Staff Information Security Program Manager - FedRAMP
Rubrik
About the team:
The Information Security organization advances the overall state of security at Rubrik through purposeful initiatives and coordination of large security projects. Information Security builds technologies, tools, and processes to better enable teams at Rubrik to develop secure software and protect data and systems with appropriate security controls. Information Security also develops systems to monitor and respond to attacks against our systems, provides awareness education to teams on security best practices for data protection, and ensures data sharing relationships with third parties in order to securely protect Rubrik information.
About the role:
Information Security is looking for a success-driven, US-based Staff Program Manager to organize, plan, lead, and execute on public sector certification and compliance activities for Rubrik’s government-focused cloud and on-premises product offering(s). This mission-critical position will lead or support product security accreditation under frameworks such as Common Criteria, NIAP Protection Profile, DoD Impact Level, CMMC, FedRAMP, GovRAMP, DISA STIG, and more. In addition, s/he may perform a limited set of Facility Security Officer (FSO) duties.
Our ideal candidate brings previous experience across public sector product certification and compliance activities for a Cloud Product Provider organization. They will also bring excellent leadership aligned with Rubrik’s values, demonstrating personal accountability for results, and reliable attention to detail. The selected candidate must have solid skills in communication, presentation, collaboration, decision-making, and organization.
This role represents Rubrik externally with selected Government / Agency Partner(s) and certification offices, third party assessors / lab testers, and in sales calls with customers and prospects. The incumbent will help Rubrik accelerate and assure the growth of our government-based business through implementing security controls, ensuring flaw remediation, performing continuous monitoring, and meeting timely reporting requirements for each product certification we obtain.
The environment at Rubrik is dynamic and fast-paced, with strong, supportive leadership and amazing colleagues who enjoy getting things done. You’ll need to be comfortable solving complex problems, working through ambiguity, and relentlessly pursuing progress over perfection. Assignments here can vary from starting new programs, handling operational tasks and delivering cross-functional projects. Consistently strong performance is essential here. In return, you’ll enjoy a culture that rewards excellence while honoring the importance of a healthy work-life balance.
What you'll do:
Program / Development
- Implement and serve as Program Lead / Control Owner for assigned program frameworks and activities, staying current on changes in the landscape, standards, and associated procedures for certification. Knows the role and technology inside out; drives multiple programs internally and cross functionally.
- This role translates certification and compliance gaps into Engineering or Process requirements. Each translation must clearly identify product or control gaps and effectively propose options and success criteria for ensuring risk-based remediation on a timely basis.
- Lead by influence, and collaborate with a range of stakeholders from individual contributors to senior leadership to external parties including Gov/Agency Partners and/or Third Party Security Labs or Assessors.
- Drive activities related to the remediation of technical security and compliance risks with cross-functional teams, including, but not limited to, engaging third party services, using Jira to manage initiatives / epics / stories / tasks, leading meetings or presentations, assigning and tracking work items, producing reports, and escalating risks and issues.
- Serve as a subject matter expert and an integral member of the public sector compliance team, cultivating strong relationships across the company to aid in achieving consensus, expectation setting, risk and vulnerability awareness, and continual process improvement.
- Work continually toward process improvements and enhancements in security capability or maturity. Drives organizational change and defines objectives for projects and programs, setting the desired outcomes and timing for execution. Implements automation for scalability as opportunities arise.
- Contribute data / metrics to IS leadership; is capable of presenting to executives, leadership, customers / external partners.
- Cross-train team members to enable continuous monitoring and program coverage. Teaches and mentors others to educate them on the applicable program or control(s).
- Develop and maintain the definitive calendar of compliance requirements for assigned public sector security certification and compliance programs.
Operations
- Support Sales and Customer Trust by assisting with inquiries about assigned programs and discussing Rubrik’s security posture or certifications on customer calls as needed.
- Develop, maintain, and disseminate Rubrik’s government Authorization Package(s) and related product certification artifacts, obtaining updates from Control Owners when needed and ensuring each item is correct, complete, and current.
- Develop and maintain POA&M, risk register, and/or compliance gap list and use it to log and report vulnerability remediation status for in-scope product or service offering(s).
- Perform and document Security Impact Analyses on proposed product changes, ensuring consensus on how we view risks and security posture whenever possible.
- Package and submit required reporting and documentation for assigned programs.
- Ensure approval or concurrence for monthly reporting and any associated annual test plans and exercises required such as Incident Response and Contingency Plans.
- Respond to requests from DISA, CISA, and other entities that require reporting, and assist as needed with incident response involving public sector organizations.
- Bridge gaps by performing manual processes until automation is delivered.
- Participate in Change Control Board activities to present security impact analyses and make recommendations as to whether requested changes should be approved and implemented.
Technical
- Organize, document, and manage activities using JIRA as a primary project and work tracking tool.
- Drive automation where opportunities exist for effectiveness, efficiency, and scalability.
- Share expertise in certification processes and related control requirements.
- Manage third party assessors, labs, and/or auditors as well as the associated procurements.
Experience you'll need:
- Demonstrated leadership capability including prior experience with people management and driving cross functional performance using influence to achieve targeted outcomes
- 7+ years of related work experience in Information Security or relevant Compliance roles in the tech / SaaS / software product industry
- 4+ years of experience in a U.S. public sector compliance role associated with DoD Impact Levels, Controlled Unclassified Information, or Assurance & Authorization activity
- 2+ years of product management experience or history of working with Engineering road maps to remediate product vulnerabilities or compliance gaps
- Alignment with Rubrik’s RIVET values and a culture of collaboration and respect
- Experience in a dynamic, high growth / start-up business environment
- Comfortable wearing many hats in a small and agile team that stays upbeat and enjoys working together to get things done
- Advanced knowledge of government compliance and cloud security risks, vulnerabilities, and threats, and can take these issues through triage / risk treatment conversations
- Deep understanding of relevant information security frameworks
- Detail-oriented and able to understand the bigger picture by using technical expertise and problem solving abilities to prioritize efforts and work through ambiguity and issues
- Ability to ramp up quickly and learn new technologies with minimal lag time
- Bachelor’s degree or equivalent in Security, Computer Science, Management Information Systems, Business Administration or related field preferred
- Professional certifications in Information Security, Cloud Security, or Systems Audit/Assessment (e.g., CISSP, CISA, CCSK) preferred
Security and Privacy Responsibilities:
This position carries special Security and Privacy Responsibilities for protecting the U.S. Federal Government’s interests:
- Know, acknowledge, and follow system-specific security policies and procedures;
- Protect data and individual privacy per requirements and regulations;
- Perform ongoing activities in compliance with service and contractual obligations;
- Participate in role-based training, completing assignments on a timely basis;
- Report security issues promptly, and aid investigation when needed;
- Support controlled changes and vulnerability remediation activities; and
- Work collaboratively with Information Security in designing, implementing, assessing or enhancing system-specific security and privacy controls.
Position Risk Designation:
This position carries duties and responsibilities involving the U.S. Federal Government’s interests. The selected incumbent may be subject to one or both of the additional background checks with periodic re-screening as noted below:
Position Risk Designation: Non-Sensitive, Low Risk, Tier 1
Incumbents without access to U.S. Government data may be required to complete Standard Form 85 and undergo a Tier 1 Investigation (T1) for non-sensitive positions of Low Risk. (Baseline screening; formerly National Agency Check and Inquiries (NACI)).
Position Risk Designation: Non-Sensitive, Moderate Risk, Tier 2 (Public Trust)
Incumbents with access to U.S. Government data may be required to complete Standard Form 85P and undergo Tier 2 (T2) Investigation for non-sensitive positions designated Moderate Risk.
Position Risk Designation:Moderate Risk Law Enforcement (CJIS)
When hired for a position where access to Moderate Risk criminal justice information is required, the employee must complete a fingerprint-based national criminal history background check within 30 days after the employee’s start date.
Join Us in Securing the World's Data
Rubrik (NYSE: RBRK) is on a mission to secure the world’s data. With Zero Trust Data Security™, we help organizations achieve business resilience against cyberattacks, malicious insiders, and operational disruptions. Rubrik Security Cloud, powered by machine learning, secures data across enterprise, cloud, and SaaS applications. We help organizations uphold data integrity, deliver data availability that withstands adverse conditions, continuously monitor data risks and threats, and restore businesses with their data when infrastructure is attacked.
Linkedin | X (formerly Twitter) | Instagram | Rubrik.com
Inclusion @ Rubrik
At Rubrik, we are dedicated to fostering a culture where people from all backgrounds are valued, feel they belong, and believe they can succeed. Our commitment to inclusion is at the heart of our mission to secure the world’s data.
Our goal is to hire and promote the best talent, regardless of background. We continually review our hiring practices to ensure fairness and strive to create an environment where every employee has equal access to opportunities for growth and excellence. We believe in empowering everyone to bring their authentic selves to work and achieve their fullest potential.
Our inclusion strategy focuses on three core areas of our business and culture:
-
Our Company: We are committed to building a merit-based organization that offers equal access to growth and success for all employees globally. Your potential is limitless here.
-
Our Culture: We strive to create an inclusive atmosphere where individuals from all backgrounds feel a strong sense of belonging, can thrive, and do their best work. Your contributions help us innovate and break boundaries.
-
Our Communities: We are dedicated to expanding our engagement with the communities we operate in, creating opportunities for underrepresented talent and driving greater innovation for our clients. Your impact extends beyond Rubrik, contributing to safer and stronger communities.
Equal Opportunity Employer/Veterans/Disabled
Rubrik is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or protected veteran status and will not be discriminated against on the basis of disability.
Rubrik provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion, sex, national origin, age, disability or genetics. In addition to federal law requirements, Rubrik complies with applicable state and local laws governing nondiscrimination in employment in every location in which the company has facilities. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.
Federal law requires employers to provide reasonable accommodation to qualified individuals with disabilities. Please contact us at hr@rubrik.com if you require a reasonable accommodation to apply for a job or to perform your job. Examples of reasonable accommodation include making a change to the application process or work procedures, providing documents in an alternate format, using a sign language interpreter, or using specialized equipment.