Principal Information Security Engineer

The Zwift Information Security Team is looking for a Principal Information Security Engineer to help build and grow product security within service and engineering teams and address both deeply technical and programmatic security issues. This individual will set the vision for security engineering projects as well as mentor and cultivate our DevSecOps culture. The role requires partnering with project stakeholders to define key security metrics, identify, prioritize, and manage risk, and help to build world class security engineering teams in a fast paced cloud based containerization environment. You will coordinate and influence cross-functional engineering and integration teams to provide security consultation throughout the organization. 

Successful Principal Information Security Engineers at Zwift are self-starters, able to work autonomously, natural problem solvers, collaborative, and comfortable navigating ambiguity. You should have strong problem-solving skills, excellent interpersonal skills, a deep technical understanding of modern web applications, client/server applications, and containerization based security threats, strong scripting and automation skills, and the desire to be an individual contributor to securing Zwift enterprises, services, and products.

What you’ll do: 

• Align security strategy with business objectives and facilitate broad communication across the organization.
• Identify key security controls and team metrics and design security policy and enforcement strategies.
• Mentor security and engineering team members and build open, informative, and collaborative relationships.
• Establish security analytics and monitoring capabilities for consumption by security operations teams.
• Proliferate DevSecOps methodologies and cultivate a culture of highly integrated security strategies across Zwift development efforts.
• Advise and consult internal engineering teams on risk assessment, incident triage, threat modeling, and security vulnerability mitigation.
• Design and maintain a regular technology proposal review process.
• Develop and maintain a public bug bounty and vulnerability submission process.

What we’re looking for: 

• 5+ years of demonstrated information security engineering leadership and experience building cross functional security teams.
• 5+ years application security experience designing, building or testing web and API based architectures.
• 3+ years aligning security strategies with business objectives.
• Comprehensive understanding of modern DevSecOps methodologies.
• Deep understanding of security vulnerabilities, attacker exploit techniques, common objectives, and tactics affecting public web applications.
• Deep working knowledge of the public cloud infrastructure and services in AWS (IAM, KIAM, EKS, EC2, VPC, KMS, CloudWatch, Systems Manager, S3, RDS, Route53, Lambda, AWS Config, etc.).
• Excellent understanding of docker and container orchestration with kubernetes and experience running production kubernetes clusters in Amazon EKS, Google GKE, or similar managed platform.
• Experienced scripting skills (e.g. Python, Go, JS, C, C++, Java, Ruby, or PowerShell)
• Excellent communication skills and approaches to relationship building.

Bonus points: 

• Prior working experience in or with a Software Development Team.
• Experience crafting or working with bug bounty programs.
• Prior experience authoring or delivering public talks, meetups, conferences, or other business related events.
• Prior security auditing of Zwift applications, networks, and infrastructure.