Staff Security Engineer, Security Assurance

About the team

We are looking for a Staff Engineer to be the technical lead of our GRC engineering team. You will be responsible for developing and implementing strategies to ensure we get and maintain industry certifications, and liaising with other teams delivering parts of our overall security posture. The ideal candidate will have a proven track record of building, implementing and improving the maturity of security programs in Cloud-based SaaS organizations and possess excellent leadership and communication skills.

We are building a security system that’s automated at scale, rigorously data-driven, and built from the ground up with defense-in-depth and self-healing in mind. This system supports a highly autonomous, remote-first, cloud-native organization. We are a technical team that can build any tool we need. We also want to open-source as much of our work as possible for security practitioners.

To support our growth and ambitious vision, we embrace agile principles and values, share openly, apply context-driven security mechanisms, default to action, and have an OSS-first mindset. We are a 100% remote company. We believe in high-velocity but reasonable expectations and timeframes, giving people the room to do great work in a setting that prioritizes health, happiness, and work-life balance.

Role

The Staff Security Assurance Engineer will collaborate across Grafana to articulate security policies, implement continuous monitoring, automate workflows, and write and deploy policies across all of our SDLC, applications, and infrastructure. The ideal candidate will have a proven track record of building, implementing and improving the maturity of security programs in Cloud-based SaaS organizations and possess leadership and communication skills.

This role involved hands-on keyboard development, so programming chops and a deep knowledge of securing cloud-native, container-based architectures are critical. Knowledge of security standards and frameworks (ISO, FedRAMP, PCI-DSS, etc) is useful, but the disposition to quickly learn new things is more important than rote knowledge here. Experience negotiating with peers, stakeholders, customers, and auditors is highly valuable. You will work alongside other security engineers, full-stack developers, and customer-facing teams.

Responsibilities:

• Be a technical lead for our assurance team covering a range of areas, including certifications, application security, cloud security, and internal tooling development
• Develop, implement, and maintain highly automated security assurance programs to ensure compliance with organizational and regulatory requirements (e.g., ISO 27001, SOC 2, GDPR, NIST, PCI-DSS)
• Develop systems, automations, and methods of security observability to push the GRC engineering organization beyond just meeting certification requirements
• Deploy security and compliance checks in an employee-enabling way (guardrails and paved roads) in their daily workflows and build pipelines
• Define, optimize, and implement the engineering strategy in concert with the security leadership team, ICs and stakeholders across the business
• Design cutting-edge security metrics to show the security value of what we do
• Coach and mentor to ensure your team members are motivated, happy and engaged. Provide continuous feedback to ensure that they can add value while maintaining high standards
• Collaborate with cross-functional teams to integrate security controls into the software development lifecycle and operational processes.
• Respond to customer security issues, security alerts, and potential incidents

Requirements:

• Solid experience with at least one programming language. We primarily use Go, TypeScript, and Python but most languages translate well. You will take a code screen.
• Deep knowledge of using and securing containerized, cloud-native applications, ideally with Kubernetes. Experience with multiple cloud providers is a strong plus.
• Proven expertise in automating security compliance processes using tools, scripts, and frameworks while enabling developer and employee workflows.
• Deep understanding of industry-recognized security frameworks, standards, and certifications, such as ISO 27001, SOC 2, PCI DSS, NIST, or GDPR.
• Strong interpersonal skills. Experience collaborating (and negotiating) with peers, stakeholders, auditors, and customers.
• Strong capability to manage multiple complex projects and deadlines simultaneously, ensuring timely delivery of security and compliance objectives.
• A degree in Computer Science, Information Security, or related field (or equivalent experience).

Bonus Points:

• Working knowledge of Grafana Labs OSS projects and products. Experience in using observability tooling to solve security problems.
• Experience working with OSS communities
• Experience securing large-scale distributed systems running in public clouds

In the United States, the Base compensation range for this role is USD 202,000 - USD 243,000. Actual compensation may vary based on level, experience, and skillset as assessed in the interview process. Benefits include equity, bonus (if applicable) and other benefits listed here.

*Compensation ranges are country-specific. If you are applying for this role from a different location than listed above, your recruiter will discuss your specific market’s defined pay range & benefits at the beginning of the process.