Logo
Klaviyo Inc.

Lead Security Risk Analyst

Klaviyo Inc., San Francisco, California, United States, 94199


We’re seeking a highly motivated

Lead Security Risk Partner

who will help us continue to evolve our Risk function by using engineering principles and data-driven strategies to precisely identify, understand, communicate, and prioritize mitigation of risk. This role will start out primarily focused on a subset of our Risk programs: internal security risk management (risk discovery, assessment, and governance) and security metrics (analysis, curation, reporting)

You’ll partner closely with Engineering, IT, Security, Leadership, and basically every other team at Klaviyo to create a holistic view of risk based on high quality data about our assets, weaknesses, threats, and safeguards (controls). You’ll help your fellow Klaviyos identify, understand, prioritize, and manage risks that they own. You will help evolve our risk management practices to be transparent and centered around evidence-based risk models. Through all of this, you’ll help Klaviyo scale securely and sustainably deliver value for our customers.

What you’ll be doing

Lead and execute new Risk program maturity projects that introduce more rigorous, streamlined, and automated approaches to risk management

Partner with other departments and teams to drive mutual understanding of security risks they own and how to prioritize managing those risks in support of Klaviyo’s goals

Create, tune, and operationalize business relevant security metrics (KPIs, KRIs, KCIs) that demonstrably improve security outcomes across Klaviyo

Review new products, product features, and internal business projects to guide teams toward secure paths forward and away from accruing new security debt

Collaboratively define and enable teams about security policies and standards that clearly establish Klaviyo’s risk tolerance bar

We’d love to hear from you if you have

most

of the following:

Experience doing security risk assessments, co-creating risk treatment strategies, and influencing risk treatment prioritization across diverse business units (Engineering, IT, Finance, Legal, etc.)

Thorough understanding of cloud-native web application architectures, security threats, and security best practices, especially in the context of AWS and Kubernetes

Experience using data visualization tools and SQL to build and operationalize security metrics (e.g. Apache Superset, Tableau, Domo, Amazon QuickSight)

Experience with scalable approaches to threat modeling, secure design reviews, and risk assessment methods that balance rigor and efficiency (e.g. Mozilla’s Rapid Risk Assessment)

Experience with security automation and process streamlining, ideally in the context of security risk management

Everyone on our team

must

have:

A strong bias toward evidence, logic, math, and reason when communicating risk (instead of fear, uncertainty, and doubt)

A strong bias toward “guardrails, not gates” and “paved security roads” philosophies (instead of rigid “centralized command-and-control” thinking)

Excellent ability to plan, prioritize, and deliver results cross-functionally and in a timely fashion

Proficiency discussing complex, nuanced topics with technical & non-technical audiences alike, especially software engineering teams

Strong alignment with

Klaviyo’s core values

Bonus points if you have

any

of the following:

Experience building tools with REST APIs and Python

Experience with data engineering tools (e.g. dbt, Airflow, Airbyte) or data lake platforms (e.g. Snowflake, Databricks)

Experience with cyber risk quantification (CRQ) tools and frameworks (e.g. FAIR, RiskLens, Safe Security, etc.)

#J-18808-Ljbffr