due to the remote nature of this role, we are unable to provide visa sponsorship.

#LI-REMOTE