Lead Information Security Risk Analyst
At Shutterfly, we’re all about people — bringing them together, making them feel welcome, and connecting them to experiences. We make our customers’ memories last a lifetime by capturing, preserving, and sharing them through photography and personalized products. Through our family of brands, trend setting products, cutting edge technology, and best in class customer service, we help our customers, and each other, share life’s joy.
This is an exciting time to join Shutterfly’s Information Security team. In this position you will be an integral part of advancing the company’s enterprise Information Security Program, and you will manage, measure, operationalize and communicate a wide range of Risk assessments across the organization, as well as third-party assessments of Shutterfly’s vendors and partners. The Lead Information Security Risk Analyst will drive information security Risk management, compliance, privacy issues and policy evolution, and contribute to the overall advancement of Shutterfly's Information Security Governance Risk capability.
This lead analyst will have a depth of experience enabling them to understand both information security Risks AND business context. This individual contributor will be a skilled communicator across all audience types, from line-level employees to executive leaders. The person in this position will be expected to take ownership of their area(s), offer recommendations for improvement to leadership to gain buy-in, and drive those improvements through.
The Lead Information Security Risk Analyst will help to coordinate across the organization to understand, categorize and prioritize security Risks, applying business context, leading to clear security Risk mitigation strategies.
Your primary duties and responsibilities will include:
- Lead, navigate, and evolve the Information Security Risk Management program by driving best practice improvements to the identification, remediation and risk reporting processes.
- Responsible for being the primary lead on Shutterfly’s Third Party Risk Management capability. This includes executing assessments, identifying efficiency opportunities, partnering with the legal team on contract provisions relating to security, championing maturation initiatives and improving end user experience and reporting.
- Ability to assess security Risks against industry standards, and regulatory requirements, while maintaining a clear understanding of the Shutterfly business. Ability to flex between inherent and residual Risk is imperative as is the ability to innately recognize various Risk levels, focusing time and effort on the most critical Risks.
- Ability to problem-solve and work through day to day blockers while building and maintaining productive business relationships.
- Work closely with Information Security Architecture, Engineering and relevant operational teams to gather data and insights leading to a holistic view of security risk.
- Communicate information security and compliance Risks to executive management to ensure proper awareness and decision making.
- Maintain Risk management initiatives and/or assessments in a GRC platform such as Archer, Service Now or others.
- Contribute security inputs to the metrics team for periodic reporting and insights.
- Conduct periodic internal assessments for security, Risk and compliance.
- Strong background in cloud security controls and experience implementing information security requirements in a cloud environment (e.g., AWS, Google Cloud, Azure)
- Provide consultation to business units and technology teams on security best-practices and ongoing requirements
- Partner with Privacy and Legal teams to ensure practices and approach are complementary to each other's goals and do not cause undue friction for stakeholders.
- Conduct ongoing research to keep current of the latest security issues, threats and technical capabilities.
- Ability to advise legal teams on information security requirements within contracts.
- In-depth knowledge of information security management system standards (e.g. SOC 2), frameworks, information technology regulatory and compliance requirements (e.g., PCI-DSS, GDPR, CCPA, HIPAA, HITRUST), and industry best practices
- 6-8 years of experience within large-scale information security Risk management programs or information security audit.
- 4-6 years of Information Technology and/or Information Security experience
- Demonstrated knowledge of a broad range of technical concepts: logical access control, agile development process/DevSecOps, secure coding principles, security architecture frameworks and methods, information security, network security, and privacy
- Strong organizational skills with ability to thrive in a sense-of-urgency environment, leveraging best practices, and approaching any problem as a team-player with a can-do attitude
- Superior written and verbal communication skills and ability to interface with all levels of business and executive leadership
- Strong understanding of compliance frameworks such as PCI, SOC2, HIPAA, HITRUST, ISO 27001/2, etc.
- Strong grasp of key elements for a successful Risk Management Program and related frameworks or standards (e.g. NIST, ISO, COBIT)
- Ability to travel up to 10-15%
- Bachelor of Science and/or Master’s in CIS/MIS/CS/CE, Engineering/Technology or related field or equivalent experience/training
- CISSP, CISA, CISM, GIAC or equivalent, proven experience. Demonstrates a desire to attain industry-relevant certifications over time
- Experience with interpreting results of scanning tools such as Qualys or Nessus as it pertains to documenting information security Risk(s)
- Experience with Axonius and/or Kogni.
- Information security consulting experience or substantial cross-functional responsibilities