Security Program Manager

  • San Francisco, CA
  • Full-time

Company Description

We believe everyone should be able to participate and thrive in the economy. So we’re building tools that make commerce easier and more accessible to all. We started with a little white credit card reader but haven’t stopped there. Our new reader helps our sellers accept chip cards and NFC payments, and our Cash app lets people pay each other back instantly. We’re empowering the independent electrician to send invoices, setting up the favorite food truck with a delivery option, helping the ice cream shop pay its employees, and giving the burgeoning coffee chain capital for a second, third, and fourth location. Let’s shorten the distance between having an idea and making a living from it. We’re here to help sellers of all sizes start, run, and grow their business—and helping them grow their business is good business for everyone.

Job Description

At Square, Information Security partners with internal teams to help them understand the information security risks of their products and help those teams drive risks down. Remediating known vulnerabilities in a timely manner is one of the most effective ways for teams to reduce the risks within their projects. Further, recognizing the risks that 3rd party suppliers may introduce to a product allows teams to make reasonable risk trade-offs that enable them to ship products securely.

The Security Program Manager owns Square’s vulnerability management program, vendor security management program, and Square’s bug bounty program. This individual works through others to reduce risk by ensuring vulnerabilities are closed within agreed-upon SLAs, ensuring 3rd party vendors/software adhere to Square’s security policies, providing feedback and guidance to craft our vendor security policies, and ensuring Square maintains a healthy and productive relationship with external security researchers. Additionally, this individual will provide limited project management support for internal information security projects. This individual will report to the Head of Information Security.

You will:

  • Own Square’s vulnerability management program
    • Provide visibility and metrics of the current state of vulnerabilities to stakeholders
    • Provide oversight and stakeholder accountability of SLAs
    • Collaborate closely with Information Security peers to help teams understand and resolve complex vulnerabilities
  • Own Square’s bug bounty program
    • Collaborate with Square engineers to understand, prioritize, and remediate vulnerabilities reported by external security researchers
  • Own Square’s vendor security management program
    • Collaborate with IT, Engineering, and Procurement to design a vendor security review process that adheres to Square’s security policies while also enabling peers to find the best vendor/solution for their problem.
  • Provide project management support for up to two information security projects per quarter of medium complexity (3-6 month project duration).


You have:

  • 5+ years of industry experience.
  • 5+ years of project management experience.
  • Excellent verbal and written communication skills in an engineering environment
  • Ability to work through others
  • Strong technical background
  • Experience in setting up project schedules and breaking down engineering work.

Even better:

  • Previous experience working in/with an information security team.
  • Previous experience running a vulnerability management and/or bug bounty program
  • Hands-on experience with JIRA and other Atlassian products
  • Hands-on experience with vulnerability scanners
  • Experience with data visualization (e.g. Looker/Tableau)
  • Experience with PCI, SOC 2, and ISO 27001 compliance

Reasons you will LOVE this position:

  • You LOVE working through others.
  • You have a strong ability to lead without authority and develop consensus.
  • You are excited by the idea of maturing processes.
  • You love making metrics move in the right direction.
  • You LOVE managing multiple, small information security projects.

Reasons you will NOT LOVE this position:

  • You are uncomfortable working with some ambiguity
  • You think saying “Because security says so” is enough justification to drive change.
  • You are uncomfortable working with/talking to engineers

Additional Information

At Square, we value diversity and always treat all employees and job applicants based on merit, qualifications, competence, and talent. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. We will consider for employment qualified applicants with criminal histories in a manner consistent with the requirements of the San Francisco Fair Chance Ordinance.