Security Program Manager

Sandbox Banking is looking for an exceptional security program manager who wants to help accelerate banking innovation across the world! We are a remote team with employees across the US.

Successful candidates will be excited to maintain and improve every aspect of our SaaS company’s security posture! Deep understanding of organizational/human behavior, policy design, employee training, third-party audit processes, cloud architecture, software engineering, customer due diligence, red-team penetration testing, and vulnerability discovery/remediation program management will be required. The individual will be considered a member of the Sandbox Banking leadership team, and their input will significantly influence product and technology strategy.

Security is never an after-thought for us. Our bank customers trust us to connect their most sensitive data sources – we’ve always treated the safeguarding of their systems/data as both a business necessity and ethical responsibility.

Successful candidates will be expected to demonstrate relevant experience working in a dynamic environment dealing with complex challenges, and continuously communicate with all members of the business to achieve security objectives. Sandbox is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.

Product We provide a low-code integration builder called Glyue for banks and fintechs to quickly connect their systems. US regional/community banks and credit unions are looking to overhaul the digital experiences they deliver to customers. Increasingly, they solve this challenge by sourcing software from fintech companies that specialize in building and operating financial services software. Unfortunately, distributing new software to FIs has historically been a long and painful process because of data security and system integration hurdles.

Sandbox empowers FIs and fintech vendors to quickly and safely build new integrations – our Glyue application lets anyone who can use Excel formulas connect banking systems. Furthermore, the platform’s fine-grained authentication and permissions model provides FIs with strict control over which people/software can access particular banking data and operations.

FIs and fintechs love the platform. FIs are able to quickly and cost-effectively leverage cutting-edge solutions without compromising on integration; fintechs don’t need to spend time and money on activities outside of core product development and distribution.

Why Work at Sandbox? -Small team of just over 30 full-time employees – you will own problems from start to finish and meaningfully impact company outcomes; -Teammates who are smart, curious, and driven to succeed. You will always be learning; -Your ideas and opinions about the product will matter. Everyone in our company contributes to our product roadmap; -You’ll use a variety of technologies across our entire software stack; -Remote-first organization that provides geographic flexibility (although all employees must live in the US); 70+ bank and credit union clients; -$5.35MM of venture capital raised in 2022; -Top-tier investors like Y Combinator; -Competitive salary and stock option compensation; -Your work will transform an entire industry;

Responsibilities Our security program manager will need to perform a variety of tasks to help maintain the security posture and requirements of Sandbox Banking: Work closely with the CTO, architects, engineers, and system administrators to ensure security is maintained as new functionality is delivered; Design and implement standards, policies, guidelines and appropriate architectural principles to ensure the firm’s cyber security goals continue to be met; Provide risk-based direction in conjunction with IT teams for future system enhancements in line with the overall firm’s strategy; Recognize potential opportunities to enhance the firm’s security and help deliver the necessary changes to realize such gains; Provide security subject matter expertise to support relationships with partners, customers, and vendors; Ensure systems and their information handling comply with current and (to the extent they’re predictable) future requirements; Ensure Sandbox Banking runs effective data classification processes; Ensure Sandbox Banking runs effective data retention processes; Ensure governance, policy and procedures in relation to information security meet agreed standards within the company; Appropriately scope and manage penetration testing of company infrastructure, products, services, and processes; Scope and implement appropriate vulnerability discovery technologies and processes; Project manage and complete annual internal security audit; Project manage and complete annual SOC 2 Type 2 audit; Project manage and complete quarterly access reviews; Maintain sufficiently updated standard vendor due diligence packets for partners and customers; Handle bespoke vendor due diligence requests from partners and customers; Provide security-related feedback and suggestions to help harden the company’s products and services; Scope, design/source, and ensure the delivery of appropriate security training for Sandbox Banking personnel; Refine and test the company’s incident reporting and breach management policies; Execute the company’s incident reporting and breach management procedures as necessary. This would require oversight and guidance during security incidents and investigations. It would include root cause analysis, communication with appropriate internal and external parties, and deriving appropriate learnings to be utilized for strengthening the company’s security posture; Provide quality reporting to summarize security posture details and security testing outcomes. Reports will include objectives, planning, methodology, results, analysis and recommendations to both technical and non-technical audiences; Extend system development life cycle (SDLC) and enforce SDLC compliance to maintain and enhance security; Selectively perform security code reviews of product changes; Selectively perform security reviews of infrastructure and network changes; Selectively perform security reviews of integration logic changes; Perform initial and ongoing security reviews of (sometimes prospective) company vendors and providers; Continuously update the candidate’s own knowledge of security trends, developments, and best practices; Continuously nurture the company’s cultural focus on security;

Qualifications Successful candidates will meet the following requirements: Minimum of 3 years experience working in full-time role focused on cyber security, with additional experience strongly preferred; Minimum of 3 years experience working in a full-time role as a software engineer or application developer, with additional experience strongly preferred; Proficiency with both Python and JavaScript; Strong understanding of network engineering, architecture, and standard network diagnostics tooling; Strong understanding of the SOC 2 Type 2 audit process and experience leading a company’s efforts to complete the audit; One of the following qualifications/certifications:OSCP, ISACA, CISSP, CISA, CRISC, SABSA. Multiple credentials are preferred; Broad and deep understanding of information security principles and best practices (e.g., ISO 27001, ISF Standards of Good Practice for Information Security), especially as they relate to cloud-based SaaS products; Broad knowledge of information technology systems and deep understanding of the inherent security risks associated with these technologies; Strong communication skills, including the ability to present security topics to a non-technical audiences, articulate the business value and risks of various decisions, and train our employees; Abreast of current industry security trends, developments, and related government regulations; Strong understanding of Amazon Web Services (AWS) and related security best-practices; Strong project management and organizational skills, especially as they relate to the cross-functional management of individuals within different departments to complete security-focused work; Strong analytical and creative skills; ability to provide security solutions that sufficiently protect systems and data while maximizing employee productivity and customer value; There are further qualifications which are considered a significant bonus: Understanding of the ISO 27001 certification process and experience leading a company’s efforts to obtain the certification; Understanding of PCI DSS compliance and experience leading a company through PCI DSS compliance validation; Experience with bank or credit union regulatory compliance; Experience working at bank or credit union technology companies; Experience working at early-stage startups;

Compensation Salary will be competitive for our stage of company, and the role includes a stock option package that provides significant upside. It’s important to us that our early employees win if the company succeeds.