Job Opportunity: Director of Software Security Services

Quandary Peak Research seeks to hire an ambitious software security professional to join our team of expert software consultants. Our team provides technical expertise and advice to companies and government agencies on complex regulatory and legal matters involving software.

  • Base Salary: $200,000-$250,000
  • Location: Nashville, Los Angeles, Washington DC, Chicago, or Bay Area (SV, SF, SJ)
  • Benefits: Health and dental insurance, 401k with match, performance-based bonus up to 20% of salary, 3 weeks paid vacation, paid parental leave, immigration support (if needed), subsidized relocation 
  • Education Required: 4-year degree in Computer Science, Computer Engineering, or Computer Information Systems
  • Job Type: Full-time

Responsibilities

A Director of Software Security Services will lead and grow the company’s division and services line for evaluating and improving the security of software applications and IT systems. These security-based evaluations are offered through one or more of Quandary Peak’s primary lines of service: technical, health or regulatory audits, due diligence (e.g., merger or acquisition) analysis, or a dispute between parties (e.g., a litigation or pre-litigation related matter). The job requires identifying security risks and vulnerabilities through investigations and interviews and recommending actions to address them. The consultant will perform research in emerging software security standards and best practices, serving many major industries and technology sectors, from cloud computing, AI and Big Data, to cellular devices, networking equipment, and IoT. The candidate will work with clients in the Health IT space (such as Health IT vendors, hospitals, and medical device companies) and with departments and agencies of the federal or state governments (such as HHS, ONC, and the OIG).

Job Highlights

  • Lead and grow Quandary Peak’s security-focused vertical – including building a team of security experts, landing and managing projects, and developing new service offerings 
  • Develop proposals and bids for security services for government audits, research projects and other contracts
  • Help clients and the public by improving the security and safety of modern software – in particular Health IT software
  • Collaborate with distinguished professors, research institutes, and tech industry leaders
  • Assist private companies, research institutes, and the federal government (HHS, ONC) in investigating software security and privacy issues
  • Become a leader and trusted source of insight in software security standards
  • Continually expand and strengthen your knowledge, skills, and credentials
  • Contribute meaningfully to the strategic direction of our small but growing company
  • Work in a casual office environment with flexible hours – light (infrequent) travel to interesting places

Day-to-day activities may include

  • Make recommendations for improving software security based on industry best practices and a thorough understanding of external factors
  • Perform code reviews and audits based on software application security standards and best practices, such as CWE, CVSS, OWASP, etc.
  • Perform evaluation of IT infrastructure security tools and techniques, including network and endpoint monitoring, device and network hardening, threat detection, firewall configurations, incident response systems, etc.
  • Evaluate compliance with security and privacy regulatory requirements such as HIPAA, PCI, FIPS, GDPR, CCPA; evaluate application code management and code deployment strategies and plans from a security perspective
  • Monitor, analyze, detect and provide technical guidance on various types of security events and incidents related to software systems
  • Investigate the root causes of security incidents and recommend mitigating actions to address them 
  • Assist in configuration and tuning of security frameworks, tools and threat monitoring systems, as well as policies and procedures to improve overall software security standing 
  • Present technical findings and actionable plans to a non-technical audience and answer questions

Work Experience Required

Candidates must have 5+ years of experience as a senior software developer, software architect, security analyst, or manager of software security testing. Relevant experience in Health IT or medical devices (e.g., EHR software) is a big plus. In addition, all candidates should have the following:

  • Experience in working with federal or state agencies on cybersecurity (e.g., NIST, FDA, DoD, DoE, etc.)
  • A deep understanding of software security fundamentals — both theory and practice, including: cryptography, networking, threat monitoring, risk management and security frameworks, vulnerability management, incident response and business continuity, security operations center, application security and security architecture, security awareness and policies, red/blue team approaches
  • In-depth knowledge of IT and software security standards, frameworks, and models (e.g., OWASP, NIST standards, guidelines and the CSF Framework, ISO 27001, COBIT, CIS Benchmarks, FIPS, etc.)
  • Professional experience managing software projects and applying application and/or IT security standards
  • 8+ years of experience with a core set of application or IT security tools and platforms (e.g. AppScan, GitLab, Metasploit, Cisco, F5, PaloAlto, Fortigate, OpenSSL, OpenVAS, QRadar, Splunk, Snort, Terraform, WebInspect, Wireshark)
  • 5+ years of experience in any of: Java, C++, C#, Python/Ruby, PHP, Linux, SQL, Android, iOS, or other similar platforms or languages with a security/architecture focus.
  • A thorough understanding of, and experience with, modern development practices (agile, scrum) and DevOps practices and tools (CI/CD, Infrastructure-as-Code, Jenkins, Chef, Terraform, etc.)
  • In-depth knowledge of cloud-based software and traditional client-server architectures
  • Ability to perform compliance-driven technical audits and make insightful, well-formed recommendations for external organizations
  • Excellent written and verbal communications skills with experience presenting to executives and leadership teams with the ability to communicate security and risk-related concepts to technical and non-technical audiences
  • Proven experience interfacing with senior executives and communicating complex cyber security concepts in business-relevant ways
  • Very strong business analysis skills, problem solving techniques, and follow-up habits
  • Willing and able to ‘roll up’ sleeves and lead from the front
  • A self-starter with a ‘can-do’ attitude
  • Financial, planning and strategic management skills
  • Supervisory and incident management skills

Preferred Qualifications

  • CISSP Certification; Additional CRISC, CISM, GSLC, CISO certifications are favorable as well
  • Software security work in a highly regulated industry (medical devices, transit, aviation, defense)
  • Experience applying formal IT risk-management and compliance criteria to software development and IT management (e.g., ISO 27001, COBIT)
  • Experience with software process development standards, quality management systems (such as ISO 13485, ISO 9001/9003), or software quality standards and models (ISO 25010, IEEE, ISO 9003, ISO 14791, or similar)
  • A Ph.D. in CS or EE
  • Research experience in academic or government labs
  • Published peer-reviewed papers in academic or industry journals and conferences
  • Willingness to travel to New York, San Francisco, Washington DC, Nashville and other US cities

About Quandary Peak Research

Quandary Peak Research was formed in 2012 and now stands at a 30+ member consulting group, with a proven reputation in providing computer and software expertise to companies, government agencies, inventors, and attorneys, with offices in Los Angeles, Nashville, Silicon Valley and New York. Our client list includes companies like Google, Microsoft, Samsung, Nokia, GE, Echostar, and government agencies at the state and federal level. Our recent Health IT clients include major EHR vendors, community hospitals, the ONC, and the OIG. We thrive on unraveling tough technical problems and applying the fundamentals of software engineering to compliance and legal challenges in a trusted, unbiased and professional manner. 

Visit https://quandarypeak.com/health-it-and-audits/ to learn more.

Candidates should send their resume and a brief cover letter to careers@quandarypeak.com
