We’re looking for a Cybersecurity Manager

A message from the VP of IT & Security

Does your in-depth understanding of IT protocols make you a successful pen tester or threat hunter? Do you look at an app and think, “I wonder how it caches my secrets, and how its API works”? Are you inherently inquisitive? Do you have a need to dig deeper to understand how technologies actually work? Do you see an indicator of compromise or hint of exploitability and immediately map out several possibilities in your head? Are you eager to take your in-depth knowledge and apply it in a way that impacts and drives the security culture of an entire organization? 

I’m looking for someone that’s as comfortable leading and planning as they are on the console. We’re building a world-class security program using the best tools we can find to monitor, audit, control, and test our defenses. We also perform white-box and black-box testing on our own apps, tools, and services. If you’re up for the challenge of building and leading a team of dedicated and hard-working people, instilling your knowledge and driving them to success, then you shouldn’t hesitate to apply. 

Highlights 

  • Rare challenges and opportunities from our large international customer base.
  • Successful global business, leader in a fast-growing industry. 
  • Highly skilled team using best-practice engineering processes.
  • Meritocratic culture with fast decision-making.

Responsibilities

You’ll lead our global team providing cybersecurity for employees. As manager of this team, you will:

  • Lead by example by being able to perform most of the duties of your team members. We’re looking for a practitioner that is passionate and up to date on the latest security tools and concepts and wants to build modern and highly effective security monitoring and engineering operations to keep our colleagues and customers safe. 
  • Build a Security Operations Center by working with our recruiting teams to find the talent to begin staffing it, then deciding how to execute the mission effectively. We have the tooling for a SOC in place, but we need to build the team and expand our capabilities.
  • Build a Red Team by working with our recruiting teams to find the talent to begin staffing it, then begin executing our backlog of internal assessments and red team engagements. 
  • Be the people leader for all members of the team. You hire, train, motivate, assign responsibilities, and hold the team accountable to reaching agreed-upon goals. 
    • The current team, which reports to you, consists of 2 security engineers in Hong Kong
    • By the end of 2020, we want to triple the size of this team.
  • Implement the hiring plan for your team in APAC. Partner with our recruiting teams to interview, hire, and onboard new staff.
  • Articulate and drive a vision of what the Security functions should be to best support the needs of the business.
  • Design processes, document them very clearly, measure their metrics, and improve them.
  • Coordinate with other teams, especially Engineering, Ops, HR, Facilities, Finance, and IT.

The team is responsible for:

  • Security Operations Center
    • Network-based & host-based intrusion detection. Detect and stop attack attempts or successful exploits. Research and implement solutions, or self-operate tools as needed.
    • Detect unauthorized exfiltration. Analyze logs and traffic patterns to find possible data exfiltration occurring on our systems.
    • Collect and analyze logs from all devices across the company and monitor and alert on suspicious activity.
    • Respond to and investigate incidents. Perform incident triage and response, digging into the facts and indicators of compromise to make sound recommendations and analysis. Design, implement, and test incident response processes.
  • Red Teaming
    • Analyze and attack internal infrastructure. Run Metasploit, the Kali Linux toolchain, and similar tools on an ongoing basis in all office locations using best-practice methods. Ensure that standard hacking tools do NOT show vulnerabilities. If someone is going to hack us, they need to do it with zero-days or application bugs that they must find themselves, NOT with off-the-shelf vulnerabilities.
    • Build custom tools and techniques. Write scripts and tools and automate processes to support red teaming engagements and test our defenses.
    • Perform black-box and white-box testing on our consumer-facing services and apps. We have apps on all major operating systems and the backend services to support them.
    • Search for rogue assets. Scan for and identify unauthorized or misconfigured company assets exposed to the Internet.
    • Validate our defenses. Use your knowledge and skills to validate our threat models and defense.
    • Identify and vet external pentesting vendors, own these relationships long-term (they might engage with various teams across the company over time and need you as a consistent point of contact), and help coordinate their projects.
  • Threat Modeling & Security Engineering
    • Analyze the security capabilities of various SaaS services. Perform threat modeling on how they can be exploited, analyze how to validate configurations and catch risky changes immediately, and create a set of tools and processes to adequately control and monitor each service. These SaaS services include but are not limited to:
      • Okta
      • G Suite
      • Slack
      • 1Password
      • Jira
      • Zendesk
      • GitHub
      • And many more
    • Use the MITRE ATT&CK framework as a guide for threat modeling and implementing security controls for those threats. 
    • Engineer security solutions. Provide high-quality engineered solutions for monitoring, auditing, and controlling security across various devices and services. Work with the IT and Ops teams to use endpoint protection software for employee devices, IT servers, and cloud-app servers. 
    • Run an effective vulnerability management program. Ensure patch management is in place to identify published and n-day vulnerabilities early, assess the impact of these vulnerabilities, and perform corrective actions.
    • Perform escalation engineering to other teams, including the SOC and teams outside of IT & Security.
    • Participate in security engineering reviews and threat modeling for our consumer-facing apps and services managed by teams outside of IT & Security. Help all of our teams implement effective security in their products and advise on security issues.
    • Run security QA as part of our software development process.
    • Oversee our bug bounty program.
  • Partner with IT and engineering teams. You will identify the problems; the owners of the affected devices or systems are responsible for fixing them. You will ensure that the issues have sufficient priority and get fixed in a timely manner, and that we eliminate root causes where feasible.
  • Train employees.
    • Advocate security best practices across the company, including employee IT as well as cloud operations.
    • Curate security-related training content for all employees.
    • Be an internal trainer for some topics directly.
  • Create PR content describing our security processes to the public (e.g., blog posts, guest posts, trust-center updates, open-source contributions, etc.). Create brand value.
  • Decide where to spend the company’s security budget on vendors, training, and licenses.

The team’s success metrics include:

  1. All parts of the company passing periodic pentests and red-teaming engagements
  2. Finding, classifying, and responding to security events and incidents 
  3. Our brand being publicly regarded as having world-class security operations

Relationship between the Security team and other teams: Each team is responsible for the secure design, implementation, and operation of its systems. The Security team is responsible for measuring the levels of security across the company, advising on how to fix and preempt problems, and running operational processes that are specific to security.

Requirements

  • Experienced people manager. You have several years of experience being responsible for the output of other people, setting performance expectations, assigning responsibilities, delivering performance reviews, and holding people accountable.
  • Strong English verbal and written communication skills. That’s because you’ll need to write clear policies and process documentation for hundreds of people to understand and follow.
  • Experience in one or more of the core functions the team performs: Pen testing/red-teaming, SOC operations, or security engineering.
  • Experience auditing and configuring security controls for SaaS offerings such as G Suite, Okta, 1Password, or similar services.
  • Excellent at creating, documenting, and running processes. This is especially important given the geographically distributed nature of your team.
  • Deep understanding of what capabilities an adversary may actually possess and what is truly possible in terms of threats and exploitability.
  • Experience securing non-legacy IT environments utilizing cloud directories and other more decentralized controls distributed to various cloud vendors and services. We’re not a Microsoft AD shop.
  • Some experience in or at least a strong understanding of the zero-trust IT model.
  • Experience in defining IT security policies for a mostly cloud-based workforce with minimal on-premise infrastructure.
  • A strong desire to safeguard the privacy of our internal users.

Optional

  • Experience working in several different disciplines, such as system administration, networking, network security, and more. We believe a good background running those types of systems provides a deeper understanding of how to protect them.
  • Experience with SumoLogic SIEM and integrations into SOAR platforms
  • Experience writing and developing tools and automation to automate security activities

What we offer

  • Challenging work in a fun and collaborative environment
  • Attractive compensation and time-off benefits
  • Spacious open-concept and centrally located offices
  • Full-time employment with flexible working hours
  • Fully stocked pantry with fresh fruit and snacks
  • Team lunches and company events every quarter
  • Multicultural teams represented by 30+ nationalities

About us

At Chengbao, we’re leading the way to a more private and secure digital world. Consumers in over 180 countries around the globe rely on our industry-leading cybersecurity software and services.

We are an international tech company with hundreds of people worldwide and a core team in Hong Kong. We’re profitable, growing, and just getting started.

We hire world-class developers, product managers, and marketers in the industry, and give them the tools to succeed. Together, we ship beautiful, usable software for desktop and mobile that our customers use and love every day.

Ready to do the best work of your life? We’ve built just the place.