Principal Security Engineer
Code for America
Code for America believes government can work for the people, by the people, in the new digital age, and that government at all levels can and should work well for all people. For more than a decade, we’ve worked to show that with the mindful use of technology, we can break down barriers, meet community needs, and find real solutions.
Our employees build and transform government and community tools and services, making them so good they inspire change. We merge the best parts of technology, nonprofit, and government to help support the people who need it most. With a focus on diversity, equity, inclusion, and deep empathy for partners in government and community organizations and the people that our partners serve, we’re building a movement of motivated change agents driven by meaningful results and lasting impact. At Code for America, you contribute to exciting work while learning and developing in a supportive and flexible environment. Our compensation and benefits are holistic and thoughtfully curated to represent our employees and our mission. Help us drive real generational change that lasts.
Code for America is looking for a talented Principal Security Engineer to join our security practice and ensure that all our products meet a high standard of security and that we have the appropriate privacy protections in place.
As of October 27, 2023, Code for America has reached a CBA (collective bargaining agreement) with Code for America Workers United, affiliated with OPEIU (Office Professional Employees International Union, Local 1010). This position is not designated as part of Code for America Workers United.
About the Role:
In this role, you will work with our Product Engineering and DevSecOps teams as a contributing engineer, in order to gain a deep understanding of our technical systems and identify the most impactful opportunities to improve our overall security and privacy posture. You will also spend time stepping back from product work to evaluate our organizational practices and security compliance as a whole, establish security and privacy policies and best practices, and serve as an advisor across teams for any security and privacy issues as they arise.
This role requires experience with both proactive (prevention) and reactive (detection and response) security work.
This position is full-time, based in our office in San Francisco or remote, and reports to our Vice President of Engineering.
In this position you will:
- Lead Security Initiatives: Take charge of major security projects or initiatives within the organization, setting goals and timelines, creating tickets, defining cross-portfolio technical templates, and ensuring successful implementation.
- Security Architecture and Design: Develop and oversee the implementation of security architectures for software applications. This includes establishing secure coding practices, threat modeling, and ensuring the security of the entire development lifecycle.
- Threat Monitoring: Proactively identify and mitigate potential security threats. This might involve the use of tools and techniques to detect, hunt, and respond to cyber threats in real time.
- Risk Assessment and Management: Conduct comprehensive risk assessments and audits to evaluate the security posture of the organization. This includes identifying vulnerabilities, assessing potential impacts, and proposing risk mitigation strategies.
- Incident Response and Forensics: Lead the response to security incidents, including the investigation of security breaches. This might also involve conducting forensic analysis to understand the cause and impact of a breach and implementing measures to prevent future incidents.
- Policy and Compliance Oversight: Ensure that all security practices and procedures comply with regulatory requirements. This might involve staying up to date with the latest regulations and standards, such as NIST SP 800-53 Rev. 5.1, SOC 2, ISO 27001, etc.
- Mentoring and Leadership: Provide guidance and mentoring to junior security team members, helping them develop their skills and their understanding of complex security concepts and practices.
- Interdepartmental Collaboration: Work closely with other departments, such as IT, legal, and human resources, to ensure a holistic approach to security and privacy across the organization.
- Technology Research and Adoption: Keep abreast of the latest security technologies and trends, and evaluate their potential application within the organization.
- Stakeholder Communication: Communicate effectively with stakeholders at all levels, including non-technical staff, to ensure a broad understanding of security risks and measures.
What you’ll bring:
- At least 10 years’ experience in a software engineering or information security role, including at least 4 years in a security-focused role, along with privacy protection experience.
- Deep subject matter expertise spanning multiple information security domains.
- Excellent written and verbal communication skills.
- A pragmatic and collaborative attitude, focused on enabling teams to achieve their goals.
- Strong organization, with the ability to manage time and balance competing priorities effectively.
- Strong coding skills and experience with agile software development and DevOps practices.
- Strong knowledge of incident response and security operations.
It’s a bonus if you:
- Have personal experience with the justice system, social safety net, workforce training, or other mission-relevant government services.
- Have experience building customer-facing applications for the web using frameworks such as Ruby on Rails or Java Spring (our current supported tech stacks).
- Have experience operating and securing production environments using tools such as Ansible, Terraform, and AWS cloud services.
- Have experience navigating security compliance in a government context.
- Are familiar with and comfortable with pair programming and test driven development (we don’t pair all the time, but we find it really helpful in lots of contexts!)
What you’ll get
Code for America’s salary bands are transparent as a part of our commitment to diversity, equity, and inclusion. We are happy to extend this transparency in the recruitment process. As part of our equitable hiring practices, we aim to target the 2nd quartile midpoint of each salary band, for all new hires.
The 2nd quartile midpoint offer numbers vary based on market / geographic location. The target offer numbers for this role range from $143,884 - $176,138, annually.
Benefits and perks:
- Leadership and teammates who value Diversity, Equity, and Inclusion (DE&I)
- A collaborative, cross-functional, hardworking and fun environment
Medical & Retirement:
- Full benefits package with 100% coverage of select medical, dental, and vision plans, plus an 80% contribution towards the cost of dependent and family coverage
- 401k plan with matching funds up to 3%
- Biannual 360 review process alongside compensation reviews
- $1000 annual (per calendar year) stipend towards professional development
- A manager and org-wide structure that supports and enables professional development
Remote work and time off:
- Open personal time off, 16 paid holidays, and an org-wide closure Christmas Day through New Years Day
- Intentional paid sick time; up to 96 hours annually
- Competitive paid parental and family leave
- Collaborative working hours:
- Full time employees work 40 hours per week, Monday - Friday
- We aim to hold all internal meetings between 10 AM - 3 PM PT; we expect all Code for America staff to be available during these set collaborative working hours
- Code for America employees may work remotely across the US:
- Code for America employees may not work remotely outside of the US at any time during their employment
Employee enablement support:
- $200 stipend in first paycheck for remote environment setup
- Additional equipment reimbursement of up to $500 for remote enablement
- Cell phone and/or internet reimbursement of $50 per month
Equal Employment Opportunity:
Code for America values a diverse, equitable, and inclusive workplace and strongly encourages women, people of color, LGBTQ+ folks, people with disabilities, members of ethnic minorities, foreign-born residents, and veterans to apply. Code for America is an equal opportunity employer. Applicants will not be discriminated against because of race, color, creed, sex, sexual orientation, gender identity or expression, age, religion, national origin, citizenship status, disability, ancestry, marital status, veteran status, medical condition or any protected category prohibited by local, state or federal laws.