Information Security Analyst

About Betterment

Betterment is a leading, technology-driven financial services company that offers investing, savings and retirement solutions for retail investors and investment advisors as well as financial wellness solutions, including a 401(k) for small and medium-sized businesses. Our team is passionate about our mission, to empower people to build wealth with confidence and ease.  We’re headquartered in NYC and offer hybrid NY-based positions (four days/ week in-office, with no required office days during the summer and winter holidays).

About the Role:

We are looking foran information security professional with 2+ years experience in technology operations, technology audit, or GRC. The successful candidate in this role will perform a variety of governance, risk, and compliance activities related to security. Examples of assigned activities will include perform risk assessments for SaaS applications, consulting with application owners to apply strong logical access controls, monitoring and reporting on the timely remediation of vulnerabilities, or gathering evidence to support audits or examinations.

As a technology-driven financial services company, managing information security risk is critical to the trust that we foster with our clients, investors, and regulators. This role will operate within our Govern & Control team, which is a small independent (second line-of-defense) team which is integrated with the broader security program. The role reports to the Director of Information Security, and works closely with the security teams within engineering, lines of business throughout the company, and other risk management teams including Compliance and Legal.

This role is based out of our NYC office. Below we've reflected the base salary range for this position. Actual salaries may vary depending on factors including but not limited to location, experience, and performance. The range listed is just one component of Betterment’s total compensation package for employees. 

• New York City: $115,000-$125,000

This job may also be eligible for variable compensation in the form of a company incentive bonus. 

A Day in the Life:

• Operates assigned risk management processes such as vulnerability monitoring, due diligence questionnaire completion, audit or examination evidence gathering. A number of AI and automation tools will be available to facilitate increasing efficiency and scale in this work over time. The role will have some flexibility for specialization among the team.
• Perform application-level risk assessments by interviewing and documenting the key business processes and risks related to an application, and providing guidance regarding strong logical access controls to reduce risk. When appropriate, document issues and foster management attention related to remediation for control deficiencies.
• Perform due diligence or ongoing monitoring activities to evaluate security risks introduced through third-party relationships or applications or tools used by employees.
• Contribute to security awareness training or phishing simulation activities for training of employees and contractors.
• Gather data and ensure management attention towards key risk indicator (KRI) metrics for security. 
• Monitor assigned issues through regular follow-up and reporting to ensure management attention and timely remediation.

What We’re Looking For:

We are seeking a team member with 2+ years experience in technology operations, technology audit, or GRC. They will be a significant contributor to the security program.

The following skills/competencies are required:

• You’ve operated security controls in an IT operations role, or served as a Staff or Senior-level auditor (in public accounting or internal audit), or previously worked in a security role successfully.
• You have knowledge and familiarity with the principles of security risk management, including the CIA triad, design and operation of controls, and one or more control governance frameworks.
• You have a familiarity with security controls applicable to cloud computing and third-party SaaS applications, including logical access management processes, third-party due diligence and monitoring, and more
• You have experience learning new skills, including through research and the use of AI and automation.