Senior Cyber Risk Engineer

Reddit · Remote

Company: Reddit

Location: Remote

Type: Full Time

Job Description

Reddit is a community of communities where people can dive into anything through experiences built around their interests, hobbies, and passions. Our mission is to bring community, belonging, and empowerment to everyone in the world. Reddit users submit, vote, and comment on content, stories, and discussions about the topics they care about the most. From pets to parenting, there’s a community for everybody on Reddit and with over 50 million daily active users, it is home to the most open and authentic conversations on the internet. For more information, visit redditinc.com.

“The front page of the internet,” Reddit brings over 430 million people together each month through their common interests, inviting them to share, vote, comment, and create across thousands of communities. Come for the cats, stay for the empathy.

The Reddit Assurance team leads and oversees technology-risk-related initiatives including risk management, audit readiness, internal controls and governance, and the design and implementation of remediation action plans. The team is rapidly developing and looking for a Senior Compliance Engineer. This is an exciting opportunity to get in and have an outsized impact on a highly skilled and motivated team. We look for humble experts with a relentlessly resourceful and entrepreneurial, “can do” view of security and privacy. We want to deliver facts (not FUD) to the business to enable Reddit to manage risk more effectively. Culture is important to us and a learning and developing mentality is vital, regardless of the work assigned.

What You'll Do:

  • Design and implement enterprise-wide Tech Risk Management frameworks to enhance objective, data-driven risk models. This includes activities such as:
      • Identify Reddit’s crown jewels (critical assets and data).
      • Establish a comprehensive program for Threat Analysis & Threat Modeling (supported by threat intelligence).
      • Identify vulnerabilities in Reddit that could be exploited by the identified threats, in order to develop threat scenarios.
      • Identify Risk Statements (risks to Reddit from the threat scenarios/events identified).
      • Perform a comprehensive Risk Assessment (determine inherent risk, Controls Assessment & Maturity Assessment, determine residual risk).
      • Develop Risk Treatment Plans (risk acceptance, risk reduction, risk transfer).
      • Develop a comprehensive program for Risk Monitoring & Maintenance of the Risk Assessment (including monitoring risk factors identified in risk assessments and updating the components of risk assessments based on the risk monitoring activities performed).
      • Develop a program for the application of the Risk Assessment throughout the organization, including at the 1) Organizational Tier, 2) Mission/Business Process Tier, 3) Information System Tier.
  • Develop detailed risk scenarios and cyber threat models
  • Collaborate with cross functional teams to quantify the risk of ransomware, data breach or other cyber-attacks to cyber insurance policyholders
  • Build and maintain the technology/security risk register, including improvements to tooling and process automation
  • Partner with cross functional teams to design, implement and continuously assess controls to mitigate identified risks.
  • Engage and collaborate with various teams in Security, partnering and sharing information, resources, and capabilities regarding constantly-evolving cyber vulnerabilities, threats, and controls.
  • Identify and report appropriate metrics to measure the technology risk program and highlight trends.
  • Influence behaviors to reduce risk and foster a strong technology risk management culture throughout Reddit

What We Can Expect From You:

  • Experience building a technology risk management program and related framework from the ground up.
  • Support a collaborative, performance-driven culture that builds bridges with other functional groups across the enterprise and maintains positive working relationships.
  • 7+ years working in an IT audit / risk management / IT compliance role 
  • Demonstrated experience with technology risk management and quantitative risk models (e.g. FAIR)
  • Strong knowledge of technology risk assessment, compliance, and data frameworks such as any/all of the following: NIST, CVE, CIS, PCI DSS, SOC 2, ISO 27001, etc.
  • In-depth knowledge of the attack lifecycle (“Kill-chain” or MITRE’s ATT&CK methodologies)
  • Ability to identify and recommend tools, processes, and software to automate and continuously improve compliance practices
  • Ability to influence across all levels of the organization
  • Strong written and verbal communication skills
  • CISSP or CISA/CISM preferred 

What You Can Expect From Us:

  • Competitive Healthcare Benefits Package
  • Quarterly Dependent Care or Pet Care Stipend
  • Family Expansion Benefits
  • 4 Months Parental Leave with Flexible Return-To-Work Programming
  • Professional & Personal Development Stipends
  • Unlimited Vacation, Annual Travel Stipend, and 10 Paid Holidays
  • Onsite Wellness Classes and Wellness Stipend
  • 401k Plan with Employer Contributions
  • Monthly Commuter Stipend
  • Monthly Cell Phone Allowance
  • Paid Volunteer Days, plus Reddit For Good Volunteer Opportunities

Reddit is committed to providing reasonable accommodations for qualified individuals with disabilities and disabled veterans in our job application procedures. If you need assistance or an accommodation due to a disability, please contact us at [email protected].

Date Posted: 12/19/2022
