Glossier Inc. is building the future beauty company in collaboration with its customers.
We’re hiring our first Lead Information Security Specialist to build a robust information security discipline for Glossier. You’d join our Technology team, working closely with Technology, IT, Privacy and broader functional team to ensure Glossier keeps our customer’s trust.
You’d continuously improve our security practices, processes and tooling to help us deliver a secure and reliable e-commerce experience for our customers. This is a generalist role for an experienced candidate to build a strong information security program. If our mission sounds exciting to you and you are excited about building a program ground up, please reach out!
Six Month Expectations
- Collaborates with functional teams to conduct security risk assessment/audit meetings and discuss company information security initiatives
- Develop, collaborate and publish critical security policies.
- Identify processes and tooling to enforce key security policies and related controls.
- Implement processes and tooling for raising Security Awareness across functions.
- Build metrics to track security risks, awareness, IAM health of the organization and automate them.
- Establish standards and guidelines for Information Security controls.
- Conduct an Incident Response Tabletop exercise.
- Contributes to the development of the Vendor Risk Management program.
Twelve+ Month Expectations
- Create policies and tools to ensure new services can easily follow recommended security practices, such as least-privileged access, audit trails for sensitive actions, and centralized logs for investigating incidents.
- Drive policy and process tuning to align internal processes to meet various regulatory requirements around consumer privacy.
- Ensures Information Security controls meet company standards for confidentiality, integrity, availability and defense in depth security principles
- Proactively identifies and develops recommendations to information security and cyber risk issues by working with cross-functional teams.
- Support activities to ensure that risk and controls are in compliance with regulatory requirements and remain in line with the company risk appetite
- Lead the Identity & Access Management initiatives across the organization to establish least privilege principle for critical asset and information.
- Develop creative ways to raise security awareness and programs that are tailored to the needs of specific roles within the organization.
- Drive adoption of security controls and policies across the organization
- Review and present metrics to monitor control-related developments, issues and trends in the management of cybersecurity, technology and information security risks.
- Maintain and/or oversee relevant policies and procedures related to Glossier security processes
- Build cloud governance tooling to automatically monitor and enforce our AWS security policies.
- Facilitate red team and security incident response drills.
- The successful candidate should have extensive knowledge of security industry best practices as well as modern solutions, and must be hands-on collaborating with the organization to ensure the business manages cybersecurity risk efficiently.
- Experience with regulatory requirements (i.e. PCI; GDPR;CCPA; Privacy; NYDFS; etc)
- Experience in using InfoSec assessment/audit tools and/or controls questionnaires based industry standard frameworks (i.e. NIST; ISO; Cobit; CSA)
- Have experience and knowledge of driving DR, BCP and Incident Response tabletop or simulations.
- Experience and knowledge of security controls in public cloud (AWS and other cloud applications)
- Has implemented frameworks and tooling to continuously monitor for security controls.
- Demonstrated experience across information security and cyber risk domains required
- Must be able to explain security risks to any audience (including senior executives), and discuss effective defensive techniques
- Can appropriately align security goals with business value and make effective tradeoffs.
- Candidate must have excellent organization skills and be a self-motivated learner, Effective Communication skills
- One or more relevant certifications preferred (CISA, CRISC, CISM, or CISSP)
- Any programming or scripting experience/knowledge is a plus.
Our Technology Stack:
- AWS to host our infrastructure
- Heterogeneous data stores: GSuites, Dropbox, S3, Postgres, Redis, DynamoDB, and Redshift
- Datadog, Looker, PagerDuty for monitoring, analytics and alerting
Glossier is a beauty company that lives in NYC, is sold on the internet, and promotes a skincare first philosophy that celebrates beauty in real life.
We are an Equal Employment Opportunity (“EEO”) Employer. It has been and will continue to be a fundamental policy of Glossier not to discriminate on the basis of race, color, creed, religion, gender, gender identity, pregnancy, marital status, partnership status, domestic violence victim status, sexual orientation, age, national origin, alienage or citizenship status, veteran or military status, disability, medical condition, genetic information, caregiver status, unemployment status or any other characteristic prohibited by federal, state and/or local laws. This policy applies to all aspects of employment, including hiring, promotion, demotion, compensation, training, working conditions, transfer, job assignment, benefits, layoff, and termination.