Sr. Director, Cybersecurity

• Define the Cyber Security Strategy for Bugcrowd and identify areas of improvements to the threat landscape, internal risk tolerance objectives, and/or compliance objectives
• Ensure the technical aspects of vendor acquisitions and tools are safe for Bugcrowd’s use, in unison with the IT and compliance teams
• Assess corporate technology systems, determine strategy for changes, enhancement and improvements
• recommend and implement the same, from the perspective of cyber security
• Carry out and fulfill the cyber security strategy of bugcrowd, proactively improving the security posture with time
• Work with GRC to assist in designing, develop, implement and coordinate areas of policies and procedures for compliance with SOC-2, NIST 800-53v4, ISO27001,ISO27018, and FedRAMP
• Represent Bugcrowd in the internal and external audits for SOC-2, ISO27001, and ISO27018
• Manage Bugcrowd’s bug bounty program, ensuring that clients have a standard to aspire to, when running their own bounty programs
• Analyze new features prior to development or launch, to ensure the security measures in place are sufficient for the project. (security architecture and security testing)
• Manage the access controls for Bugcrowd’s production codebase (GitHub)
• Approve and analyze authorisation requests to production data (AWS, GitHub, Tableau, etc.)
• Perform regular audits of Bugcrowd’s cloud infrastructure, alongside helping with architecture of any cloud solutions from the security perspective
• Manage and audit all vulnerability scans (internal and external) for all of Bugcrowd’s systems (Qualys and Nessus)
• Proactively test and identify issues within Pull Requests and production to find issues (code review & penetration testing)
• Automate security tasks to proactively identify and fix security issues within Bugcrowd. (Python, golang, JS, Ruby)
• Perform configuration management upon all Bugcrowd systems (IT and cloud)
• Perform code audits on new features, patches, etc
• Perform IR for all parts of the business (on-call 24x7) and perform root cause analysis upon the incidents to properly mitigate them in the future. Aid with forming an Incident Response Plan (IRP) based on these incidents
• Perform threat intelligence to proactively find issues relating to Bugcrowd’s security posture
• Plan implementation of security controls, in unison with the required teams (infra, eng, secops, IT, compliance, Researcher Success (RS), etc.)
• Monitor the security controls for all of Bugcrowd’s systems and build a team to do the same. (SIEM usage)
• Perform malware analysis on any potential malware, should the forensic requirements arise during IR
• Coordinating red team engagements against Bugcrowd and implementing security controls to mitigate any issues found
• Develop security awareness materials for all roles within the Bugcrowd organisation
• Aid the Legal team with GDPR related issues from researchers and programs
• Perform table top exercises within the Bugcrowd organization to ensure the organization is prepared for future threats
• Aid with business continuity testing, since the internal cybersecurity team plays a major role within the process
• Present findings and observations to the ISMS committee
• Portray and represent the technical controls and engineering areas within the ISMS committee (requirement of ISO27001)
• Lead and manage a team of internal cybersecurity professionals
• Train and grow the security team with objectives that are defined, measured and monitored
• Support Security Leadership with delegated responsibilities, as requested
• Take a proactive, collaborative and respected leadership role in the Company to galvanize support of a robust, efficient and secure technology organization
• Manage a team of hungry and fast growing security professionals with both strong attack and defense skills

• Proven work experience leading Cyber Security (penetration testing, red teaming, GRC, IR, secure development, and security architecture) in a startup and growing with the organization
• Excellent knowledge of technical security controls, including cloud, web application, infrastructure, IT, and compliance
• Experience in data governance, data architecture, data flow and system architecture to optimize the same
• Hands-on experience with penetration testing, red teaming, and security patch bypass testing
• Ability to work independently and must have strong organizational and communication skills
• Systems / Software (detailed knowledge of the following stack): Mac OS, Python, JavaScript, Ruby, Golang, Java, Kotlin, Postgres, GSuite, Cisco Umbrella, Netskope, Crowdstrike, GitHub, AWS, Heroku, Cloudflare, DataDog, JAMF, etc
• Experience related to and assistance with ISO27001, ISO27018, NIST 800-53v4, and SOC2 audits is compulsory
• Degree in Computer Science, cyber security, MIS or equivalent experience desirable but not required
• Experience in cyber security with demonstrations of responsibility and technical excellence
• Must be eager to work hard, to learn many new skills, solve problems, and integrate tightly with the rest of the team
• Willingness to support a global organization with limited staff via off hours activity while maintaining a healthy work-life balance

Familiarity with Jira is a plus