You will work closely with team members and affected product teams to improve our detection capabilities and design defense-in-depth controls that limit attackers' ability to move inside our network. Whether working on our Google Cloud systems, researching the latest in computer technology or keeping BigCommerce internal systems humming, BigCommerce customers rely on us to keep things running. We're back-end experts: protecting privacy and ensuring the security of our platform.
We are looking for a full-time Lead Information Security Engineer who wants to make an impact at every level of society by protecting more than 60,000 merchants on the BigCommerce e-commerce SaaS platform. By protecting our merchants, you will be powering innovators, creative thinkers, entrepreneurs and business owners around the world to be successful at each stage of their business.
The Lead Information Security Engineer will direct the work of the Cybersecurity Infrastructure Security Team. In this role, they will monitor, analyze, and detect cyber vulnerabilities, events and incidents within information systems and networks. They will lead cyber defense efforts to maintain our security toolsets and establish a framework by which cyber risk can be measured and quantified. They will conduct multi-disciplined penetration tests, develop domain- or problem-specific tools that leverage identified vulnerabilities, research the latest exploitation techniques and threat vectors, and design and configure representative test environments. They will support various training events and mentor others.
Their main mission is to lead the Information Security Operations team to excellence in their efforts to protect the BigCommerce platform and BigCommerce customers and employees from cyber threats.
What you’ll do:
- Evangelize security within BigCommerce
- Protect BigCommerce merchants, their shoppers, and the company
- Seamlessly improve BigCommerce’s security posture with minimal impact to our employees’ daily operations
- Assess security on existing infrastructures
- Respond to information security incidents, providing technical expertise and conducting forensics
- Reduce time-to-detect and time-to-remediate by driving the automation of security event management, vulnerability assessment, and intelligence correlation
- Provide security guidance and experience to engineering teams
- Provide domain expertise regarding security events that impact applications and network design
- Mentor team members in best practices around information security standards
- Design secure information systems that protect company data, empower users and drive business growth
- Perform regular and ongoing pen testing of BigCommerce’s changing environment
- Utilize data to help generate insights into threats and build solutions
Who you are:
- Bachelor's degree in CS, EE or MIS; or equivalent experience
- 7+ years of experience in security engineering, system and network security, cloud security, authentication and security protocols, cryptography, and infrastructure security
- Passion for Information Security
- Experience using various penetration testing tools (e.g. Burp Suite, Metasploit, Nessus) on Windows and Linux
- Have supported PCI, ISO 27001, and SOX audits
- Experience developing scripts, tools, methodologies and best practices to improve team capabilities (e.g. SIEM)
- Knowledge of security testing standards and practices is a must
- Proficient in Identity Management best practices
- Scripting skills (e.g. Python / Perl / Ruby, shell scripting) a significant plus
- Experience in using network protocol analyzers and sniffers, as well as the ability to decipher packet captures
- Excellent verbal and written communication
- Proven ability to work effectively with stakeholders, staff, vendors, and external consultants
- Exceptional ability to provide a high level of support with a customer first attitude
- Exceptional ability to seek out opportunities to increase internal client satisfaction and deepen client relationships
- Passionate about technology, and a strong desire to make our environment better
- Strong sense of ownership, urgency, and drive
- A desire to help and train users so they better understand the solutions we offer
- Presentation experience, conferences, white papers, and bug bounties are a plus and most welcome
- Desired but not mandatory: relevant information security certifications (e.g. OSCP, OSCE, SANS GCIA, SANS GCIH, SANS GPEN, SANS GCFA and CISSP)