Manager, Security Policy and Governance


March 24, 2021

Coinbase has built the world's leading compliant cryptocurrency platform serving over 30 million accounts in more than 100 countries. With multiple successful products, and our vocal advocacy for blockchain technology, we have played a major part in mainstream awareness and adoption of cryptocurrency. We are proud to offer an entire suite of products that are helping build the cryptoeconomy and increase economic freedom around the world.
There are a few things we look for across all hires we make at Coinbase, regardless of role or team. First, we look for signals that a candidate will thrive in a culture like ours, where we default to trust, embrace feedback, disrupt ourselves, and expect sustained high performance because we play as a championship team. Second, we expect all employees to commit to our mission-focused approach to our work. Finally, we seek people with the desire and capacity to build and share expertise in the frontier technologies of crypto and blockchain, in whatever way is most relevant to their role.
Coinbase is looking for an experienced Security Policy and Governance Manager to join the team. The Security Policy Manager will steer development, maintenance, and evolution of the security policy framework, and work with all security teams to implement and track exceptions to policies, standards, and plans over time. This role will also partner across Security to define and collect Security-wide KPIs and other key metrics, and advise teams on achieving their maturity targets over time.
What you’ll be doing (ie. job duties):
  • Design, organize, and implement the policy framework for all Security policies, standards, procedures, and plans in partnership with Security teams (including information security and physical security) and Enterprise Risk Management
  • Review and make recommendations for streamlining existing and future security policies
  • Create a process and collateral for rolling out new security policies to the whole company
  • Establish, document, and broadly communicate security policy norms to the Security organization, outlining how to create, update, and deprecate security policies in line with enterprise policy requirements
  • Collaborate within Security GRC and regional partners to support audits and examinations, track policy implementation and issues, and incorporate global security compliance requirements into the Security policy framework
  • Manage the Security Exception Process to enable Security teams to track exceptions, manage approvals, and improve automation
  • Collaborate with US and other regional technology partners, including regional security managers, to streamline security and technology risk policy development and implementation across multiple Coinbase entities, products, and locations
  • Assess security policies of Coinbase acquisitions, and appropriately integrate them into the Coinbase policy hierarchy
  • Partner with Security and Privacy teams to develop key performance indicators for the Security organization
  • Grow a small team of Policy Analysts over time to document effective policies for Coinbase, track policy implementation, and advise on governance models

What we look for in you (ie. job requirements):
  • Minimum of 7+ years of relevant experience in information security policy, risk or compliance, including assessing security risks and controls for global organizations
  • Experience with global security standards such as ISO 27001, NIST CSF, PCI DSS 3.2, or SOC 2
  • Expert, communicator and writer; you can coach others on their writing skills, you can adapt your communication style for your audience, and you have experience drafting policies, reports, and other written materials for a variety of executive audiences
  • Knowledge of global cybersecurity and data privacy regulatory requirements for financial services
  • Experience reporting policy and compliance posture to senior stakeholders
  • Ability to direct cross functional work and hold others accountable to committed deadlines
  • Knowledge of a cloud-services environment

Nice to haves:
  • Security certifications, e.g. CISA, CISM, CISSP, CRISC
  • Experience working with GRC tools, e.g. RSA Archer, Metricstream