Summary of Department:

The Aumni Information Technology & Security department is responsible for maintaining the IT operations and security of Aumni’s web app, systems, and data. We collaborate with all other departments in various capacities with an emphasis on reducing friction where possible while maintaining security. Our mission statement is:

To deliver stronger, smarter security solutions, provide peace of mind for the venture capital ecosystem, and enable the success of our customers, employees, and investors.

How You’ll Help Us Win:

We acknowledge that cyber security is a broad discipline and that not all individuals have experience in each of the requirements listed below. If you do not have experience in every area below, do not let it discourage you from applying.

This is a working manager role and will report to the VP of Information Technology and Security. Working manager means we expect the role to be doing work alongside the other security engineers, as well as leading and managing them.

  • Leading a team of application and cloud security engineers
  • Define, execute, and oversee Aumni’s security engineering strategy.
  • Risk and vulnerability management in coordination with our Governance, Risk, and Compliance team.
  • DAST strategy, scanning setup, configuration, and maintenance
  • SAST strategy, scanning setup, configuration, and maintenance
  • Inform the strategy for future headcount and budget
  • Work with security vendors to implement tools and stay within budget constraints.
  • Work with product management, engineering managers, and developers to implement security updates and security features in our infrastructure and web application.
  • Threat modeling assets and processes.
  • Educate our software engineers on secure coding practices and build out a robust security champions program
  • Assist our customers with their SSO configurations, identify product roadmap features that require a security eye, review API security configuration
  • Knowledgeable of the Secure Software Development Lifecycle Framework.
  • Knowledgeable of well-known security frameworks (ASVS, NIST CSF)
  • Experience with various threat modeling tools and methodologies (STRIDE, OWASP Top 10, Threat Dragon)
  • Hands-on experience implementing & managing various SAST, SCA & secret scanning tools (Snyk, GitLeaks, Dependabot)
  • Hands-on experience investigating & prioritizing vulnerabilities discovered by third-party security tools (identifying false positives, out-of-scope items, adjusting the CVSS severity of a vulnerability to business context, etc.)
  • Hands-on experience with DAST tools (Burp Suite, Rapid7, OWASP ZAP)
  • Knowledgeable of CI/CD tools and how to integrate security into the pipeline (CircleCI, Jenkins)
  • Experience securing: Rails, React, Next.js, Python
  • Knowledge of SDET tools and writing security test cases
  • Experience securing various layers of the OSI model.
  • Experience configuring and maintaining a Content Security Policy & other HTTP Security Headers.
  • Experience configuring and maintaining a Web Application Firewall
  • Experience with cloud platforms and securing them
  • Posture Management Monitoring
  • Secure Infra Config
  • Infra Perimeter Monitoring
  • Web App Perimeter Monitoring
  • Infra Access Management
  • Container Security
  • IaC Security
  • Runtime Security
  • Peer review of IaC
  • Container Hardening and Compliance (CIS benchmarks)
  • Kubernetes Hardening
  • Kubernetes Compliance
  • Cloud Security Strategy & Architecture
  • Security Champion collaborator
  • Penetration Testing Vulnerability Management
  • Incident Response Support

What You’ll Need:

  • 2+ years of people management experience
  • 3-5 years of cyber security experience
  • Self-motivated and autonomous
  • Ability to work with little management oversight and direction
  • Must be a team player who is eager to share domain knowledge with the team and eager to learn from others as well.
  • Experience architecting, developing strategies, and executing security engineering systems and processes.
  • Experience with DAST and SAST tools
  • Experience with risk and vulnerability management
  • Preferred, not required: BA/BS/MS or equivalent in a relevant field
  • Preferred, not required: CISSP, CISA, CISM, CEH, or other related security certifications.