Security Compliance - Roles & Responsibilities

Security Compliance professionals at GitLab focus on operating our security compliance programs and are proficient in all things security compliance.

For members of GitLab’s Security Assurance sub department, it is the goal of Security Compliance to:

Enable security to scale through the definition of security controls and document the boundaries and applicability of the information security management system to establish its scope.
Work across industries to support GitLab customers in their own compliance journey.
Identify and mitigate GitLab information security risk through continuous control monitoring and automation.

Security Compliance professionals at GitLab focus on operating our security compliance programs and are proficient in all things security compliance. They are comfortable operating within our transparent compliance programs and understand how compliance works with cloud-native technology stacks.

Responsibilities

Professionally handle communications with internal and external stakeholders on compliance issues
Maintain up-to-date knowledge of GitLab’s product, environment, systems and architecture
Educate control owners on compliance workflows and processes
Maintain GitLab’s security control framework and continuous control monitoring activities
Gather and report on established metrics within the security compliance programs

Requirements

Ability to use GitLab
Prior experience working with a SaaS company preferred
Passion for transparent compliance programs

Levels

Security Compliance Engineer (Intermediate)

This position reports to the Security Compliance Manager role at GitLab.

Security Compliance Engineer (Intermediate) Job Grade

The {Security Compliance Engineer} is a 6.

Security Compliance Engineer (Intermediate) Responsibilities

Conduct security control test of design and test of operating effectiveness activities
Identify observations and manage remediation tasks through to closure while adhering to strict deadlines
Support internal and external auditors or advisors as needed
Maintain handbook pages, procedures and runbooks related to security compliance
Identify opportunities for security compliance control automation
Maintain security compliance automation tasks

Security Compliance Engineer (Intermediate) Requirements

A minimum of 2 years’ experience working with security compliance programs
Demonstrated experience with at least two security control frameworks (e.g. SOC 2, ISO, NIST, COSO, COBIT, etc.)
Working understanding of how compliance works with cloud-native technology stacks

Senior Security Compliance Engineer

This position reports to the Security Manager, Compliance role at GitLab.

Senior Security Compliance Engineer Job Grade

The {Senior Security Compliance Engineer} is a 7.

Senior Security Compliance Engineer Responsibilities

The responsibilities of a Security Compliance Engineer, plus;
Execute end to end compliance initiatives in accordance with the compliance roadmap
Design high-quality test plans and direct security control test activities
Continuously improve GitLab’s security control framework
Draft and implement handbook pages, procedures and runbooks related to security compliance
Direct external audits
Build and maintain security controls that map to GitLab security compliance requirements and provide implementation recommendations
Peer review control test worksheets and provide feedback and guidance to Security Compliance Engineers
Identify manual security compliance controls that can be improved through automation
Design requirements for security compliance automation tasks
Recommend new security compliance metrics and automate reporting of existing metrics

Senior Security Compliance Engineer Requirements

A minimum of 5 years’ experience defining and shaping compliance programs
Demonstrated experience with at least four security control frameworks (e.g. SOC 2, ISO, NIST, COSO, COBIT, etc.)
Detailed understanding of how compliance works with cloud-native technology stacks

Staff Security Compliance Engineer

This position reports to the Security Manager, Compliance role at GitLab.

Staff Security Compliance Engineer Job Grade

The {Staff Security Compliance Engineer} is a 8.

Staff Security Compliance Engineer Responsibilities

The responsibilities of a Senior Security Compliance Engineer, plus;
Maintain expert knowledge of GitLab’s product, environment, systems and architecture while mentoring others on this knowledge and helping to shape designs for the sake of security compliance efficiencies
Participate in the development and continuous improvement of security compliance metrics
Provide actionable and constructive advisement to cross-functional teams, to include driving remediation activities for high and select moderate risk Observations across several GitLab departments
Implement security compliance technical and process improvements
Mentor other Security Compliance Engineers and improve quality and quantity of the team’s output
Design and implement major iterations on GitLab’s security control framework in alignment with industry trends
Participate in security assurance roadmap development based on customer needs
Predict future industry trends and demands to position GitLab as an industry expert of Security Compliance and execute initiatives to support these trends
Create dynamic open-source security compliance programs that deliver value to the GitLab community
Build the GitLab Security Compliance brand through regular internal and external presentations and publications
Design, develop, and deploy scripts to automate continuous control monitoring, administrative tasks and metric reporting for all security compliance programs
Successfully execute on quarterly KRs associated with OKRs

Staff Security Compliance Engineer Requirements

A minimum of 10 years’ experience defining and shaping compliance programs with a minimum of 3 years’ experience building new compliance programs
Proven experience building, maintaining and improving compliance programs from the ground-up
Proven experience with successful first-time external certification and attestation audits
Demonstrated experience with at least six security control frameworks (e.g. SOC 2, ISO, NIST, COSO, COBIT, etc.)
Expert understanding of how compliance works with cloud-native technology stacks

Principal Security Compliance Engineer

This position reports to the Senior Manager, Security Compliance role at GitLab.

Principal Security Compliance Engineer Job Grade

The {Principal Security Compliance Engineer} is a 9.

Principal Security Compliance Engineer Responsibilities

The responsibilities of a Staff Security Compliance Engineer, plus;
Collaborates and makes proposals across several departments on their security compliance work, and helps their team members make informed decisions in alignment with security assurance strategic plans
Exposes technology and organizational needs throughout security assurance and proposes technical implementation plans
Teach, mentor, grow, and provide advice to other domain experts, individual contributors, across several teams in security
Play a central role in technical, business, and organizational contributions affecting security compliance/security assurance
Interfaces with Senior management, and enables Staff Security Assurance Engineers to engage on security compliance aspects of larger security assurance initiatives
Looks for innovation opportunities between several teams with a willingness to experiment and to boldly confront problems of large complexity and scope
Ensures that OKR level goals are aligned across all teams in security assurance
Guides conversations to remove blockers and encourage collaboration across teams and departments
Provides a point of escalation for security compliance team members facing complex technical challenges
Attain a measurable impact on the work of security compliance
Interact with customers and other external stakeholders as a consultant and spokesperson for the work of security assurance
Exposes the work of security compliance and their business impact internally
Knowledgeable in all specialties practiced within security assurance
Demonstrated achievements that make GitLab’s security compliance program an industry leader

Principal Security Compliance Engineer Requirements

A minimum of 15 years’ experience defining and shaping compliance programs with a minimum of 5 years’ experience building new compliance programs
Industry recognized expert at building, maintaining and improving compliance programs from the ground-up
Direct experience of successful first-time external certification and attestation audits at GitLab
Industry recognized expert with at least six security control frameworks (e.g. SOC 2, ISO, NIST, COSO, COBIT, etc.)
Expert understanding of how compliance works with cloud-native technology stacks

Manager, Security Compliance

This position reports to the Director, Security Assurance.

Manager, Security Compliance Job Grade

The {Manager, Security Compliance} is a grade 8.

Manager, Security Compliance Responsibilities

Hire and oversee a world class team of security compliance engineers and Engineers
Hold regular 1:1s with team members
Maintain a robust common control framework and continuous monitoring program aligned with GitLab’s certification roadmap
Proactively identify changing regulatory requirements and appropriately adjust the scope of the security compliance program to accommodate these changes
Ensure execution of required testing and remediation activities leading to successful security certification(s)
Make broad recommendations on improving security compliance related processes and/or procedures across GitLab; partner with stakeholders to implement solutions
Achieve and maintain SaaS and Corporate security certifications, to include oversight of external audits
Prepare and deliver meaningful metrics to Security Assurance leadership
Identify and implement automation of manual processes to shorten processes and cycles
Successfully execute on quarterly OKR(s)

Manager, Security Compliance Requirements

At least 3 years prior experience managing security compliance teams
Detailed knowledge of common information security management frameworks, regulatory requirements and applicable standards such as: ISO 27001/2, ISO 27017, ISO 27018, SOC 2, HIPAA, GDPR, PCI, SOX, etc.
Detailed knowledge of audit methodologies and standard deliverables

Senior Manager, Security Compliance

This position reports to the Director, Security Assurance.

Senior Manager, Security Compliance Job Grade

The {Senior Manager, Security Compliance} is a grade 9.

Senior Manager, Security Compliance Responsibilities

The same responsibilities of a Security Compliance Manager, plus the below:
Hold regular 1:1s with team managers and skip-level 1:1s with all members of their team
Plan and execute long term strategies that benefit your team and align with strategic objectives
Identify and independently manage new security certification lifecycle, from planning to maintenance
Partner with the product organization to dogfood and drive GitLab compliance features internally
Create and deploy innovative and effective strategies for continuous control auditing and monitoring
Maintain reliable, up-to-date, information regarding security and compliance changes and trends
Proactively identify new metrics along with strategic recommendations to Security Assurance leadership
Draft and successfully execute on multiple quarterly OKRs

Senior Manager, Security Compliance Requirements

At least 6 years prior experience managing security compliance teams
Expert knowledge of common information security management frameworks, regulatory requirements and applicable standards such as: ISO 27001, SOC 2, HIPAA, GDPR, PCI, SOX, etc.
Expert knowledge of audit methodologies and standard deliverables

Specialties

Dedicated Markets

The dedicated markets specialty is for compliance professionals highly skilled in federal, financial, life sciences and other highly regulated markets. Areas of expertise include Federal, Financial and Quality domains.

Dedicated Markets Responsibilities

For level: Manager, Security Compliance

Hire and oversee a world class team of security compliance engineers experienced in regulated markets
Hold regular 1:1s with team members
Work closely with the Manager, Security Compliance and provide requirements for the common control framework aligned with GitLab’s dedicated markets certification roadmap
Maintain a scoped continuous monitoring program aligned with GitLab’s dedicated markets certification roadmap
Execute quarterly POA&M activities, maintain SSP and manage significant change requests
Proactively identify changing regulatory requirements and appropriately adjust the scope of the dedicated markets program to accommodate these changes
Ensure execution of required testing and remediation activities leading to successful security certification(s) for dedicated markets
Make broad recommendations on improving dedicated markets related processes and/or procedures across GitLab; partner with stakeholders to implement solutions
Achieve and maintain Dedicated and dedicated markets security certifications, to include oversight of external audits
Prepare and deliver meaningful metrics to Security Assurance leadership
Identify and implement automation of manual processes to shorten processes and cycles
Successfully execute on quarterly OKR(s)

Dedicated Markets Requirements

For level: Manager, Security Compliance

At least 3 years prior experience managing security compliance teams supporting regulated markets and FedRAMP ATO
Experience leveraging OSCAL for SSP development and OSCAL validation tools for continuous control monitoring
Detailed knowledge of regulated information security management frameworks, regulatory requirements and applicable standards such as: NIST 800-53/FedRAMP, NIST 800-171/CMMC, DoD IL, STIGs, FIPS 140-2, HITRUST, GxP, ISO 9001, SOC 1 and SOC 2
Detailed knowledge of audit methodologies and standard deliverables

Segment

Security Leadership

For details on the Security organization leadership roles, to include the Security Assurance Director and VP of Security, see the Security Leadership page.

Performance Indicators

Security Control Health

Career Ladder

graph LR; sec:se(Security Compliance Engineer)-->sec:sse(Senior Security Compliance Engineer); sec:sse(Senior Security Compliance Engineer)-->sec:stse(Staff Security Compliance Engineer); sec:stse(Staff Security Compliance Engineer)-->sec:pse(Principal Security Compliance Engineer); sec:sse(Senior Security Compliance Engineer)-->sec:sem(Manager, Security Compliance); sec:sem(Manager, Security Compliance)-->sec:sesm(Senior Manager, Security Compliance); sec:sesm(Senior Manager, Security Compliance)-->sec:ds(Director, Security Assurance);

Hiring Process

Candidates for this position can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.

Qualified candidates will be invited to schedule a 30 minute screening call with one of our Global Recruiters.
Next, candidates will be invited to schedule a 50-minute interviews with the hiring manager,
Then, candidates will be invited to schedule 3 separate 50-minute interviews with 3 different peers from within the Security orgnaization,
Finally, candidates will be invited to schedule a 25-minute interview with the Director, Security Assurance.

Additional details about our process can be found on our hiring page.

About Gitlab

GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 2,200 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.

We value results, transparency, sharing, freedom, efficiency, self-learning, frugality, collaboration, directness, kindness, diversity, inclusion and belonging, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.

Top 10 Reasons to Work for GitLab:

Mission: Everyone can contribute
Results: Fast growth, ambitious vision
Flexible Work Hours: Plan your day so you are there for other people & have time for personal interests
Transparency: Over 2,000 webpages in GitLab handbook, GitLab Unfiltered YouTube channel
Iteration: Empower people to be effective & have an impact, Merge Request rate, We dogfood our own product, Directly responsible individuals
Diversity, Inclusion & Belonging: A focus on gender parity, Team Member Resource Groups, other initiatives
Collaboration: Kindness, saying thanks, intentionally organize informal communication, no ego
Total Rewards: Competitive market rates for compensation, Equity compensation, global benefits (inclusive of office equipment)
Work/Life Harmony: Flexible workday, Family and Friends days
Remote Done Right: One of the world's largest all-remote companies, prolific inventor of remote best practices

See our culture page for more!

Work remotely from anywhere in the world. Curious to see what that looks like? Check out our remote manifesto and guides.

Last modified May 19, 2023: Adding new roles (b88e5bb)