Security Engineer II (Cloud Security & GRC)

As a member of the ShipBob Team, you will...

• Grow with an Ownership Mindset: We champion continuous learning and proactive innovation. Team members are encouraged to identify challenges and take ownership of initiatives that drive merchant, company and personal growth. By tackling complex problems and exploring creative solutions, you won’t just follow a playbook, you’ll be actively building the future of ShipBob.
• Collaborate with Peers and Leaders Alike: ShipBob values collaboration and support, where team members and leaders alike are committed to helping each other succeed. We all set high standards and understand the importance of transparency at all levels. We’ve created an environment where trust, open communication, and mutual respect motivate our teams to reach new heights.
• Experience a High-Performance Culture and Clear Purpose: Our commitment to delivering results creates a goal-driven, high-performance culture where everyone is empowered to contribute to our mission with a clear understanding of their direct impact and accountability. We measure success in tangible ways, allowing each team member to see the positive outcomes of their work and celebrate shared victories.

Location: Remote - India

Shift Timings: US Hours 7 pm- 4 am IST

Role Description:

As a Security Engineer II you will play a pivotal role in ShipBob’s security, governance, risk, and compliance programs. You will design, implement, and maintain access control and threat detection solutions, participate in risk assessments and audits, and collaborate across teams to ensure the confidentiality, integrity, and availability of our critical data and systems. You will also support compliance initiatives, manage third-party risk, and contribute to the continuous improvement of our security posture.This role reports to Vice President, Information Tech & Security.

What you’ll do:

• Design, implement, and maintain threat detection, response, and access control solutions for cloud-native environments and applications (e.g., Azure AD, M365, Google Workspace, Salesforce).
• Develop and automate security workflows, playbooks, and tools to improve the efficiency and effectiveness of security operations.
• Develop, enforce, and update security policies, procedures, and guidelines for access control, threat detection, and compliance with standards such as ISO 27001, SOC 2, PCI, NIST CSF, and Sarbanes-Oxley.
• Participate in and oversee risk assessments, compliance reviews, and audits (internal and external), including evidence collection and control implementation.
• Maintain and monitor control effectiveness and operations in GRC platforms (e.g., Vanta).
• Communicate concerns and risks to stakeholders, document remediation plans, and proactively share information with management.
• Conduct third-party risk reviews for SaaS tools, service providers, AI tools, and open-source software; manage the third-party audit pipeline and vendor responses.
• Build and execute regular threat hunting campaigns focused on current, emerging, and obscure tactics, techniques, and procedures.
• Proactively search for, identify, and analyze new and existing techniques to detect advanced and targeted threats.
• Utilize advanced threat hunting techniques to detect anomalies and suspicious activities.
• Guide the incident response process, from triage to closure, providing support and coordination across multiple teams.
• Collaborate with security team members, developers, operations, and stakeholders to share knowledge and best practices.
• Participate in security awareness initiatives (e.g., newsletters, phishing simulations, training sessions).
• Respond to customer questionnaires about ShipBob’s security program and maintain the knowledge base.
• Identify process improvements and provide actionable guidance.
• Perform other duties as assigned.

What you’ll bring to the table:

• 4+ years of hands-on work experience with security architecture and engineering in a cybersecurity operations program.
• 2+ years of experience in incident response, detection, threat intelligence, or access control security engineering roles.
• 1+ years’ security experience focused on risk and compliance, including ISO 27001 and SOC 2 audits.
• Strong knowledge and experience with access control frameworks and tools (IAM, RBAC, ABAC, OAuth, SAML), cloud security, network security, endpoint security, and threat intelligence.
• In-depth knowledge of Azure services (especially Azure Active Directory, Azure AD Identity Protection, Azure RBAC), and experience securing cloud-based infrastructures (Azure, M365, Google Workspace, Salesforce).
• Proficiency in scripting languages such as Python, PowerShell, Go, or Bash.
• Excellent knowledge of industry-standard frameworks (MITRE ATT&CK, ISO 27001, SOC 2, NIST CSF, PCI, SOX, GDPR).
• Experience with GRC tools and standard practices.
• Proven ability to manage multiple risk and compliance projects.
• Strong written and verbal communication; effective collaborator with outstanding interpersonal skills.
• Excellent analytical and problem-solving skills supporting business objectives.
• Detail-oriented, organized, and able to balance precision with big-picture thinking.
• Quick learner who proactively drives personal and professional growth.
• Demonstrated initiative and ownership in problem-solving.
• Strong design and solution implementation skills for a Zero Trust Architecture.
• Desire to solve response challenges with automation.
• Security+, CISSP, CISA, CISM, CRISC, GCIA, GCIH, GREM, or similar certifications preferred; equivalent experience accepted.