Engineering Manager, Security & Compliance
San Francisco, CA
At Sisu, we're building a software platform that empowers people to make better decisions using data. Based on years of cutting-edge research at Stanford, Sisu enables users to quickly and comprehensively understand what’s driving their key metrics, so they never miss a window of opportunity to act.
Sisu leverages the massive amounts of data available within private, first-party data warehouses, which capture a real-time, structured view of organizational behavior. By monitoring the performance of key metrics like revenue, retention, and churn, and their relationships to interactions between key factors like user demographics, campaigns, and acquisition channels, we can help users make better decisions. The key problem Sisu solves is to help identify what’s driving change among this enormous feature and hypothesis space. To do so, we combine statistical analysis and machine learning at scale to provide users personalized, real-time diagnoses of changes in their metrics via an explainable, interpretable user interface.
Sisu is looking for an Engineering Manager in Security and Compliance to join our fast-growing team to lead Sisu’s company-wide efforts around security, compliance, risk, audit, and privacy. With some of the top companies in the world trusting us with their data, security is core to what we do. You will play a critical role in creating, implementing, and maintaining company-wide information policies and procedures. Additionally, as the team grows, there is opportunity for expansion in scope of the role to oversee other emerging areas in Engineering Operations, including Corporate IT, Technical Writing, Technical Program Management (TPM), Release Engineering, and more.
- Company-wide leadership. Build a vision and roadmap for our company’s efforts around security, compliance, risk, audit, and privacy, driving all workstreams in collaboration with leads across every department at Sisu - engineering, product, legal, finance, sales, marketing, and the executive team.
- Application & product security. Support security for every feature we build, from conception to delivery and the infrastructure supporting it all. Includes design doc review, secrets management, security testing, source code analysis, data loss prevention, information flow modeling, intrusion detection and more.
- Security operations. Monitor, analyze, and triage risks and threats as they come in. Craft incident response plans and policies to respond to alerts and events. Run postmortems for events after they happen, to continue iterating our security posture towards greatness. Develop and report on metrics to measure progress and effectiveness of the security and compliance program.
- Sales enablement. Collaborate with our field team and customers to close deals - joining customer calls, answering security questionnaires, suggesting security best practices for integration, and working with eng leads on technical documentation.
- Compliance. Develop and strengthen Sisu’s comprehensive compliance program, overseeing compliance, monitoring, audit, and controls for certifications & legal frameworks including SOC 2, ISO 27001, HIPAA, GDPR, CCPA, and more.
- Threat planning. Lead a variety of white hat efforts against Sisu’s product and corporate infrastructure, including phishing tests, penetration tests, bug bounties, and simulations for disaster recovery and business continuity.
- Research. Proactively research new attack vectors that may affect Sisu’s services. Attend security conferences and meetups to stay in the know. Keep leadership up to date.
- Training & evangelism. Train Sisu employees on security best practices, from their very first day to ongoing talks at all-hands meetings.
- Public presence. Be the public face of Sisu’s security program, speaking at conferences, writing blog posts, and managing our public security portal and supporting documentation.
- Corporate IT. Craft security policies and processes for Sisu’s devices, vendors, and people, with MDM, vendor security review, IAM, and background checks.
- Security background. Minimum 5+ years of experience in Information Security, Software Engineering, DevOps, or system administration, with 2+ years of experience in compliance, audit, and risk - preferably at a tech startup (That said, we care a lot more about what you know and what you can learn than the number of years spent. We’re just as excited to talk to high-trajectory growth-mindset folks early in their career as we are with director-level folks who can help lead & scale from day 1.)
- Hacker mindset. You don’t just want to check off boxes for compliance - you want to apply creative & elegant solutions to our security posture and process, building true security that mitigates risk and delivers business value.
- Engineer mentality. You approach process security & compliance the way an engineer approaches architecture - attempting to craft elegant policies, playbooks, and runbooks that simplify & automate manual work, minimize the chance of mistakes happening, remove single points of failure, and integrate with existing tools and practices wherever possible.
- Cloud. Experience with modern cloud technologies including cloud compute (AWS, Google Cloud, Azure); cloud data warehouses (Snowflake, Redshift, BigQuery); containerization (Kubernetes & Helm); continuous integration, deployment, & delivery; and secrets management.
- Project management. Demonstrated experience leading large-scale enterprise projects, from planning and technical requirements to delivery, collaborating with cross-functional stakeholders and customers along the way.
- Effective communication. Ability to present complex technical information in a clear and concise manner, to a variety of audiences - both internal and external, from sales & marketing to execs and the board. You care about correctness but don’t miss the forest for the trees.
- Bonus - Engineering Operations. Desire to wear multiple hats and take on additional areas of Engineering Operations as you and the company grow - including Corporate IT, Technical Writing, Technical Program Management (TPM), Release Engineering, and more.