GRC Engineer - Cloud & Application Security

About One

One’s mission is simple - to help customers achieve financial progress. We’re doing this by creating simple solutions to help our customers save, spend, borrow, and grow their money – all in one place.

The U.S. consumer today deserves better. Millions of Americans today can’t access credit, build savings or wealth, and are left to manage their financial lives through multiple disconnected apps. Almost a quarter of U.S. adults are unbanked or underbanked and roughly 80% of fintech users rely on multiple accounts to manage their finances.

What makes us unique? We are backed by a preeminent fintech investor (Ribbit) and the world’s largest retailer (Walmart), maintain the speed and independence of a startup, and employ a strong (and growing) collection of world-class talent.

There’s never been a better moment to build a business that helps people achieve financial progress. Come build with us!

The role

As a GRC Security Analyst, you will be instrumental in defining and implementing the overall strategy for One’s Information Security program, and will have opportunities to identify control gaps and lead initiatives to remediate such gaps. 

You will be designing, overseeing and executing One’s information security risk management processes, including defining security standards and policies, performing internal and external security assessments, identifying and managing security risks, and supporting audits conducted by independent parties. You will be focusing on evaluating the security posture of our cloud infrastructure and application security designs, ensuring they comply with compliance frameworks such as SOC 2 and PCI DSS controls. The ideal candidate will have a strong technical background in cloud security and application security architecture, as well as a deep understanding of AWS services, containerized environments, and modern application frameworks.

This role’s responsibilities include: 

• Proactively evaluate the security configurations of One’s applications and AWS services, such as IAM, VPC, S3, EKS, RDS, and Lambda, based on best practices and One’s established security standards
• Determine detailed remediation plans and steps for security gaps, and work independently or in conjunction with stakeholders to resolve such gaps
• Define, publish, and maintain company-wide security standards and requirements based on industry best practices, evolving threat landscape, and new security-related regulations & frameworks
• Perform in-depth security assessments of third party hosted applications and systems, and provide security recommendations on the desired integration with such systems
• Collaborate with team members on performing security reviews on new product features, system architectures, and business processes
• Support ongoing information security audit initiatives and compliance projects with the team
• Share guidance and training to internal One teams on overall information security, AWS security, and compliance requirements
• Engage with both technology and business teams as a consultant for any security-related issues that affect One’s product features and offering.

You bring

• 5+ years of experience in security governance, cloud and application security assessments, risk management, and/or third party risk
• Strong knowledge of various industry standard frameworks such as NIST, FFIEC, SOC 2, PCI DSS, HiTrust, etc
• Thorough knowledge of enterprise-scale security architecture, cloud security, and application security best practices
• Domain knowledge of multiple disciplines including IT systems, networking, security, and compliance
• Familiarity with containerization technologies (e.g., Docker, Kubernetes) and CI/CD pipelines.
• Excellent written and verbal communication skills, with the ability to convey technical concepts to both technical and non-technical audiences
• Strong analytical and problem-solving skills with the ability to work independently and as part of a team.
• Relevant certifications such as AWS Certified Security Specialty, Certified Information Systems Security Professional (CISSP), or Certified Cloud Security Professional (CCSP) are a plus

Pay Transparency

The estimated annual base salary for this position ranges from $175,000 to $190,000. Pay is generally based upon the level, complexity, responsibility, and job duties/requirements of the specific position. We then source candidates with the requisite skills, expertise, education, training, and experience.  If you are selected for an interview, please feel welcome to speak to a Talent Partner about our compensation philosophy and other available benefits.

What it’s like working @ One

• Competitive cash
• Benefits effective on day one
• Early access to a high potential, high growth fintech
• Generous stock option packages in an early-stage startup
• Remote friendly (anywhere in the US) and office friendly - you pick the schedule
• Flexible time off programs - vacation, sick, paid parental leave, and paid caregiver leave
• 401(k) plan with match

We use Covey as part of our hiring process for jobs in NYC and certain features may qualify it as an AEDT. As part of the evaluation process we provide Covey with job requirements and candidate submitted applications. We began using Covey Scout for Inbound on May 31, 2024.

Please see the independent bias audit report covering our use of Covey here.

Leveling Philosophy

In order to thoughtfully scale the company and avoid downstream inequities, we’ve adopted a flat titling structure at One. Though we may occasionally post a role externally with a prefix such as “Senior” to reflect the external level of the position, we do not use prefixes in titles like that internally unless in a position which manages a team. Internal titles typically include your specific functional responsibility, such as engineering, product management or sales, and often include additional descriptors to ensure clarity of role and placement within our organization (i.e. “Engineer, Platform”, “Sales, Business Development” or “Manager, Talent”). Employees are paid commensurate with their experience and the internal level within One.

Inclusion & Belonging

To build technology and products that are used and loved by people and solve real-world problems, we need to build a team with many different perspectives and experiences. We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. We encourage candidates from all backgrounds to apply. Applicants in need of special assistance or accommodation during the interview process or in accessing our website may contact us at talent@one.app.