Senior Security Analyst, Compliance

About OpenSesame

OpenSesame is the trusted partner for Workforce Reinvention in the age of AI. OpenSesame delivers integrated software, curated and customizable content, and expert services – embedded into existing learning, HR, and work systems – to help organizations expand their human+AI potential and thrive through change.

Learn more: www.opensesame.com/about

About the Role

As a Senior Security Analyst on our Compliance team, you will play a key role in strengthening OpenSesame’s security posture in a fast-moving, high-growth environment. We’re looking for someone who brings deep technical security expertise, a proactive mindset, and the ability to turn complex risks into practical, scalable solutions.

This role spans vulnerability management, penetration testing, bug bounty operations, cloud and application security, and audit readiness. You’ll partner across Engineering, DevOps, IT, and Compliance to improve security processes, support compliance efforts, and help ensure security is built into how we work, especially as we continue evolving our approach to AI security. We’re looking for proven examples from your career that show you can do this job; that you’ve owned penetration testing programs, built vulnerability management systems, implemented security automation, and helped organizations adopt modern technologies (including AI) securely and responsibly.

You’ll be a strong fit if you’re detail-oriented, collaborative, and excited to build programs that reduce risk, improve visibility, and support safe innovation across the business.

Performance Objectives

Establish Security Ownership & Technical Depth (0–6 Months)

• Develop a comprehensive view of OpenSesame’s external attack surface, vulnerabilities, and threat landscape — integrating signals from CrowdStrike, cloud environments (AWS, GCP), and application security tooling.
• Own external penetration testing engagements end-to-end — including vendor selection, scope design, execution oversight, remediation validation, and executive reporting.
• Build and operationalize a structured vulnerability management program — partnering with DevOps, Engineering, and IT to prioritize and remediate risk effectively.
• Stand up scalable evidence collection and control mapping workflows in Drata — improving audit readiness and reducing manual effort.
• Establish strong cross-functional relationships to embed security into engineering, infrastructure, and IT workflows from the outset.

Operationalize Continuous & AI-Aware Security (6–12 Months)

• Design and implement a continuous penetration testing program that complements annual third-party testing — leveraging automation, threat modeling, and targeted validation.
• Own and mature the bug bounty program — improving signal quality, triage processes, researcher engagement, and remediation workflows.
• Lead implementation of AI security practices across internal systems and product development:
  • Apply OWASP Top 10 for LLMs / AI systems to identify and mitigate emerging risks
  • Support adoption and operationalization of ISO 42001 controls
  • Define secure usage patterns for internal AI tools and third-party AI integrations
• Partner with Product Engineering to define and enforce secure AI and application baseline requirements — ensuring security is built into system design, not retrofitted.
• Develop automations and tooling (Python, APIs, Make) to continuously collect threat intelligence, validate security baselines, and detect drift across AWS, GCP, GitHub, and SaaS platforms.
• Improve Jira and Confluence workflows to create visibility, accountability, and measurable progress across security findings and remediation.
• Provide deep technical support during audits — translating real-world implementations into clear, defensible narratives aligned with ISO 27001, ISO 27701, and ISO 42001.

Drive Security Maturity & Compliance Integration (12+ Months)

• Serve as a senior technical partner to Compliance — supporting vendor reviews, customer security questionnaires, and control design with practical, implementation-level expertise.
• Continuously improve Drata automation and evidence pipelines — moving toward near real-time compliance visibility.
• Partner with Engineering and DevOps leadership to evolve secure development practices, CI/CD security controls, and cloud security baselines.
• Establish and refine AI security governance models — balancing innovation with risk management across internal and customer-facing use cases.
• Identify systemic risks, recurring vulnerability patterns, and process inefficiencies — driving durable, organization-wide improvements.
• Contribute to long-term security strategy — aligning threat management, AI adoption, compliance requirements, and engineering velocity.

What Success Looks Like

• Penetration testing (external and continuous) is predictable, effective, and drives measurable reductions in risk.
• Vulnerabilities are prioritized intelligently and remediated within defined SLAs, with clear ownership across teams.
• The bug bounty program consistently yields high-quality findings with efficient triage and response.
• AI systems and tools are deployed with clear security guardrails aligned to OWASP AI Top 10 and ISO 42001.
• Engineering teams proactively incorporate security — including AI security — into design and development workflows.
• Audit readiness becomes continuous rather than event-driven, with strong evidence pipelines in Drata.
• Security is viewed as a strategic enabler of safe innovation, not a bottleneck.

You might notice we don’t have the typical list of requirements and buzzwords here. That’s intentional.

We’re looking for proven examples from your career that show you can do this job — that you’ve owned penetration testing programs, built vulnerability management systems, implemented security automation, and helped organizations adopt modern technologies (including AI) securely and responsibly.

When you look back a year from now, you’ll know you’ve made OpenSesame more secure, more resilient, and better positioned to innovate with confidence.

Although it should go without saying (but it doesn’t), OpenSesame is an equal opportunity employer and we strive to create a welcoming, inclusive environment that celebrates diversity.

Location: This position can be based anywhere in the US. We operate as a remote-first company, and invest in mandatory all-company meetings several times a year in addition to required team travel as necessary.

Performance Driven: We're looking for self-starters with a track record of delivering excellent results, but we're highly selective about who we hire. We don't focus on typical job requirements, instead, we're interested in specific examples from your past experiences. All positions can be based anywhere in the US, and require up to 15 days of travel per year, with senior management and leadership teams requiring up to 35 days.

Compensation: The base salary for this position generally ranges between $130,000 and $160,000, depending on experience. At OpenSesame, we offer a comprehensive benefits package to employees upon hire, including professional development, ISOs, health insurance, 401(k) matching, and paid time off. 

Equal Employment Opportunity: OpenSesame is an Equal Employment Opportunity and Affirmative Action employer that values and welcomes diversity. We do not discriminate on the basis of various legally protected characteristics, including criminal history, and strive to provide reasonable accommodations to qualified individuals with disabilities. We prioritize safety and security and may use your information accordingly, and you can contact us for assistance or accommodations during the job application process. 

Pay Transparency: At OpenSesame, we prioritize pay transparency, fairness, and equity to create a positive and inclusive work environment, regularly reviewing our compensation practices to align with our values and goals. We provide competitive and fair compensation to our employees based on their skills, experience, and performance.

CPRA (California Candidates): When you submit your application, OpenSesame may collect and use your personal information in accordance with our privacy policy and the CPRA. This may include personal details and employment history, and will only be used for employment-related purposes. We may share this information with third-party service providers, but we will not sell it to third parties. If you have any questions or concerns, please contact us, and for more information on your rights under the CPRA, refer to our privacy policy or the California Attorney General's website.