Senior Principal Security and Risk Engineer

Job Description

Responsible for the planning, design and build of security architectures; oversees the implementation of network and computer security and ensures compliance with corporate security policies and procedures.

• Influence roadmaps, service designs, internal cloud security standards, and customer-facing products for OCI’s global cloud infrastructure
• Represent product security to internal development teams and senior leadership
• Function as a de facto expert for product security decisions across Oracle’s cloud platform
• Pull apart Cloud Services down to the nuts & bolts to understand how they work, how they can work better, and how they should be leveraged or extended to meet business goals
• Work on a combination of 3-10 big projects a year or 5-20 small projects a year
• Know when you should spend your time “hands on keyboard” vs. white‑boarding solution (e.g. coding/prototyping vs. zoom/design work)
• Collaborate with your teammates to collectively support security initiatives across 175 services and 10,000 developers in their mission to continuously “level up” security of service families and the OCI platform
• Collaborate with service team’s architects to lend your security expertise to product design conversations and implementation decisions
• Develop how Oracle will meet future security goals, support development of organization‑wide plans for making it happen, and embed with teams as necessary to validate we’re doing the right things.
• Periodically embed with service teams for 1-6 weeks to provide technical direction, answer questions, and guide teams to enable meeting security goals
• Writing code to (for example): prototype ideas, demonstrate proof‑of‑concepts, extract and analyze data and intelligence from existing data sources to inform designs & decisions
• Lead cross‑functional tiger teams to solve complex problems

• Responsible for advanced planning, design and build of security systems, applications, environments and architectures; oversees the implementation of security systems, applications, environments and architectures and ensures compliance with information security standards and corporate security policies and procedures.
• Provides technical advice and direction to support the design and development of secure architectures.
• May participate in an incident management team, bringing advanced‑level skills to respond to security events in line with Oracle incident response playbooks. Investigates purported intrusions and breaches, and oversees root cause analysis.
• Coordinates incidents with other business units and may act as Incident Commander of serious incidents. Develops new methods, and playbooks, as well as sophisticated scripts, applications, and tools, and trains others in their use.
• May participate in an incident management team, responding to security events in line with Oracle incident response playbooks. Investigates purported intrusions and breaches, and oversees root cause analysis.
• Coordinates incidents with other business units and may act as incident commander of serious incidents.
• Participates in developing new methods, playbooks throughout Oracle.
• Evaluates existing and proposed technical architectures for security risk, provides technical advice to support the design and development of secure architectures and recommends security controls to mitigate those risks.
• Evaluations of internal security architecture may include design assessment, risk assessment, and threat modeling.
• Brings advanced‑level skills to research, evaluate, track, and manage information security threats and vulnerabilities in situations where in‑depth analysis of ambiguous information is required, and where computer programming/scripting knowledge is required.
• Work with Senior management to develop and implement a multi‑year security roadmap
• Focus on operational and strategic level tasks, and provide counsel and guidance to the junior level security operations engineers in the department.

Certain US customer or client-facing roles may be required to comply with applicable requirements, such as immunization and occupational health mandates.