Security Incident Response Lead

Ottawa, Canada
Trust & Security
full-time
Shopify has grown quickly in almost every metric imaginable. As a SaaS provider, we understand that online reputation is a critical asset; developing a solid online reputation takes a lot of hard work and determination. A company’s reputation comes not only from the products its people create, but from the safeguards in place around its data and the way it responds if bad things happen. Our merchants put a lot of trust in Shopify and our systems, the systems that underlie their businesses and livelihoods. More than anything, our reputation is their reputation, and we take that responsibility very seriously.

We are looking for an Security Incident Response Lead who understands the interplay between reputation and incident response, with the tenacity to develop and implement Shopify’s strategy as we continue to scale. This isn’t a direct-from-the-sidelines sort of role - you’ll be in the weeds with your team, investigating incidents, pulling logs, and ensuring that everyone has the information they need. If you are someone willing to try new approaches, who enjoys building and fostering relationships with folks in the anti-abuse community, and wants to take a leading role as we continue building our security incident response framework, please consider joining us.

Requirements for the role:

    • Security Incident Response Experience. You’ve spent much of your career detecting, investigating, responding to, and managing security threats and technical abuse cases in a cloud-based environment. A least a bit of time has been in a Mac environment, too.
    • Experience leading a team. You care for people as their lead, and focus on mentorship and continual growth. You also keep a mindful pulse on your team’s health, understanding the strain that comes with this type of work.
    • Resourcefulness in the face of incomplete information. You know how to get the information you need from cloud service providers, and are comfortable digging deep. Windows Enterprise IR experience is unfortunately not relevant for our environment. 
    • Clear communication for a variety of audiences. You are a thoughtful communicator,  who knows how to craft messaging with the right level of technical depth, both for internal stakeholders and through externally-facing comms.
    • Resiliency. You possess equal parts grit and empathy to work in a high-stakes environment where things break.
    • Calm in the face of stressful situations. You’re extremely methodical and disciplined in your approach, yet thrive in dynamic environments.
    • Comfort working autonomously. You can leverage our Default to Open culture to gather the context you need to meet your goals.

Bonus experience:

    • Interacting with various working groups (FIRST, FS-ISAC, M3AAWG, etc.).
    • Managing online reputation in a cloud-based or service provider environment.
    • Engineering or software development of web or mobile-based applications.
    • Working with email authentication infrastructure, such as SPF, DKIM, or DMARC.
    • Supporting negotiations involving complex legal agreements with third party vendors.

Responsibilities:

    • Developing a clear voice and communication strategy as part of our security incident response program.
    • Continuously evolving our incident response framework, and ensuring that the team is built up appropriately to maintain health and effectiveness.
    • Bridging gaps by providing technical input to teams outside Trust & Security, in order to strengthen our incident response capabilities.
    • Developing a program to improve Shopify’s online reputation.
    • Establishing working relationships with vendors and security teams.
    • Building a threat intel sharing relationship with vendors, security teams, and working groups.
    • Coordinating red team exercises to test Shopify’s incident response framework.
We know that looking for a new role can be both exciting and time-consuming, and we truly appreciate your effort. Ash is an actual real live person (👋🏻) and is looking forward to learning more about you through your application. 

And remember, we want to know what you're really interested in building and why you want to build it at Shopify, so please give us as much detail on this as you'd like in your cover letter - we do love a good story. 👍  📖