Information Security Engineer

Full Time

Spreedly is a rapidly growing, growth-private-equity-funded digital payments company headquartered in downtown Durham, North Carolina. We've developed a high-volume, global solution to support our vision that the world is better with a diversified, inclusive payment ecosystem.

Our employees help build a culture that values independence, transparency, and collaboration in a digital-first communication environment. We hope you do your best work at Spreedly and find a mature workplace striving to support the ebb and flow of work-life harmony.

It’s not enough to say “Spreedly takes Information Security Seriously”: a robust Information Security posture is at the fundamental core of what makes Spreedly successful. It’s what enables customers to trust us to securely vault 100+ million credit cards and process billions in payments annually.

Because Information Security is already woven into the fabric of Spreedly operations, much of the day-to-day information security work is federated out to those teams for whom security is already embedded in their core offering (think: security groups with Infrastructure, data loss protections with IT, secure software development practices with application engineering). This allows the (smaller) information security team to assume more focused information security responsibilities. To wit, Spreedly is looking for an accomplished information security engineer. For a small company, information security’s influence is far reaching, and your capabilities match up to these tasks:

Vulnerability Management - Setup and administration of internal vulnerability scanning as part of a vulnerability management program. Management of monthly PCI external vulnerability scans through remediation.

Security Testing - Coordination of semiannual information security testing with an external vendor; perform internal ad-hoc penetration testing when requested; set up and manage a (likely open source) phishing campaign; participate in tabletop exercises; eventually develop and execute red-team assessments.

Education & Awareness - Facilitate interactive OWASP security training for application developers, create and deliver general purpose security education and awareness materials periodically.

Secure Software Development - Perform code reviews of particularly sensitive application components (e.g., cryptography, credential management); address and remediate “dependabot” and other SAST-reported potential security defects.

Governance & Oversight - Participate in periodic reviews of security operation duties that are federated out to other groups within Spreedly; participate in the information security council (part of a security governance program); interface with auditors (PCI, SOC 2, etc.).

Incident Response / Threat Intelligence - Continue to hone rulesets and dive deep into the data to provide insights into our adversaries and suggest plans to address a threat before it occurs. Participate in information security incidents. (Spreedly already leverages a managed security provider to deliver 24x7 SOC coverage.)

Pragmatic Security Advice - Provide consultation and lend expertise in a wide range of topics including strong defense-in-depth models, automating security within the CI/CD pipeline, cloud security best practices, IT risk assessments, customer security questions, etc.

We may hire the right candidate into a Senior Information Security Engineer role, depending on candidate experience and strengths. Yes, we acknowledge that the above list is a tall ask. If you’ve fancied yourself a generalist security engineer who can “do a little bit of everything”, you are most heartily encouraged to apply.

We think the right candidate will have most of the following:

  • Experience with cloud security (AWS preferred)
  • Understanding of security capabilities within a PCI-compliant SaaS organization (e.g., WAF, encryption, identity and access management)
  • Proficiency in a Linux environment and the common security toolsets (nmap, Wireshark, Burp proxy, Kali, etc.)
  • Ability to clearly articulate OWASP Top 10 vulnerabilities and their common mitigations
  • Experience with SIEM and data logging toolsets (Splunk, Datadog, Sumo Logic)
  • Some programming proficiency (Python, Ruby, Elixir, etc.)
  • A desire to mentor other engineers and foster a collaborative environment to improve our security posture
  • A willingness to be a generalist and dig into new things you've never done before
  • Excellent written communication and a track record of documenting your work
  • A pragmatic, take-action approach, while staying open to failing fast and pivoting
  • An ability to sort out immediate priorities from the ever-shifting needs of a rapidly growing organization

What we offer:

  • Competitive salary
  • Outstanding medical and dental benefits (we pay 100% of monthly premiums for employees + families)
  • Life and long-term disability insurance
  • Medical and dependent care FSA
  • Optional vision insurance
  • Open PTO policy
  • 12 weeks paid Family Leave
  • Matching 401k plan (5% up to $5,000 yearly)
  • Monthly digital lifestyle stipend ($150)
  • Professional development opportunities including $3,000 annual stipend and access to LinkedIn Learning

When travel and in-office work commences:

  • Remote-friendly work environment. Even our local employees are remote 3 days per week!
  • Tues./Thurs. are in-office days for local employees; the rest of the week employees are free to work wherever they choose
  • Paid lunches on in-office days for local employees
  • Quarterly visits to HQ for remote employees

Spreedly is an equal opportunity employer. We are committed to fostering, cultivating and preserving a culture of diversity, equity and inclusion. We actively work to drive out even unintentional discrimination in our hiring processes via practices like blindly graded work samples, structured interviews, and diversity awareness training.

Due to the sensitive nature of what Spreedly does (handling payment data), candidates must complete a successful background check. If you have concerns along those lines, please discuss them with us sooner rather than later; we do not want you to waste time in the hiring process and get disqualified at the end if we can help it.

Some of our positions are open to remote applicants. If this is the case, it will be stated in the job posting just below the position name. Unless otherwise stated, remote positions are open to candidates in the contiguous US only. We are not set up to support remote employees from CA, NY, WA or outside the contiguous US. All applicants must have a US work visa.

We appreciate your interest in our company. Because of the high volume of resume flow, we will only respond to those candidates that we think will be a potential fit.