Gusto
Staff Security Engineer: Cloud Security
Gusto is a modern, online people platform that helps small businesses take care of their teams. On top of full-service payroll, Gusto offers health insurance, 401(k)s, expert HR, and team management tools. Today, Gusto offices in Denver, San Francisco, and New York serve more than 400,000 businesses nationwide. Our mission is to create a world where work empowers a better life, and it starts right here at Gusto. That's why we're committed to building a collaborative and inclusive workplace, both physically and virtually. We are seeking a highly experienced and motivated Staff Cloud Security Engineer to join our growing team. The ideal candidate will have a deep understanding of AWS security best practices and a proven track record of designing and implementing secure cloud architectures. You will be a key player in shaping the future of our AWS cloud security posture and will have the opportunity to work on a variety of challenging and rewarding projects. Gusto's Cloud Security team is a dedicated group within the company that focuses on protecting sensitive customer data and the platform itself. Their work is integrated across various aspects of the company's operations, with a strong emphasis on proactive security measures and a culture of shared responsibility. Here's what you'll do day-to-day: Design and implement secure and scalable multi-account AWS strategies, including the automation of account creation and security baseline enforcement. Develop and implement a comprehensive IAM strategy for a multi-account ecosystem, focusing on least privilege and role-based access control (RBAC). Lead the architectural design and rollout of permissions, ensuring a seamless and secure experience for our developers and operations teams. Take ownership of the security of our AWS environment, including the implementation of security controls, monitoring, and incident response. Leveraging your deep knowledge of AWS networking services such as VPC, Network Firewall, NAT Gateway, NACLs, Shield, CloudFront, and Cloud WAN. Implement and manage encryption standards across all AWS services, including KMS, CloudHSM, Secrets Manager, EBS encryption, and S3 encryption. Develop and implement a comprehensive tagging strategy for security and cost management purposes. Familiarity with AWS Service control policies (SCPs) Familiarity with AWS Config and best practice implementations of security tooling Implementation of detections and alerting based on AWS Cloudtrail logs Here's what we're looking for: 10+ years of experience in a hands-on cloud security role. Expert-level knowledge of AWS security best practices and services. Proven experience designing and implementing secure multi-account AWS strategies. Deep understanding of IAM and experience with implementing least privilege and RBAC in a complex environment. Strong network architecture skills and a detailed knowledge of all major AWS network-oriented services. Expertise in encryption standards and key management, including KMS, CloudHSM, and Secrets Manager. CI/CD expertise. IaC (infrastructure as code) expertise. Excellent communication and collaboration skills. Our cash compensation amount for this role is targeted at $190,000/yr to $210,000/yr in Denver & most remote locations, and $225,000/yr to $245,000/yr in New York, Seattle, and San Francisco Bay Area. Stock equity is additional. Final offer amounts are determined by multiple factors including candidate experience and expertise and may vary from the amounts listed above.
Gusto is a modern, online people platform that helps small businesses take care of their teams. On top of full-service payroll, Gusto offers health insurance, 401(k)s, expert HR, and team management tools. Today, Gusto offices in Denver, San Francisco, and New York serve more than 400,000 businesses nationwide. Our mission is to create a world where work empowers a better life, and it starts right here at Gusto. That's why we're committed to building a collaborative and inclusive workplace, both physically and virtually. We are seeking a highly experienced and motivated Staff Cloud Security Engineer to join our growing team. The ideal candidate will have a deep understanding of AWS security best practices and a proven track record of designing and implementing secure cloud architectures. You will be a key player in shaping the future of our AWS cloud security posture and will have the opportunity to work on a variety of challenging and rewarding projects. Gusto's Cloud Security team is a dedicated group within the company that focuses on protecting sensitive customer data and the platform itself. Their work is integrated across various aspects of the company's operations, with a strong emphasis on proactive security measures and a culture of shared responsibility. Here's what you'll do day-to-day: Design and implement secure and scalable multi-account AWS strategies, including the automation of account creation and security baseline enforcement. Develop and implement a comprehensive IAM strategy for a multi-account ecosystem, focusing on least privilege and role-based access control (RBAC). Lead the architectural design and rollout of permissions, ensuring a seamless and secure experience for our developers and operations teams. Take ownership of the security of our AWS environment, including the implementation of security controls, monitoring, and incident response. Leveraging your deep knowledge of AWS networking services such as VPC, Network Firewall, NAT Gateway, NACLs, Shield, CloudFront, and Cloud WAN. Implement and manage encryption standards across all AWS services, including KMS, CloudHSM, Secrets Manager, EBS encryption, and S3 encryption. Develop and implement a comprehensive tagging strategy for security and cost management purposes. Familiarity with AWS Service control policies (SCPs) Familiarity with AWS Config and best practice implementations of security tooling Implementation of detections and alerting based on AWS Cloudtrail logs Here's what we're looking for: 10+ years of experience in a hands-on cloud security role. Expert-level knowledge of AWS security best practices and services. Proven experience designing and implementing secure multi-account AWS strategies. Deep understanding of IAM and experience with implementing least privilege and RBAC in a complex environment. Strong network architecture skills and a detailed knowledge of all major AWS network-oriented services. Expertise in encryption standards and key management, including KMS, CloudHSM, and Secrets Manager. CI/CD expertise. IaC (infrastructure as code) expertise. Excellent communication and collaboration skills. Our cash compensation amount for this role is targeted at $190,000/yr to $210,000/yr in Denver & most remote locations, and $225,000/yr to $245,000/yr in New York, Seattle, and San Francisco Bay Area. Stock equity is additional. Final offer amounts are determined by multiple factors including candidate experience and expertise and may vary from the amounts listed above.