Security and Compliance Engineer

Sorry, this job was removed at 6:10 a.m. (CST) on Wednesday, October 21, 2020

Do you get excited about coming in on the ground floor of a new department? One that will be responsible for the security of Corporate and Production environment data?

Would you thrive in a role where you will focus on protecting systems, mitigating risks, responding to breaches and educating both customers and internal teams on the importance of defending valuable information?

As our Security and Compliance Engineer, your role will be to help Compeat understand how to be secure and compliant with all the relevant policies, processes, and regulations. The Security and Compliance Engineer is an expert with Security Operations and expected to become a subject matter expert in SOC1 and SOC2 compliance frameworks, as well as other compliance frameworks. The ideal candidate for this role will build relationships with various departments to become a trusted partner within the business and help them translate regulatory language into specific requirements. You will also help design testing strategies, conduct regular reviews of those tests, define compensating controls, work with the business to handle policy exceptions, and identify risks.
What You’ll Do:

  • Responsible for securing the infrastructure through working with the DevOps team to implement security best practices in the cloud and datacenter.
  • Working with the Dev teams to review security best practices for coding. Setting up security monitoring, logging and alerting.
  • Security vulnerability scanning and remediation.
  • Conduct Internal and external pen tests.
  • Understanding and promoting compliance with contracts, compliance controls, relevant laws, regulations, industry security standards and frameworks.
  • Assist with the collection and analysis of risk data, recommend mitigating actions, and lead risk mitigation projects as assigned.
  • Conduct research on current and emerging requirements related to regulations, laws, and rules affecting the business, and assist with the risk assessment process and with privacy and control standards.
  • Participate in yearly compliance audits, and adhere to a schedule of required governance, risk, compliance and audit tasks and activities.
  • Monitor appropriate sources for new vulnerabilities, evaluate the risk such vulnerabilities pose to the organization’s information and systems, and advise management of appropriate measures to eliminate or reduce the organization’s risk or exposure to such vulnerabilities.
  • Monitor organizational initiatives to ensure they adhere to security, risk and compliance requirements.
  • Assist with review of business policies and procedures, provide guidance to ensure effectiveness, ensure procedures are aligned with Information Security Policies and client contracts.
  • Maintain process flows, and heat maps identifying gaps, remediation plans and target SLAs.
  • Implement a risk exception process, track temporary exceptions, follow up on expiring exceptions.
  • Assist in the monitoring and surveillance of external vendors and third-party relationships.
  • Perform risk assessments and due-diligence evaluations for new and existing vendors.
  • Contribute to the continued development of internal control awareness in the organization.
  • Work with stakeholders to develop enhancements to organizational controls.
  • Promptly escalate to the appropriate team members and senior management any material breaches of applicable laws, rules, policies, risk tolerances and appetite, standards, SLAs, etc.
  • Gather and analyze data to support compliance and risk scenario development activities.
  • Participate in appropriate opportunities for continuing education, seminars, organizations, etc.

What You’ll Need:

  • 5+ years of experience with information technology security operations, audits, controls, assessments, risk assessments, or remediation management.
  • Deep understanding of cloud infrastructure and security.
  • Industry certification preferred (e.g., CISA, CISM, CISSP, CRISC, GSNA, GLEG, etc.).
  • Familiarity with privacy laws, data protection/security regulations, written contract language and frameworks, such as AICPA SOC1 Type 2/SOC2 Type 2, CCPA, GDPR, HIPAA, and PCI DSS.
  • Excellent time management and related organizational skills, including appropriate sense of urgency, a proactive approach, and a suitable ability to anticipate and manage project lifecycle events, issues and obstacles.
  • Negotiation skills needed to obtain internal commitments to remediate risks and vulnerabilities.
  • Strong analytical skills to analyze risks, evaluate control effectiveness and internal control frameworks, as well as to perform risk assessments and evaluations of vendor and third-party relationships.
  • Excellent interpersonal and organizational skills; ability to analyze situations, respond independently, prioritize to meet deadlines, work under pressure, and be a team player while maintaining a positive attitude.
  • Excellent communication, listening and facilitation skills.
  • A willingness to mentor and guide fellow team members kindly and constructively.
  • A desire to share knowledge and teach others.
  • Be a good steward of our clients' data and of our business.
  • Bachelor’s and advanced degrees are preferred but not necessary for more experienced applicants.

What attributes and skills do top candidates have that others don't?

  • Fast learner and self-starter
  • Attention to detail
  • Energized by interacting with people throughout the day, both in person and via online channels of communication
  • Able to negotiate with teams to define implementation strategies that maximize compliance without impacting productivity
  • Proficient at time management and prioritization of deadlines
  • Some level of experience with and understanding of regulatory compliance frameworks such as SOX or PCI DSS.
  • Experience with security frameworks such as SOC1 and SOC2, NIST CSF, CIS Cybersecurity Framework, NIST 800-53, and others.

Compeat Hiring Practices:

We value diversity at our company. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin or any other applicable legally protected characteristics in the location where the candidate is applying. Compeat doesn't accept unsolicited agency resumes and won't pay fees to any third-party agency or firm that doesn't have a signed agreement with Compeat.


Location

Our new building on Arboretum Blvd has gorgeous views of the Austin hills and is in close proximity to some of our favorite restaurants.
