Senior Security Strategist, GRC Uber
San Francisco, CA

Job Description

Uber Overview

At Uber, we ignite opportunity by setting the world in motion. We take on big problems to help drivers, riders, delivery partners, and eaters get moving in more than 600 cities around the world.

We welcome people from all backgrounds who seek the opportunity to help build a future where everyone and everything can move independently. If you have the curiosity, passion, and collaborative spirit, work with us, and let's move the world forward, together.

Job Description

About the Role

Uber's Security team works to ensure the security of rider, driver and partner information and technology. Our ultimate goal is to ensure that every single experience with Uber is simple, secure, and safe.

We are seeking a talented Security Strategist to join our Security Assurance team in San Francisco or Seattle, who will develop and maintain Uber's security governance and risk management program. The Security Strategist will dive head first into the implementation of processes, and solutions for assessing risk and managing complex regulatory and industry standard requirements across diverse business and technology landscape.

What You'll Do / What You'll Need / Bonus Points / About the Team

Who you are

You have solid security experience and a passion to help organizations communicate and manage security risks. You can distill complexity, and take a pragmatic approach to address challenging problems. You've contributed to the development of cross-functional programs and you work well across a variety of stakeholder groups. You seek to automate processes and you have a strong understanding of DevOps and microservices.

What you'll do

You will support the implementation of Uber's security GRC program, which will assist Uber in meeting complex strategic, regulatory and industry standard requirements, operating at significant scale. You will:

* Contribute to the implementation and continuous improvement of security GRC processes such as Policy Management, Information Risk Management, Compliance Management, Exception Management, Issue Management, etc
* Support, configure, test, implement, and maintain the GRC processes in the applicable GRC product, working closely with the business, engineering, security and 3rd party development/implementation partners
* Operationalize and manage the awareness and adoption of GRC processes
* Assess and advise on the impact of GRC process design options and changes
* Track remediation activities and relevant metrics to help communicate status, demonstrate progress and build awareness of GRC processes.
* Work proactively with security compliance team members to design, implement, and manage regulatory and compliance program requirements in the GRC product
* Contribute to the strategy and execution of the overall security governance and risk management program
* Cultivate relationships with security, engineering, legal, internal audit, and business stakeholders to strengthen security governance and risk management

What you'll need

* B.S. degree or equivalent work experience in security, risk management, compliance, information systems or other relevant fields
* 4+ years of combined risk management, risk consulting, GRC product implementation and /or security work experience
* Knowledge of qualitative and quantitative risk management approaches and processes, including proven implementation experience
* Knowledge of security practices and controls applied to address security risks
* Knowledge of and experience applying security, risk and control frameworks such as NIST, COBIT, and ISO
* Experience with GRC products (e.g., RSA-Archer, Metric Stream, ServiceNow GRC etc.)
* Project management capabilities to track progress on GRC process implementation and improvements
* Advanced interpersonal skills to effectively promote ideas collaborate across teams and influence stakeholders

Bonus Points

* Certified Information Systems Security Professional (CISSP), Certified Information Systems Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), or equivalent
* Knowledge of and experience with quantitative risk management frameworks such as FAIR and OCTAVE
* Excellent presentation and communication skills
* Results-oriented, with demonstrated problem-solving abilities
* Previous experience in a complex DevOps, engineering-driven culture preferred