Compliance & Security EngineerPrimary: Bay Area (San Francisco / Peninsula) | Secondary: NYC
The OpportunityWe're doing an AI-first engineering rebuild for a company that already has an audience of 100M+ people. This is a zero-to-one build with no legacy constraints, which means you get to stand up the security and compliance foundation correctly from the start. The stakes here are concrete: Step handles money and serves minors, Feastables carries consumer and supply-chain data, and the media business ships fast and constantly. You're here to make regulated products shippable without slowing them down.
The MandateYou'll be a single principal-level IC bridging two disciplines that usually live on separate teams: security engineering (threat modeling, vulnerability management, hardening, incident response) and compliance engineering (control design, audit evidence, framework mapping across SOC 2, PCI DSS, COPPA, and privacy law). That means:
- Own the security architecture and the technical compliance posture across Step, Feastables, and the media org.
- Build one control framework, with each control mapped to the regulation it satisfies (PCI DSS, COPPA, GDPR/CCPA, SOC 2).
- Make compliance continuous by automating evidence collection and control monitoring, not a once-a-year scramble.
What You'll Do- Set the security standards other engineers build against across cloud infrastructure, applications, and data systems.
- Lead threat modeling and security reviews for high-risk products, especially Step's payment and account systems and anything touching minors' data.
- Run the vulnerability management program and drive remediation to closure with the teams that own the systems.
- Build and own incident response: detection, playbooks, escalation, post-incident review, and breach-notification readiness.
- Act as technical lead during PCI DSS and SOC 2 audits, and represent Beast with auditors, regulators, and partners.
- Translate regulatory requirements into engineering work teams can act on, and advise leaders on risk tradeoffs in plain terms.
- Define secure-by-default patterns and paved paths so most teams meet requirements without one-off review.
Who You Are- AI-Native: You're already using AI daily and bringing it into security work where it earns its place, from automation to evidence pipelines.
- Security + Compliance Hybrid: Around 15 years of combined security engineering and compliance experience, with proven ownership of PCI DSS and SOC 2 in production, from control design through a successful audit.
- Applied and Hands-On: Strong cloud security (AWS/GCP), application security, threat modeling, and incident response, with the ability to read and reason about code.
- Trusted on Risk: You say no clearly when risk warrants it and explain the tradeoff in terms the business can act on, you treat minors' data and customer money as the highest bar, and you influence through evidence, not title.
Working knowledge of privacy and minor-protection regulation (COPPA, GDPR, CCPA) and how it maps to technical controls. Bonus points for fintech or payments experience (money movement, KYC), security automation and infrastructure-as-code (Terraform, policy-as-code), relevant certifications (CISSP, CCSP, OSCP), and standing up a security or compliance function from an early stage.
Benefits- Equity: Highly competitive equity package designed for a foundational hire.
- Hybrid Model: Expected ~3 days per week in-office (Bay Area or NYC).
- Competitive Salary
- Generous Medical (Blue Cross Blue Shield), Dental, Vision and company-paid Life Insurance
- Company contributions to employee Health Savings Accounts (HSA)
- 401k Plan with Safe Harbor company-matching
- Flexible vacation policy and paid company holidays
- Company-provided technology package
- Relocation assistance where applicable, including travel and company-provided housing for the first 90 days
