Job Description
Reddit is a community of communities where people can dive into anything through experiences built around their interests, hobbies, and passions. Our mission is to bring community, belonging, and empowerment to everyone in the world. Reddit users submit, vote, and comment on content, stories, and discussions about the topics they care about the most. From pets to parenting, there’s a community for everybody on Reddit and with over 50 million daily active users, it is home to the most open and authentic conversations on the internet. For more information, visit redditinc.com.
“The front page of the internet,” Reddit brings over 430 million people together each month through their common interests, inviting them to share, vote, comment, and create across thousands of communities. Come for the cats, stay for the empathy.
The Reddit Assurance team leads and oversees technology risk related initiatives including risk management, audit readiness, internal controls and governance, and the design and implementation of remediation action plans. The team is rapidly developing and looking for a Senior Compliance Engineer. This is an exciting opportunity to get in and have an outsized impact on a highly skilled and motivated team. We look for humble experts with a relentlessly resourceful and entrepreneurial, “can do” view of security and privacy. We want to deliver facts (not FUD) to the business to enable Reddit to manage risk more effectively. Culture is important to us and a learning and developing mentality is vital, regardless of the work assigned.
What You'll Do:
- Design and implement enterprise-wide Tech Risk Management frameworks to enhance objective, data-driven risk models. This includes activities such as:
  - Identify Reddit’s crown jewels (critical assets and data).
  - Establish a comprehensive program for Threat Analysis & Threat Modeling (supported by threat intelligence).
  - Identify vulnerabilities in Reddit that could be exploited by the identified threats, and derive threat scenarios from them.
  - Identify Risk Statements (risks to Reddit from the threat scenarios/events identified).
  - Perform a comprehensive Risk Assessment (determine inherent risk, Controls Assessment & Maturity Assessment, determine residual risk).
  - Develop Risk Treatment Plans (risk acceptance, risk reduction, risk transfer).
  - Develop a comprehensive program for Risk Monitoring & Maintenance of the Risk Assessment (including monitoring risk factors identified in risk assessments and updating the components of risk assessments based on the risk monitoring activities performed).
  - Develop a program for the application of the Risk Assessment throughout the organization, including at the 1) Organizational Tier, 2) Mission/Business Process Tier, 3) Information System Tier.
- Develop detailed risk scenarios and cyber threat models
- Collaborate with cross functional teams to quantify the risk of ransomware, data breach or other cyber-attacks to cyber insurance policyholders
- Build and maintain the technology/security risk register, including improvements to tooling and process automation
- Partner with cross functional teams to design, implement and continuously assess controls to mitigate identified risks.
- Engage and collaborate with various teams in Security, partnering and sharing information, resources, and capabilities regarding constantly-evolving cyber vulnerabilities, threats, and controls.
- Identify and report appropriate metrics to measure the technology risk program and highlight trends.
- Influence behaviors to reduce risk and foster a strong technology risk management culture throughout Reddit
What We Can Expect From You:
- Experience building a technology risk management program and related framework from the ground up.
- Support a collaborative, performance-driven culture that builds bridges with other functional groups across the enterprise and maintains positive working relationships.
- 7+ years working in an IT audit / risk management / IT compliance role
- Demonstrated experience with technology risk management and quantitative risk models (e.g. FAIR)
- Strong knowledge of technology risk assessment, compliance, and data frameworks such as any/all of the following: NIST, CVE, CIS, PCI DSS, SOC 2, ISO 27001, etc.
- In-depth knowledge of the attack lifecycle (“Kill-chain” or MITRE’s ATT&CK methodologies)
- Ability to identify and recommend tools, processes, and software to automate and continuously improve compliance practices
- Ability to influence across all levels of the organization
- Strong written and verbal communication skills
- CISSP or CISA/CISM preferred
What You Can Expect From Us:
- Comprehensive Health benefits
- 401k Matching
- Workspace benefits for your home office
- Personal & Professional development funds
- Family Planning Support
- Flexible Vacation & Reddit Global Days Off
- 4+ months paid Parental Leave
- Paid Volunteer time off
Pay Transparency:
This job posting may span more than one career level.
In addition to base salary, this job is eligible to receive equity in the form of restricted stock units, and depending on the position offered, it may also be eligible to receive a commission. Additionally, Reddit offers a wide range of benefits to U.S.-based employees, including medical, dental, and vision insurance, 401(k) program with employer match, generous time off for vacation, and parental leave. To learn more, please visit https://www.redditinc.com/careers/.
To provide greater transparency to candidates, we share base pay ranges for all US-based job postings regardless of state. We set standard base pay ranges for all roles based on function, level, and country location, benchmarked against similar stage growth companies. Final offer amounts are determined by multiple factors, including skills, depth of work experience, and relevant licenses/credentials, and may vary from the amounts listed below.
The base pay range for this position is: $174,800 - $262,200.
Reddit is committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans in our job application procedures. If you need assistance or an accommodation due to a disability, please contact us at [email protected].
Date Posted
02/27/2023