Toast

Senior Corporate Security Analyst

Posted 2 Hours Ago
In-Office
Bangalore, Bengaluru Urban, Karnataka
Senior level
The Senior Corporate Security Analyst safeguards organizational assets through robust security solutions, vendor assessments, security awareness training, and collaboration across multiple teams.
The summary above was generated by AI

About the Role:

We are seeking a highly motivated and experienced Senior Corporate Security Analyst to join our expanding team. The ideal candidate will possess a comprehensive understanding of Corporate Security's strategic objectives and Toast's overarching goals, and will effectively achieve these in collaboration with the team. This role will be pivotal in safeguarding Toast's assets, reputation, and information through the implementation and management of comprehensive security solutions, the promotion of security awareness, and the assurance of resilience against emerging threats. This position will necessitate significant collaboration with various Infosec teams, R&D, and other internal teams to uphold a robust security posture. The Senior Security Analyst will also provide guidance and mentorship to junior security analysts, demonstrating exemplary security skills, contributing to policy and document creation, maintaining strong communication, and assisting leadership and management in assuming additional ownership.

A Day in the Life (Responsibilities)

Vendor Security 

  • Conduct security risk assessments for vendors (onboarding and annual), review their security reports (SOC2), and continuously monitor their security posture.
  • Perform risk scoring, provide security recommendations, track and respond to security breaches involving vendors, and oversee the remediation of third-party vulnerabilities.
  • Drive Security Improvement Initiatives: Coordinate with procurement teams, GRC team and other stakeholders to enhance the overall security related to third-party risks.

SaaS Security & Endpoint Security

  • Supervise the deployment and operation of tools designed to identify installed software on endpoints and conduct comprehensive risk assessments of non-approved software.
  • Liaise with Technical Governance for compliance oversight and action, facilitating the resolution of alerts, user account validations, and application misconfigurations.
  • Develop and manage programs to conduct quarterly assessments of high/critical application vulnerabilities identified by CrowdStrike and all Chrome extensions utilized by Toasters, evaluating their actual risk.

Security Awareness Training Program & Phishing Simulation

  • Oversee the initiation and implementation of organization-wide security awareness training programs.
  • Engage in collaborative efforts with internal teams and external vendors to develop and deliver comprehensive training content.
  • Administer phishing simulations for all employees.

G-Suite and Data Loss Prevention (DLP)

  • Proactively identify opportunities within G-Suite to strengthen the security posture and provide comprehensive security recommendations to the IT Operations Team for implementation.
  • Investigate and propose Data Loss Prevention functionalities across key Toast data exchange platforms (e.g., Google Workspace, Slack).

Corporate Security Team Responsibilities & Documentation

  • Collaborate with multiple stakeholders to precisely delineate responsibilities and identify tasks for the Corporate Security team, thereby precluding operational redundancies.
  • Review and update policies, Standard Operating Procedures (SOPs), and runbooks in coordination with the Technical Governance team.

Security Tool Implementation and Management

  • Demonstrated proficiency in the utilization of Identity and Access Management tools (Okta, BeyondTrust) to ensure secure access and authentication, and privileged access management.
  • Possesses expertise in the BeyondCorp (Zero Trust) security model and its implementation for perimeterless security.
  • Adept in patch management, encompassing processes, tools, and the timely application of security updates.

AI Automation

  • Proactively identify opportunities to reduce manual effort through process automation and the strategic implementation of AI tools within security operations.

Work Mode: This role follows a hybrid work model, requiring a minimum of 2 days per week in the office.

We are excited about you if you have these things:

  • Bachelor's degree in Computer Science, Information Security, or a related field; Master's degree preferred.
  • 6 - 10 years of experience in information security, with a strong focus on corporate security, vendor security, and security operations.
  • Strong technical knowledge and understanding of cybersecurity frameworks (e.g., NIST Cybersecurity Framework, ISO27001, CIS Controls, SOC 2, PCI DSS).
  • Proven experience in developing and implementing security policies, procedures, and frameworks.
  • Expertise in conducting vendor security risk assessments, including reviewing SOC2 reports and security questionnaires.
  • Strong technical knowledge of Shadow IT and Software Asset Management tools and processes.
  • Demonstrated experience in developing and delivering security awareness training and phishing exercises.
  • Possess excellent skills and experience in leveraging AI tools for threat detection, incident response, vulnerability management, and other security functions.
  • Familiarity with Google Workspace security features.
  • Experience working with EDR solutions like CrowdStrike.
  • Proficiency with security tools such as Reco.AI, Torq, Splunk, Datadog, bug bounty platforms, Okta Device Trust, BeyondTrust, BeyondCorp, and other SIEM and security tools commonly used in the market.
  • Ability to work autonomously and prioritize multiple tasks in a fast-paced environment.
  • Excellent verbal and written communication skills, with the ability to effectively communicate technical information to both technical and non-technical audiences. Proven ability to collaborate effectively with cross-functional teams.
  • Quick learner and adaptable to new security tools and technologies as they are procured and implemented.
  • Ability to adapt to environments, understand requirements, and actively collaborate within the team, with other teams, and with vendors.
  • Provide technical guidance and mentorship to P2 security analysts, fostering their professional growth and ensuring alignment with corporate security objectives. Take initiative in leading projects and driving security initiatives.
  • Relevant security certifications are a plus.

Diversity, Equity, and Inclusion is Baked into our Recipe for Success

At Toast, our employees are our secret ingredient—when they thrive, we thrive. The restaurant industry is one of the most diverse, and we embrace that diversity with authenticity, inclusivity, respect, and humility. By embedding these principles into our culture and design, we create equitable opportunities for all and raise the bar in delivering exceptional experiences.

We Thrive Together

We embrace a hybrid work model that fosters in-person collaboration while valuing individual needs. Our goal is to build a strong culture of connection as we work together to empower the restaurant community. To learn more about how we work globally and regionally, check out: https://careers.toasttab.com/locations-toast.

Apply today!

Toast is committed to creating an accessible and inclusive hiring process. As part of this commitment, we strive to provide reasonable accommodations for persons with disabilities to enable them to access the hiring process. If you need an accommodation to access the job application or interview process, please contact [email protected].

------

For roles in the United States, it is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.

Top Skills

AI Tools
BeyondTrust
CrowdStrike
Datadog
EDR Solutions
Google Suite
Okta
Splunk
