Director of Security
Evisort
San Francisco, CA, USA
Posted on Friday, May 5, 2023
Our mission is to change the way business deals get done. In an industry plagued by inefficient and ineffective contract management systems, we provide a solution that accelerates, scales, and protects the business, enabling contract professionals to become their company’s superhero.
We create cutting-edge AI technology that makes contracts searchable and simplifies deal-making processes to supercharge business while helping to reduce costs and manage risk. We automate manual work, facilitate collaboration, and streamline operations so businesses can make better decisions.
By reimagining legal documents, we take the stress out of contract management, empowering brilliant people to do their best work while fueling exponential growth.
The Role:
We are seeking a technical, hands-on, enablement-focused Head of Security to lead Evisort’s growing security team and drive the work of securing our code base, infrastructure, and systems as the company (and security organization) scales. This is an exciting opportunity to join a company that takes security seriously from the start, rather than the usual state of cleaning up years of technical debt with a skeleton crew. You will be leading an already mature team with multiple Security Engineers. You will manage all areas of security and compliance at Evisort, with your input to senior leadership directly driving product, engineering, and other company decisions.
What You’ll Do:
- Own the security, privacy, and compliance programs at Evisort. Develop and implement a comprehensive security strategy that aligns with the company's goals and objectives. Identify and prioritize potential security threats and develop measures to mitigate them
- Lead and improve the existing application security and vulnerability management programs. Lead the team to find, manage, and fix vulnerabilities in the product, coordinating with development teams on their remediation, coordinating the bug bounty program, and building tooling to prevent them from reappearing or being created in the first place.
- Design and build application frameworks and services to improve the security of a cloud, container-based microservice application stack
- Run and participate in the Security Partner program, including threat modeling, security design, implementation, and process building with development teams
- Lead cloud infrastructure security initiatives
- Manage and expand our detection and response program
- Manage our bug bounty program
- Manage corporate security initiatives in collaboration with other teams, including expanding our SSO, MDM, and EDR deployments
- Drive compliance initiatives that add real security value and maintain our SOC 2, ISO 27001, and ISO 27701 certifications
- Develop and deliver security training and awareness programs to ensure all employees understand their role in maintaining a secure environment
- Engage with prospects and customers on their security needs, being involved on the security side with significant enterprise deals
Skills/Qualifications:
The right candidate for this role will definitely have:
- Bachelor's degree in Computer Science, or a related field with past software engineering experience. You are a builder more than a buyer; your strategic plan should not be a list of vendors to buy
- 7+ years of experience in securing software systems, ideally with a SaaS and cloud focus
- 2+ years of experience in effectively guiding security or other interrupt-driven teams, following the DevOps paradigm applied to security
- A deep understanding of the security landscape, the threats in it, and how they apply to the company and its goals. You should be able to effectively triage mitigations to these threats, and know where the limitations of potential mitigations are
- Experience with finding, triaging, and fixing web application vulnerabilities. Covering at least the OWASP Top 10 is table stakes; you should have a far deeper knowledge
- The ability to quickly pick up new technologies and find problems in unfamiliar systems or code bases
- Project management skills: financial/budget management, scheduling, and resource management
- An excellent ability to communicate security concerns to technical and non-technical stakeholders via written and verbal mediums
- Knowledge of the SOC 2, ISO 27001, and 27701 frameworks
- A proficiency for automating as much as possible, a desire to solve problems once, and the discipline to make it happen
- Be intensely curious and constantly learning and growing, both within the security space and without. You should have an entrepreneurial mindset, taking ownership of problems and finding novel solutions for them
Experience with one or more of the following is preferred:
- Experience with securing microservice architectures based around public cloud services, containers, Docker, Kubernetes, and service meshes.
- Familiarity with managing public clouds (AWS, Azure, GCP) using infrastructure-as-code (Terraform) and automation (Ansible, Puppet, Chef, etc.) is critical. Extensive knowledge of cloud security best practices is preferred
- Experience building out a Secure Software Development Life Cycle (SSDLC), including integrating automated security testing, SAST, DAST, SCA, fuzzing, and variant analysis within a CI/CD pipeline in a developer-enabling way. You should know the limitations of each of these techniques, and where best to apply them
- Experience with SIEM tooling
Evisort is an E-verify employer. Your eligibility to work in the United States will be verified through the E-verify system if you apply and are selected for a position in the United States.