Security Governance Analyst II

Location: Boston, MA

Team: Information Security

Role Overview:

This role is for someone who is looking to develop their information security knowledge by contributing to Security Trust & Governance operations. An information security and/or information technology background would set you up for success in this position. Your ability to successfully carry out cross-functional work will require strong communication skills, patience, and a solution-oriented attitude.


You'll join us in our brand new North Station HQ and work with an energized team that cares deeply about the success of these initiatives, and leadership that values work-life balance, an inclusive culture, and your ongoing career development.


Day In The Life:

The Sales team wants to purchase a new enablement solution, and you're responsible for conducting a security assessment of the tool they've selected. You start the day by meeting with a Sales manager to discuss how the tool would be used, what data it would process, and what integrations would be required. This context is critical to understanding how the tool might introduce risk to Rapid7. Later today, you'll review the documentation provided by the vendor to determine whether they have adequate security controls in place based on the scope of our potential engagement.


You check your ticket queue and see that you've received some security and privacy questions from a customer. You're able to answer most of them by referring to Rapid7's policies, and you send the remaining questions over to a team member in Product Security, ensuring they have enough context to address them thoroughly. 


After lunch, you spend a couple of hours on a project you've been chipping away at -- automating the collection of some SOC 2 audit evidence so that a control owner in IT no longer has to gather it by hand.


Before you head out for the day, you check in to see whether application owners have completed their quarterly access reviews. You notice that one of the application owners stopped in the middle of his review, so you send him a Slack message to see if he'll be able to finish it this week and keep the process on track. He mentions he paused after getting confused about something he saw in the access re-certification tool. You walk over to his desk and sort out his question with him so he can complete his review.



Responsibilities:

  • Assist in third party risk management efforts by performing security assessments of potential Rapid7 partners/vendors. This requires considering elements such as the architecture of computer information systems, the sensitivity of data that will be processed, the vendor's overall security program maturity, and any aspect of the engagement that could introduce risk to Rapid7.

  • Address questions about Rapid7's internal security program from customers, prospects, and auditors. This will often require working with other members of the Information Security team, and with other Rapid7 teams, including Engineering, Product Management, Content Strategy, and Legal.

  • Assist senior members of the security team with tasks related to:

    • Security awareness and culture initiatives throughout the company

    • Compliance and privacy program maintenance

    • Workflow improvements

    • Identity and access management maintenance


Required Qualifications

  • 2+ years of experience in information security, information technology, data privacy, or an adjacent field.

  • Strong project management abilities, including the ability to coordinate initiatives across technical and non-technical teams/stakeholders and to manage distributed teams and projects.

  • Ability to work effectively with both technical and business executives.

  • Strong communication and organizational abilities.

Preferred Qualifications

  • Experience in information security and/or information technology.

  • Understanding of certification and accreditation/auditing activities, and security control frameworks.