About the company
Coinbase is one of the most trusted cryptocurrency exchanges today. It holds customer cash in FDIC-insured accounts, lets you securely connect your bank account to buy and trade crypto, and blocks suspicious accounts to protect users.
Job Summary
What you’ll be doing (i.e. job duties)
📍Assessments: Facilitate technical security risk assessments across our production and corporate environments, enabling security and privacy teams to describe risk in both qualitative and quantitative terms
📍Maintain the Security Risk Register data: quality control of data, tooling support and automation/process improvements
📍Manage security risks via the risk lifecycle:
  📍Intake to the risk register, triage, residual risk calculation, and analysis with subject matter experts and risk owners
  📍Facilitate agreement and execution of mitigation plans across stakeholders
  📍Enable teams and leadership to make risk-based decisions and trade-offs affecting security investment strategies and project prioritization
  📍Document and monitor risk treatment decisions to accept or remediate risks
📍Support reporting out on findings and metrics, and recommend mitigations to security and business leadership
📍Ad-hoc meeting planning support for risk meetings with security leadership and business risk owners
📍Communications/Training: Develop and maintain communication and training plans to roll out the security risk program across the organization
📍Global Engagement: Collaborate with stakeholders to help scale the program’s risk framework across Coinbase entities, products, and geographies/markets
📍Enterprise Risk: Work in lockstep with Enterprise Risk Management to escalate risks to the enterprise risk register and report relevant metrics to senior leadership
📍Legal: Regularly collaborate with GRCP teams, Legal and Compliance on risks, assessments, and reporting to meet regulatory requirements
📍Audits: Support data compilation to respond to US and international audit/regulator inquiries
📍Industry pulse: Maintain awareness of international regulation, emerging threats, forecasts, policies, and benchmarks
📍Maintain team runbooks, team intra-web pages, and risk register metrics dashboards
What we look for in you (i.e. job requirements):
📍2-3+ years of experience working in Security Risk and/or GRCP/Compliance
📍Security Risk domain knowledge: security and cyber security risks, standards and frameworks, e.g. ISO 27001/5, NIST CSF, FAIR risk quantification methodology, etc.
📍Experience with controls/risk management frameworks to measure and monitor controls/risks, and to validate, track and evidence remediation
📍Ability to dig into technical risk solutions and to work on technical quantitative risk assessments
📍Comfortable working with GRCP tools (e.g. Jira, Archer) and with quantitative and qualitative data analytics
📍Ability to translate controls/risk standards out of compliance speak and into functional requirements
📍Knowledge of risk/control best practices and of major regulatory/legal frameworks (US/international)