Security Policy Engineer (m/w/d)

at Mondoo

Home Office, Nordrhein-Westfalen, Germany

Start Date: Immediate
Expiry Date: 05 Feb, 2025
Salary: Not Specified
Posted On: 06 Nov, 2024
Experience: 3 year(s) or above
Skills: Orchestration, Analytical Skills, Security Automation, Kubernetes, Scalability, Security Tools, It, Azure, Infrastructure, Iso, Code, Communication Skills, Python, Training, Design, Operating Systems, Mql, Computer Science, Writing, English, Continuous Improvement
Telecommute: No
Sponsor Visa: No

Description:

Mondoo is creating a new way that helps companies keep their users and data safe from hackers around the world. We believe that a great user experience and visual design will help our users to love and enjoy our product and make it easier to take action against attackers.

REQUIRED QUALIFICATIONS

  • Bachelor’s degree in Computer Science, Cybersecurity, or related field
  • 3+ years of experience in security engineering or policy implementation
  • Strong programming skills in at least one language (e.g., Go, Python, Java)
  • Experience with policy as code frameworks (e.g. Open Policy Agent, HashiCorp Sentinel)
  • Proficiency in writing and maintaining infrastructure as code (e.g., Terraform, CloudFormation)
  • Solid understanding of cloud security principles and best practices
  • Strong knowledge of at least one major cloud platform (AWS, Azure, or GCP) and its security features
  • Extensive experience with Linux and Windows operating systems
  • In-depth understanding of TCP/IP networking protocols and concepts
  • Experience with container technologies and orchestration (e.g., Docker, Kubernetes)
  • Familiarity with common compliance standards (e.g., CIS, SOC 2, ISO 27001, HIPAA)
  • Experience with version control systems (preferably Git)
  • Excellent problem-solving and analytical skills
  • Strong written and communication skills with proven fluency in English
  • Ability to articulate complex security and IT concepts to both technical and non-technical audiences

PREFERRED QUALIFICATIONS

  • Master’s degree in Cybersecurity or related field
  • Relevant security certifications (e.g., OSCP, CISSP, CCSP, CSPM)
  • Cloud-specific certifications (e.g., AWS Certified Security - Specialty, Azure Security Engineer, Google Professional Cloud Security Engineer)
  • Experience with multiple cloud platforms (AWS, Azure, GCP)
  • Familiarity with cloud-native security tools and services
  • Experience with SIEM tools and log analysis in diverse IT environments
  • Knowledge of compliance frameworks for both cloud and on-premises infrastructures
  • Familiarity with threat modeling and risk assessment methodologies for various IT architectures
  • Knowledge of cryptography principles and implementations across different platforms
  • Experience with security automation and orchestration tools in heterogeneous environments
  • Contributions to open-source security projects or tools
  • Previous experience participating in or leading RFC processes for complex security architectures

Responsibilities:

We’re seeking a skilled Security Policy Engineer to join our dynamic team. In this role, you’ll be responsible for translating complex security requirements into code, implementing and maintaining security policies across our infrastructure, and collaborating with various teams to ensure our systems meet the highest security standards. You’ll play a crucial role in our “policy as code” approach, helping to automate and scale our security practices.

  • Translate security requirements and compliance standards into executable code and policies
  • Develop, implement, and maintain security policies using policy as code frameworks (MQL)
  • Collaborate with security, development, and operations teams to integrate security policies into CI/CD pipelines
  • Design and implement automated security checks and controls across cloud environments (AWS, Azure, GCP), Kubernetes and operating systems
  • Contribute to the development of internal security tools and libraries
  • Participate actively in our RFC (Request for Comments) process for security architecture and policy decisions
  • Conduct security assessments and audits to ensure compliance with internal policies and external regulations
  • Optimize existing security policies for performance and scalability
  • Stay up-to-date with emerging security threats, compliance requirements, and best practices in policy as code
  • Troubleshoot and resolve security policy implementation issues
  • Provide guidance and training to other teams on security policy implementation and best practices
  • Contribute to the continuous improvement of our security posture and processes


REQUIREMENT SUMMARY

Min: 3.0, Max: 8.0 year(s)

Information Technology/IT

IT Software - Network Administration / Security

Software Engineering

Graduate

Computer science cybersecurity or related field

Proficient

1

Home Office, Germany