Assurance Analyst, Security

Lyft, San Francisco, CA

Lyft is your friend with a car, whenever you need one

Our drivers and passengers entrust Lyft with their personal information and travel details to get where they're going, and expect us to keep that data safe. Lyft's security team leads efforts across the company to ensure our systems are secure and worthy of our users' trust.

The security team designs and builds Lyft's security architecture, consults with other teams as they build and launch new products and features, proactively plans for the unexpected, and responds to incidents that occur. Our work affects the entire company and takes place at all levels of the stack, from infrastructure to web application security, as well as mobile apps, IT, and of course self-driving cars. We try to approach security from a software engineering standpoint. We believe in scaling security through automation and tooling and we ship frequently. Check out our blog posts at https://eng.lyft.com/tagged/security to learn more about some of the things we've built.

About the role:
The mission: Empower the company to scale securely. Provide clear guidance on secure business operations and verify we do what we say we do.

We believe that an effective, scalable security program is documented and monitored for deviations from a known good state. We’re looking for the right person to join our team, document the current state of our controls, and move us along our maturity journey. What makes this scalable is that each control must have an automated check. In fact, screenshot-based evidence collection is officially forbidden! The secret sauce (ssh, don’t tell anyone) to all of this will be the automation of the control checks. Our grand vision is a live dashboard that we can look at any point and know the current status of any or all of our controls. In short, we’re building a robot army that constantly validates our current security status. Don’t you want to live in this beautiful world?

We're specifically looking for someone to take on the following responsibilities:

  • Create our controls catalog (this would be a derivative of NIST CSF)
  • Document the current state of our controls against NIST CSF by engaging with engineers and product managers
  • Assess efficacy of our management, operational, and technical security controls
  • Work with our Lyft for Business teams to ensure our customers have the evidence they need to clearly understand our trustworthiness
  • Maintain and enhance our library of customer facing security documentation
  • Work with our Government Relations and Public Policy teams on security related regulatory issues
  • Act as point person for security-related compliance needs (SOC 2, PCI, etc.)

Minimum Qualifications - You have (and can demonstrate) deep knowledge of the following areas:

  • Computer networking concepts and protocols, and network security methodologies
  • Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
  • Vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins)
  • Infrastructure security principles and methods (e.g., firewalls, DMZs, encryption)
  • Current industry methods for evaluating, implementing, and disseminating security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities
  • New and emerging IT and cybersecurity technologies
  • Supply chain security and supply chain risk management policies, requirements, and procedures
  • Network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth)

Minimum Qualifications - You have the following skills:

  • Interfacing with customers
  • Conducting reviews of systems
  • Integrating and applying policies that meet system security objectives
  • Assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.)
  • Technical writing, knowledge management, technical documentation techniques
  • Preparing and presenting briefings/presentations

Minimum Qualifications - You possess the following abilities:

  • Communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means
  • Collect, verify, and validate test data
  • Evaluate information for reliability, validity, and relevance
  • Recognize and mitigate cognitive biases which may affect analysis
  • Understand technology, management, and leadership issues related to organization processes and problem solving
  • Apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation)

Preferred Qualifications - You have knowledge of some of the following areas:

  • Public cloud security risks (AWS, Azure, GCP)
  • Business continuity and disaster recovery continuity of operations plans
  • Application security risks (e.g. OWASP Top 10)
  • Experience defining metrics for service availability

Preferred Qualifications - You have some of the following skills:

  • Experience making tough prioritization trade-offs
  • Discerning the protection needs (e.g., security controls) of information systems and networks
  • Conducting vulnerability scans and recognizing vulnerabilities in security systems
  • Determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes
  • Assessing security systems designs

Preferred Qualifications - You possess some of the following abilities:

  • Interpret and translate customer requirements into operational action
  • Work across departments and business units to implement the organization's privacy principles and programs, and align privacy objectives with security objectives
  • Identify critical infrastructure systems with information communication technology that were designed without system security considerations

About Lyft

Wherever you’re headed, count on Lyft for rides in minutes. The Lyft app matches you with local drivers at the tap of a button. Just request and go.

Ride by ride, we’re changing the way our world works.

Want to learn more about Lyft? Visit Lyft's website.