Team Lead, Information Security
Tempe, AZ, United States
About Carvana
If you like disrupting the norm and are looking for a company revolutionizing an industry then you will LOVE what Carvana has done for the car buying experience. Buying a car the old fashioned way sucks and we are working hard to make it NOT suck. At Carvana, our customers can hop online to...
Search and browse our inventory of over 20,000 vehicles that we own and certify.
Narrow down search results using highly intelligent filtering tools/components.
View vehicle details, Carfax reports, and 360 rotating studio images for every vehicle.
Secure financing in minutes using Carvana's in-house service or their own bank.
Interact with GUI components to easily customize loan length, down payment, and monthly payment.
Generate, upload, and eSign all documents online (no ink necessary).
Schedule front door delivery or pick up at one of our vending machines.
Trade-in their existing vehicle or just sell it to Carvana (no purchase necessary).
For more information on Carvana and our mission, sneak a peek at our company introduction video or learn more about what it's like to work here from the people that already do.
About the team and position
We are looking for a proactive and experienced Team Lead, Information Security to manage our Application Security Program within our Information Security Team. In this role, you will be responsible for building and maturing our Application Security Program with a strong focus on initiatives designed to "shift left". This role is crucial in promoting early detection and prevention of security risks in our software development lifecycle.
What you'll be doing
Develop, manage and mature our application security program.
Identify and drive prioritization of key initiatives to mature the application security program.
Partner with cross-functional stakeholders to drive prioritization of key security initiatives alongside time-sensitive releases and features.
Implement "shift left" initiatives that include metrics to measure adoption, compliance, etc.
Engineer, design, implement and configure security into the Secure Software Development Lifecycle (SSDLC) to ensure security by design.
Introduce and implement security controls into the CI/CD pipeline and partner with engineering teams to increase adoption of automated security controls in the CI/CD pipeline.
Work independently and collaboratively to discover and remediate security risks and vulnerabilities.
Partner with engineering teams to ensure corporate-wide security policies, guidelines and best practices are implemented and promote secure coding practices.
Consult and advise development teams by serving as a Subject Matter Expert in the area of application security.
Evangelize security with our cross-functional stakeholders and engineering teams through a Security Champions Program.
Manage our bug bounty and responsible disclosure programs through the vulnerability management lifecycle.
Grow and manage a team of information security professionals over time.
What you should have
7+ years of experience in Information Security.
2+ years of leadership or experience maturing an enterprise-wide security program.
Deep technical expertise in web security (e.g. OWASP Top 10, CWE Top 25, etc.).
Deep technical proficiency with various build technologies, code repositories, and CI/CD pipeline processes.
Strong technical knowledge of scripting languages (e.g. Python, JavaScript, PowerShell, etc.).
Strong understanding of "shift left" concepts, DevSecOps principles and secure coding practices.
Exceptional analytical and problem solving skills.
Strong technical acumen, communication and influence skills.
Self-starter that works with minimal guidance and supervision.
Proven experience in recognizing complex problems and developing risk-based solutions to balance security and engineering requirements.
Proven ability to reprioritize or adapt with changes to the business needs and requirements.
Proven ability to drive influence and change with stakeholders with varying opinions on security topics.
It would be great if you also had
Information Security Certification.
Multi-Cloud Security Experience.
Consulting Experience.
Security Champions Program Experience.
What we'll offer in return
Full-Time Salary Position with a competitive salary.
Medical, Dental, and Vision benefits.
401K with company match.
A multitude of perks including student loan payments, discounts on vehicles, benefits for your pets, and much more.
A great wellness program to keep you healthy and happy both physically and mentally.
Access to training and conference opportunities as well as great on-the-job training.
A company culture of promotions from within, with a start-up atmosphere allowing for varied and rapid career development.
A seat in one of the fastest-growing companies in the country.
Other requirements
To be able to do your job at Carvana, there are some basic requirements we want to share with you.
Must be able to read, write, speak, and understand English.
Requires excellent visual acuity and manual dexterity.
Of course, we'll make any reasonable accommodations for those with disabilities to perform the essential functions of their jobs.
Legal stuff
Hiring is contingent on passing a complete background check. This role is not eligible for visa sponsorship.
Carvana is an equal employment opportunity employer. All applicants receive consideration for employment without regard to race, color, religion, gender, sexual orientation, gender identity or expression, marital status, national origin, age, mental or physical disability, protected veteran status, or genetic information, or any other basis protected by applicable law. Carvana also prohibits harassment of applicants or employees based on any of these protected categories.
Please note this job description is not designed to contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.