Security Leadership
Security Leadership Roles at GitLab
Leaders in the security department at GitLab are customer focused. While they are technically credible and know the details of what security engineers and analysts work on, their time is spent hiring a world-class team and putting them in the best position to succeed. They own the delivery of security commitments and are always looking to improve productivity. They must coordinate across departments to accomplish collaborative goals. Security leaders embrace a set of shared values:
- Security Principles: Champion the security operating principles and develop the frameworks and strategies necessary to leverage principles in practice.
- Priority Setting: Spends their time and the time of others on what’s important: quickly zeros in on the critical few and puts the trivial many aside, can quickly sense what will help or hinder accomplishing a goal, eliminates roadblocks, creates focus.
- Process Management: Build efficient processes which are necessary to get things done: know how to organize people and activities, understand how to separate and combine tasks into efficient work flow, know what to measure and how to measure it, can see opportunities for synergy and integration where others can’t. Capable of simplifying or eliminating complex processes.
- Strategy: Able to see around corners and anticipate future consequences and emerging challenges accurately, have broad knowledge and perspective, is future oriented, can articulately paint credible pictures and visions of possibilities and likelihoods, can create competitive and breakthrough strategies and plans. Look toward the broadest possible view of an issue/challenge: has broad-ranging personal and business interests and pursuits, can easily pose future scenarios, can think globally, can discuss multiple aspects and impacts of issues and project them into the future.
- Diplomacy: Embrace discourse, seeing disagreement as opportunities: read situations quickly, good at focused listening, can hammer out tough agreements and settle disputes equitably, can find common ground and get cooperation with minimum noise.
- Influence: Skilled in communicating a compelling perspective to various audiences: one-on-one, small and large groups, with peers, reports, and leaders. Is effective both inside and outside the organization, on both cool data and hot and controversial topics, commands attention and can manage group processes during the presentation, can change tactics midstream when something isn’t working.
- Building Effective Teams: Inspires team members to do their best work. Creates and fosters environments where team members can grow and deliver their best work.
- Vision: Communicates a compelling and inspired vision or sense of core purpose: talks beyond today, talks about possibilities, is optimistic, creates mileposts and symbols to rally support behind the vision, makes the vision shareable by everyone, can inspire and motivate the entire organization.
Responsibilities
- Drive quarterly Objectives and Key Results (OKRs)
- Own a Sub-department of the GitLab Security Department
- Drive technical and process improvements
- Recruit, manage, motivate and develop high performing teams
- Lead teams to identify and mitigate technical risk
- Run multiple teams within their Sub-department
- Partner with cross-functional leaders, understand their business and how your sub-team can support their objectives
- Hire a world class team of managers and security engineers to work on their teams
- Assess and mitigate the constantly changing threat landscape
- Help managers and team members grow their skills and experience
- Manage multiple teams and projects
- Create a sense of psychological safety within their Sub-department
- Represent the company publicly in media and/or at conferences
Requirements
- Ability to use GitLab
- Exceptional communication skills, including verbal, written, and presentation skills, to a variety of stakeholders
- You share our values, and work in accordance with those values
- Leadership at GitLab
Levels
Senior Manager, Security
The Senior Manager, Security role is defined for each Security Team individually. However, a Senior Security Manager may be appointed at the sub-department level.
Senior Manager, Security Job Grade
The Senior Security Manager is a grade 9.
Senior Manager, Security Responsibilities
- Effectively grow and develop sub-department Security managers and team members
- Guide, coach and mentor sub-department Security managers
- Review and assess sub-department team strategies, objectives and initiatives
- May also manage a Security team
- Manage company and Security department initiatives at the sub-department level
- Responsible for overflow Director responsibilities
- Ensure alignment across sub-department teams with Security department and Engineering organization objectives
- Generate and implement process improvements, especially cross-team processes
- Hold regular 1:1s with team managers and skip-level 1:1s with all members of their team
- Assist in building morale, support and alignment within their sub-department
- Work cross-functionally (both within and outside of Security) to promote and gain prioritization of sub-department needs
Senior Manager, Security Requirements
- Technical credibility: Significant experience in multiple domains of the sub-department
- Management credibility: relevant, progressive experience in Security management
- Ability to understand, communicate and improve the quality of multiple teams
- Demonstrated longevity at at least one recent job
- Ability to be successful managing at a remote-only company
- Humble, servant leader
Hiring Process
Candidates for the senior manager positions can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.
- Qualified candidates will be invited to schedule a 30 minute screening call with one of our Global Recruiters.
- Next, candidates will be invited to schedule a 45-60 minute interview with the Director of Security to whom the position reports
- Candidates will then be invited to schedule 3 separate 45-60 minute interviews with additional directors and managers within the Security Organization
- Candidates will then be invited to schedule an interview with the CISO
- Successful candidates will subsequently be made an offer via email. Additional details about our process can be found on our hiring page.
Director, Security
This position reports to the CISO.
Director, Security Job Grade
The Director, Security is a grade 10.
Director, Security Responsibilities
- Proven ability to successfully recruit, manage, motivate and develop high performing teams
- Relevant, progressive experience managing information security and engineering teams
Hiring Process
Candidates for the director positions can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.
- Qualified candidates will be invited to schedule a 30 minute screening call with one of our Global Recruiters.
- Next, candidates will be invited to schedule a 45-60 minute interview with the CISO
- Candidates will then be invited to schedule 2-3 separate 45-60 minute interviews with peer directors and reporting managers of the Security Organization
- Candidates will then be invited to schedule 2-3 separate 45-60 minute interviews with cross-functional partners
- Candidates may be requested to meet again with the CISO for a shortened conversation
- Successful candidates will subsequently be made an offer via email. Additional details about our process can be found on our hiring page.
Director, Security Specialties
Product Security
Responsibilities
- Partners with the CISO in planning and development of enterprise information security strategy and best practices
- Drives strategy for the Product Security organization, aligned with broader GitLab business initiatives, with a specific focus on Application Security, Product Security and Infrastructure Security.
- Consults with senior leaders regarding their information security risks and drives mitigation efforts to reduce risk
- Drives operational efficiencies through process improvement and implementation of technical solutions
- Drives efforts to improve security awareness in the areas of application security and the secure development of code through education and training
- Champions technical efforts to obtain and maintain compliance with customer, regulatory, and security compliance framework requirements
- Secures the product and the company with innovative and industry leading technical security controls and practices
- Partners with the CISO to build and maintain the most transparent security program in the world
- Acts as an advocate for information security practices
Requirements
- Proficient experience with security technologies and engineering domains such as application security, cloud security, infrastructure security, containerized workloads and security automation
Security Assurance
Responsibilities
- Partners with the CISO in planning and development of enterprise information security strategy and best practices
- Drives strategy for the Security Assurance organization, aligned with broader GitLab business initiatives, with a specific focus on expansion of the security certification portfolio
- Consults with senior leaders regarding their information security risks and responsibilities in minimizing those risks
- Drives operational efficiencies through process improvement and implementation of technical solutions
- Manages a risk-based prioritization model for reviewing new project and work efforts
- Participates in key customer calls, contract reviews and/or assessments, providing leadership assurance on GitLab security
- Acts as an advocate for information security practices
Requirements
- Proficient experience with industry standard security and risk frameworks/standards/laws/regulations: NIST 800-53, NIST CSF, HITRUST, PCI, FedRAMP, ISO27002, ISO 31000, etc.
Security Operations
Responsibilities
- Secure our product, services (GitLab.com, package servers, other infrastructure), and company (laptops, email)
- Define and plan priorities for security related activities based on risk analysis
- Determine appropriate combination of internal security efforts and external security efforts including bug bounty programs, external security audits (penetration testing, black box, white box testing)
- Analyze and advise on new security technologies
- Build and manage a team, which currently consists of Security Managers, Security Engineers, and Security Analysts
- Identify and fill positions
- Grow skills in team leads and team members, for example by creating training and testing materials
- Deliver input on promotions, function changes, demotions, and terminations
- Ensure our engineers and contributors from the wider community run a secure software development lifecycle for GitLab by training them in best practices and creating automated tools
- Be involved in major security and service abuse events
- Ensure we’re compliant with our legal and contractual security obligations
- Evangelise GitLab Security and Values to staff, customers and prospects
Requirements
- Significant application and SaaS security experience in production-level settings
- This position does not require extensive development experience but the candidate should be very familiar with common security libraries, security controls, and common security flaws that apply to Ruby on Rails applications
- Experience managing teams of engineers, and leading managers
- Experience with incident management
Platform Security
Responsibilities
- Partners with the CISO in planning and development of platform security capabilities
- Drives strategy for the Platform Security Engineering organization, aligned with broader GitLab business initiatives, with a specific focus on production security services, data security engineering, applied machine learning, and security automation.
- Consults with senior leaders regarding their security requirements and drives mitigation efforts to reduce risk
- Drives operational efficiencies through process improvement and implementation of technical solutions
- Drives efforts to improve security awareness in the areas of application security and the secure development of code through education and training
- Champions technical efforts to obtain and maintain compliance with customer, regulatory, and security compliance framework requirements
- Secures the product and the company with innovative and industry leading technical security controls and practices
- Partners with the CISO to build and maintain the most transparent security program in the world
- Acts as an advocate for information security practices
Requirements
- Proficient experience with software development and engineering domains such as data engineering, machine learning, distributed systems, and security engineering
Senior Director, Security
This position reports to the CISO.
Senior Director, Security Job Grade
The Senior Director, Security is a grade 11.
Senior Director, Security Responsibilities
- Expanded scope and functional area ownership over sub-department director responsibilities
- Assist in the mentoring and coaching of Security Directors and Managers
- Overflow security leadership responsibilities
- Ability to successfully drive department-level initiatives
- Ability to drive and influence change cross-company
- Provide a consistent/successful interface between all applicable stakeholders including, but not limited to, Engineering, Product, Finance and Sales
- Development, measurement, and management of key metrics for functional area’s performance
- Develop sub-department roadmap and strategic vision
- Ensure alignment of sub-department goals and initiatives with department and company goals
- Public-facing security champion towards customers, community and media
Senior Director, Security Requirements
- Technical credibility: Significant experience in all domains within the sub-department
- Management credibility: Relevant, progressive experience in Security management leadership
- Ability to understand, communicate and improve the quality of multiple teams
- Demonstrated longevity at at least one recent job
- Ability to be successful managing at a remote-only company
- Humble, servant leader
Hiring Process
Candidates for the director positions can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.
- Qualified candidates will be invited to schedule a 30 minute screening call with one of our Global Recruiters.
- Next, candidates will be invited to schedule a 45-60 minute interview with the CISO
- Candidates will then be invited to schedule 3 separate 45-60 minute interviews with directors and reporting managers within the Security Organization
- Candidates may be requested to meet again with the CISO for a shortened conversation
- Candidates will then be invited to schedule an interview with the CTO of Engineering
- Successful candidates will subsequently be made an offer via email. Additional details about our process can be found on our hiring page.
Senior Director, Security Specialties
Security Assurance
Responsibilities
- Partner with the CISO, and other Security leadership, in planning and development of enterprise information security strategy and best practices aligned with broader GitLab business initiatives
- Provide vision and leadership for developing and supporting initiatives in the areas of security policy, external security audits, continuous control monitoring, customer assurance, risk assessments and security training
- Provide reporting to E-Group, and other key stakeholders, including the GitLab Board of Directors
- Design and communicate security assurance strategies and plans to executive team, team members, partners, customers, and stakeholders with a specific focus on expansion of the security certification portfolio
- Maintain and manage the security risk register and consult with senior leaders regarding their security risks and responsibilities in minimizing those risks
- Drive operational efficiencies through process improvement and implementation of technical solutions driving automation and dogfooding of the GitLab product
- Participate in key customer calls, contract reviews and/or security assessments providing leadership assurance on GitLab security
- Develop and provide key performance indicators, operational metrics and related reports
Requirements
- Superior understanding of the organization’s goals and objectives
- Ability to act as a champion for Security and convey cyber-security risks in layman’s terms
- Ability to build collaborative relationships with diverse stakeholders including executive team, management, privacy, engineering and external auditors
- Proficient experience with industry standard security and risk frameworks/standards/laws/regulations: SOX ITGCs, SOC, FedRAMP/NIST 800-53, NIST CSF, PCI, ISO27001, ISO 31000, etc.
- An effective communicator with the ability to escalate, coordinate, provide feedback, and ask for help
- Outstanding cross-functional partnership skills, with a confirmed ability to identify, initiate and lead efforts with both internal and external teams
- Embrace GitLab Values of Collaboration, Results, Efficiency, Diversity, Inclusion & Belonging, Iteration, and Transparency
Corporate Security & IT Operations
The Corporate Security & IT Operations function leads a team of highly-collaborative and results-oriented Security and IT team members tasked with delivering and securing global IT services across the company. The Senior Director, Corporate Security & IT Operations is in charge of securing, scaling, increasing performance, and providing great team member experience in order to help drive forward business success based on world class infrastructure & operations.
Responsibilities
- Head a multi-continent team in an all-remote Organization
- Build and lead a team of Corporate Security & IT Operations and Service Management staff
- Create the strategy and roadmap, effectively defining and delivering on new SOPs, process improvements, and projects
- ITIL: Lead the design, implementation, and enhancement of ITIL processes like Incident, Problem, Change, Configuration, and Release Management to achieve operational excellence
- Service Desk: Foster customer-centricity in IT operations, manage a responsive IT service desk, focusing on end-user satisfaction. Prioritize incident resolution, escalate effectively, and strategize for optimal first-call resolution
- Identity & Access: Oversee secure identity and access management and data protection programs in conjunction with the InfoSec team to enforce policies and uphold data integrity
- Manage the IT Ops departmental budget
- Vendor Management: Build / maintain relationships with software and hardware vendors and service providers
- Directly participate in IT Security improvements and support as required (i.e., be hands-on)
- Establish seamless processes to onboard, change and offboard resources from IT services
- Own and maintain Corporate Security & IT Operations applications
- Document and enforce new and current IT policies and procedures
- Measure, monitor, and maintain team’s ability to meet or exceed contact and resolution Service Level Agreements (SLA)
- Run the IT Service desk, define and manage ticket SLAs, and move towards greater automation and, where appropriate, self-service of tickets
- Proven ability to successfully recruit, manage, motivate and develop high performing teams
- Negotiates and influences the opinions and decision making of internal senior leaders on matters of significance to the division
- Consistently demonstrates, models and coaches managers and senior managers on GitLab’s remote working competencies
- Proactively communicates with leadership about progress and outcomes and how strategy and contributions support higher-level priorities and initiatives
- Focuses the team’s communication and productivity
Requirements
- Bachelor’s degree in IT, Computer Science, or related field
- 10+ years of IT and/or Security leadership experience
- 5+ years’ experience in IT operations management, focusing on ITIL processes, service desk, identity and access management, infrastructure, and support
- Strong understanding of Identity Management (SSO, SAML, OAuth, etc.), API integration (REST), Scripting (Bash, PowerShell)
- SaaS experience: Expert level understanding of tools like Google Workspace, Okta, Zoom, Slack etc.
- InfoSec experience partnering with internal information security and compliance teams. SOX experience is a plus
- Team building experience. Past experience managing a global support team
- Experience working on a fleet of macOS and ChromeOS endpoints
- Proven ability to effectively lead and meet business objectives in a global, collaborative and high performance work environment
- Change management knowledge and ability to operate effectively in fast-paced environment
- Desirable: PMP, ITIL certification. CISSP or similar certification is a plus
- Demonstrated experience in vendor management and capacity planning in a fast growth environment
Vice President (VP), Security
This position reports to the CISO.
VP of Security Job Grade
The VP of Security is a grade 12.
VP of Security Responsibilities
- Extends those of the Senior Director, Security
- Set the vision of a GitLab Security function with a clear roadmap
- Build and maintain a rapidly growing team with top-tier talent
- Embrace GitLab’s values by balancing transparency and security
- Establish and implement security policies, procedures, standards, and guidelines
- External communications: Blog, conference speaking, stream company events to YouTube
- Work with customers and prospects to address security concerns
- Manage a best-in-class bug-bounty program with the highest rewards
- Act as central point-of-contact to Facility Security Officer for cleared facilities
VP of Security Requirements
VPs of Security must have all of the following attributes.
Must-haves:
- Relevant, progressive experience managing information security teams
- Excellent written and verbal communication skills
- Be able to hire and retain high-performing team members and managers
- Experience managing a multi-level security organization with managers and individual contributors
- Collaborate with cross-functional teams such as Engineering, Product, Sales, Legal, People Ops, and Finance
- Ability to excel in a remote-only, multicultural, distributed environment
- Possess domain knowledge of common information security management frameworks, regulatory requirements, and applicable standards
- Excellent project and program management skills and techniques
- Experience leading security teams in a SaaS company
- Demonstrable success securing high-availability cloud services
Nice-to-haves:
Great candidates will have some meaningful proportion of the following.
- Working knowledge of the GitLab application
- Self-managed (on-prem) software experience
- Experience with internet-scale services
- Developer platform/tool industry experience
- Deep open source software (OSS) experience
- Relevant academic background
- US Government security clearance
VP, Security Performance Indicators
Hiring Process
Candidates for the director positions can expect the hiring process to follow the order below. Please keep in mind that candidates can be declined from the position at any stage of the process. To learn more about someone who may be conducting the interview, find their job title on our team page.
- Qualified candidates will be invited to schedule a 30 minute screening call with one of our Global Recruiters.
- Next, candidates will be invited to schedule an interview with the CISO
- Candidates will then be invited to schedule separate 60 minute interviews with three leaders of the organization
- Candidates will then be invited to schedule two separate 45 minute interviews with cross-functional team members
- Successful candidates will subsequently be made an offer via email. Additional details about our process can be found on our hiring page.
Career Ladder
For more details on the security engineering career ladders, please review the security engineering career development handbook page.
About GitLab
GitLab Inc. is a company based on the GitLab open-source project. GitLab is a community project to which over 2,200 people worldwide have contributed. We are an active participant in this community, trying to serve its needs and lead by example. We have one vision: everyone can contribute to all digital content, and our mission is to change all creative work from read-only to read-write so that everyone can contribute.
We value results, transparency, sharing, freedom, efficiency, self-learning, frugality, collaboration, directness, kindness, diversity, inclusion and belonging, boring solutions, and quirkiness. If these values match your personality, work ethic, and personal goals, we encourage you to visit our primer to learn more. Open source is our culture, our way of life, our story, and what makes us truly unique.
Top 10 Reasons to Work for GitLab:
- Mission: Everyone can contribute
- Results: Fast growth, ambitious vision
- Flexible Work Hours: Plan your day so you are there for other people & have time for personal interests
- Transparency: Over 2,000 webpages in GitLab handbook, GitLab Unfiltered YouTube channel
- Iteration: Empower people to be effective & have an impact, Merge Request rate, We dogfood our own product, Directly responsible individuals
- Diversity, Inclusion & Belonging: A focus on gender parity, Team Member Resource Groups, other initiatives
- Collaboration: Kindness, saying thanks, intentionally organize informal communication, no ego
- Total Rewards: Competitive market rates for compensation, Equity compensation, global benefits (inclusive of office equipment)
- Work/Life Harmony: Flexible workday, Family and Friends days
- Remote Done Right: One of the world's largest all-remote companies, prolific inventor of remote best practices
See our culture page for more!
Work remotely from anywhere in the world. Curious to see what that looks like? Check out our remote manifesto and guides.