Staff Security Strategist GRC
Uber Eats
Full Job Description
Security Engineer, Engineering | San Francisco, California | Sunnyvale, California | Full Time
About the Team
Uber's Engineering Security team works to ensure the security of information for our full set of users - riders, eaters, drivers and partners. Our ultimate goal is to ensure that every experience with Uber is simple, secure, and safe. We are seeking a talented Senior Security Strategist, GRC to join our Tech Risk and Assurance team within Engineering Security.
About the Role
The Senior Security Strategist, GRC partners with engineering, security, and cross-functional risk stakeholders to strengthen Uber's cybersecurity posture through scalable cyber risk management, risk governance, and control design programs. This role is responsible for driving and implementing security, compliance, and risk management programs on the ServiceNow eGRC platform at Uber, working with the engineering team to develop and enable technical solutions that satisfy a variety of risk and compliance processes.
This role operates at the intersection of technical security, process design, and risk governance. The successful candidate will translate control gaps, threat and business context, and compliance requirements into practical risk treatment plans that engineering teams can execute, while driving consistent risk analysis, decision-making, and follow-through. The role is also expected to deliver the work products that Agile software development methodologies require.
What You Will Do
- Own cyber risk intake, triage, and prioritization, ensuring clear accountability, well-formed risk statements, and timely treatment decisions.
- Develop product strategy and lead project execution for multiple major components of Uber's Risk and Compliance technology solutions.
- Manage different solutions on Uber's internal eGRC platform (ServiceNow) and collaborate with stakeholders to implement their program improvements.
- Partner with engineering teams to define risk treatment plans, identify sustainable fixes, and drive mitigation or remediation to the last mile rather than stopping at documentation.
- Gather business and functional requirements from partner teams and deliver a product/release that meets the needs presented. Develop technical specifications documentation.
- Lead or materially contribute to control design reviews, risk assessments, and risk decisions that require judgment, stakeholder alignment, and tradeoff management.
- Drive and evangelize vision for overall GRC strategy across engineering and security organizations.
- Analyze and fully understand user stories and internal procedures in order to improve system capabilities, automate process workflows, and address scheduling limitations throughout the development and delivery of the eGRC platform.
- Work with developers to implement workflows from customer requirements including workflows, UI actions, client scripts, business rules, etc.
- Load, manipulate, and maintain data between the eGRC platform and other systems as needed.
- Build and maintain risk reporting for leaders and partner teams, including KRIs, exposure trends, risk acceptance aging, decision status, and escalation triggers.
- Design and develop dashboards, home pages, performance analytics data collectors, and reports as needed to support program requirements.
- Improve the efficiency of risk workflows through automation, better tooling, clearer operating models, and reusable knowledge assets.
- Perform system and integration testing with sample and live data.
- Review product performance and provide a continuous improvement path through leveraging industry standard tools and capabilities as well as building new ones.
- Serve as a bridge between cybersecurity, engineering, audit, privacy, and compliance stakeholders so that security risk becomes practical engineering action.
- Mentor analysts and junior security partners on risk analysis, risk statement quality, treatment planning, stakeholder communication, and operational rigor.
Basic Qualifications
- Bachelor's or Master's degree in Computer Science, Computer Engineering, Information Systems, Cybersecurity, Risk Management, or related field, or equivalent practical experience.
- 10+ years of experience in security, cyber risk, GRC, assurance, security operations, or related technical risk roles.
- Security certifications e.g. CISA, CISSP, CISM, or other relevant certifications.
- Demonstrated success managing security risk programs, treatment decisions, and cross-functional execution end to end.
- Strong understanding of security controls, risk treatment, and how to work with engineering on implementation details.
- Experience operating across multiple stakeholders, handling ambiguity, and driving accountability.
- Ability to effectively and autonomously accomplish outcomes across cross-functional teams in ambiguous situations with minimal supervision.
- Excellent written and verbal communication skills, including the ability to present risk, status, and decision points to leadership and technical audiences.
Preferred Qualifications
- CRISC, ISO 27001 Lead Auditor, or comparable additional certifications.
- Hands-on experience with ServiceNow eGRC platform, including configuration, workflow development, and integration.
- Experience with other GRC/ERM tooling such as AuditBoard, Archer, OpenPages, or SAP GRC.
- Big 4 accounting firm and/or internet/technology industry experience.
- Process management experience, including process redesign and optimization.
- Proven track record in driving security risk treatment to closure across multiple engineering teams.
- Ability to leverage AI, data analytics, and workflow automation to improve risk program performance and reporting.
- Experience with risk quantification methodologies and risk lifecycle tooling.
- Strong knowledge of control frameworks and standards such as NIST CSF, NIST 800-53, ISO 27001, NIST RMF, SOC 2, and CIS.
- Proficiency in Python, SQL, dashboards, or similar tools for data analysis and reporting.
- Ability to thrive in environments of uncertainty.