Senior Vulnerability Analyst & Operational Lead
We’re Cruise, the self-driving ride-hailing service.
We are building the world’s most advanced self-driving vehicles to safely connect people to the places, things, and experiences they care about. We believe self-driving vehicles will help save lives, reshape cities, give back time in transit, and restore freedom of movement for many.
At Cruise, our engineers have opportunities to grow and develop while learning from leaders at the cutting-edge of their fields. With a culture of internal mobility, there's opportunity to thrive in a variety of disciplines. This is a place for dreamers and doers to succeed.
If you are looking to solve one of today’s most complex engineering challenges, see the results of your work in hundreds of self-driving cars, and make a positive impact in the world starting in our cities, join us.
We are looking for someone who wants the opportunity to build and run a critical operational component of our cybersecurity program: if you love the process of turning high level business requirements into meaningful technical requirements, creating metrics that determine efficiency and effectiveness, and working with a broad range of stakeholders at all levels of the organization, this role is for you.
As the Vulnerability Program Lead & Analyst you will work closely with an engineering peer (the Staff Vulnerability & Risk Management Engineer) to build and manage a comprehensive vulnerability management program that encompasses traditional IT infrastructure (physical workstations, servers, etc.) and new-traditional IT infrastructure (containers, compute, “cloud,” etc.) while reporting to the Director of Security Assurance and Trust.
- Discovery and material assessment of frameworks -- e.g. finding things like NIST 800-40 revision 3 and determining whether or not that applies to our business
- Draft and review of requirements documents with an emphasis on efficient process design, automation, and alignment to compliance and internal standards
- Develop and implement techniques and tools for meaningful risk correlation of vulnerability data
- Develop vulnerability management dashboard and work with stakeholders in incident response, GSOC, risk management, and threat intel to correlate data
- Evangelize vulnerability management at Cruise across the business to drive buy-in from stakeholders and be a key Security touch point
What you must have:
- Expertise in agile planning methodologies and associated technologies such as Confluence, Jira, Smartsheets, and like
- Expertise in the discovery, drafting, and workshopping of project requirements
- Expertise in the negotiation of in-flight projects -- you must be comfortable negotiation options, trade-offs, and other common blockers
- Expertise with prioritization and task management; you should be comfortable representing trade-offs associated with removing or adding work within an execution cycle, and, calibrating roadmap milestones as needed.
- Expertise in econometrics / metrology: you know the difference between data and information, and, enjoy creating
- Experience with vulnerability scanning technology such as Nessus, Qualys, Rapid7, etc.
- Experience with vulnerability management in GCP and AWS
- Familiarity with CI/CD pipeline tools and processes such as Github, CircleCI, etc
- Familiarity with cloud and container based deployments, using AWS, Kubernetes etc.
- Familiarity with security orchestration, automation, and deployment tools, using Ansible, Terraform, and queueing systems (Kafka, RabbitMQ, etc.)
- One or more of the following certifications: OSCP, OSCE, GVEA, GCIH, GCED, or CISSP
- The ability to write scripts to automate investigative or security analysis tasks.
- Experience in implementation of vulnerability management and risk programs from the ground up
Why Cruise?
- Our benefits are here to support the whole you:
- Competitive salary and benefits
- 401(k) Cruise matching program
- Medical / dental / vision, AD+D and Life
- Flexible vacation and company paid holidays
- Healthy meals and snacks provided
- Paid parental leave & family expansion stipend
- Monthly wellness stipend
- Commuter benefits
- We’re Integrated
- Through our partnerships with General Motors and Honda, we are the only self-driving company with fully integrated manufacturing at scale.
- We’re Funded
- GM, Honda, SoftBank, and T. Rowe Price have invested billions in Cruise. Their backing for our technology demonstrates their confidence in our progress, team, and vision and makes us one of the leading autonomous vehicle organizations in the industry. Our deep resources greatly accelerate our operating speed.
- We’re Independent
- We have our own governance, board of directors, equity, and investors. Our independence allows us to not just work on the bleeding-edge of technology, but also define it.
- We're Vested
- You won’t just own your work here, you’ll have the potential to own equity in Cruise, too. We are competing in a market that is projected to grow exponentially, which gives our company valuation room to grow.
Cruise LLC is an equal opportunity employer. All applicants for employment will be considered without regard to race, color, religion, sex, national origin, age, disability, sexual orientation, gender identity or expression, veteran status, genetics or any other legally protected basis. Below, you have the opportunity to share your preferred gender pronouns, gender, ethnicity, and veteran status with Cruise to help us identify areas of improvement in our hiring and recruitment processes. Completion of these questions is entirely voluntary. Any information you choose to provide will be kept confidential, and will not impact the hiring decision in any way.
We also consider for employment qualified applicants regardless of criminal histories, consistent with applicable laws. And, if you believe that you will need any type of accommodation, please let us know.
Note to Recruitment Agencies: Cruise does not accept unsolicited agency resumes. Furthermore, Cruise does not pay placement fees for candidates submitted by any agency other than its approved partners.