Security Engineer (Contract)

Why We Exist and What We Do:

At Dr. Squatch (www.drsquatch.com), we’re raising the bar on men’s personal care with our line of natural, high-performance products. We’re on a high-growth, fast-moving ride, continually introducing new product categories, launching into retailers nationwide, and growing internationally. We have been recognized and certified by Great Place to Work® multiple times, and we achieved status as a certified B Corp in 2023. We are looking for passionate, talented people who want to join us in our mission to inspire and educate men to be happier and healthier!

About the Role:

We're looking for a Security & Privacy Engineer to support our efforts on a contractual basis to support the eCommerce team in securing our Shopify storefronts, maintaining our consent management solution, and standardizing and automating enterprise permissions at scale.  websites. 

This contract is ideal for someone who thrives at applying consistent permission structures to inconsistent SaaS applications to improve and standardize security across the company.

This role will be accountable to the Associate Director, Cybersecurity & Privacy.

Ideally, this contractor should be in the Los Angeles Metropolitan area.

The contractor term is anticipated to be up to 30 hours per week for approximately 12 weeks.

What You'll Do:

Identity & Access Management Responsibilities

You'll automate our identity and access management processes across cloud environments, SaaS platforms, and our enterprise stack. In-scope applications include Okta, NetSuite, Shopify, Looker, Snowflake, GitHub, and our social media websites.

• Platform Reviews
• Review the in-scope applications for permissions creep, stale accounts, and violations of our security policies.
• Partner with the business teams to understand how to apply least-privilege and Role-Based Access Control on each application. 
• Adjust permissions accordingly.
• Automations
• Assess the existing applications, users, and permissions identify opportunities for automation and standardization. 
• Automate and standardize the identity and access management processes across the company. 
• Provide knowledge transfer to internal IT/security teams as needed.

Security Responsibilities

You’ll be an embedded resource for our eCommerce and Data team and review our Shopify and GitHub environments to identify vulnerabilities and remediate the findings. 

• Security Scorecard Remediations - You’ll identify, classify, and remediate the high-risk findings in Security Scorecard to increase our website’s security posture.
• Akikido Remediations - You’ll deploy Akikido, train the teams on how to use it, and remediate the high-risk findings.

Privacy Responsibilities

You’ll partner with our eCommerce and Legal teams to ensure our existing Consent Management solution is harmonized with our Shopify storefronts.

Timeline

• Week 1: Dr. Squatch intro and Transcend/Shopify architecture review 
• Week 2-5: Transcend x Shopify Deep Dive and Alignment
• Week 6: Security Scorecard report review, and Github/Shopify assessment
• Week 7: Akikido deployment and training 
• Week 7-9: Security Scorecard high-risk remediations 
• Week 10: Review in-scope applications to identify and design automation opportunities
• Week 10-12: Implement automation strategies to better standardize and manage user permissions across all in-scope systems

The extension will be mutually agreed upon and confirmed in two-week increments. The confirmation extension should be completed no later than two weeks before the anticipated end date. We estimate that this project should take 20-30 hours per week.

Deliverables

1. Security Scorecard before and after report demonstrating risk reduction
2. Akikido/Github before and after report demonstrating risk reduction
3. Shopify Consent Management documentation
4. Automated provisioning/deprovisioning scripts or documentation
5. Knowledge transfer sessions and training materials

Ideal Contractor Skills & Experience

• DTC experience, specifically in securing Shopify-centric environments 
• Experience in a Consent Management platform or Shopify Privacy API
• Deep experience with IAM tools, preferably Okta
• Scripting and automation skills
• Excellent communication and documentation skills

#LI-BD1 #LI-CONTRACT

Who We Are:

Our core values come naturally and make us a better, more whole, and unique team. We are Bold & Innovative - we are creative, rethink how things are done, and find a way. We Play to Win - we have high standards, we encourage ownership of work, we are scrappy, we act with urgency, and we invest in the outcome of our work. We are Team Squatch - we are humble, help others outside our own wheelhouse, stay positive, have fun, and have approachable and transparent leadership.

We offer a competitive salary in a growth-focused & collaborative team environment. Benefits include medical, dental, vision, 401k with Squatch match, and PTO. We also have great perks like healthy snacks, frequent company events, and of course, free products!

For Applicants with Disabilities. Reasonable accommodation will be made so that qualified applicants with disabilities may participate in the application process. If you need any accommodations during the hiring process, please let us know when you submit your application and we'll do our very best to adjust as needed.

For Information regarding Data Privacy, please review https://privacy.drsquatch.com/. 

Unsolicited Resume Policy. Dr. Squatch (“DRSQ”) employs an internal Talent Acquisition department. Exceptionally, DRSQ may choose to supplement that internal team with support from temporary staffing agencies, placement services, and/or recruiting agencies ("Agency"). Agencies are hereby specifically directed NOT to contact DRSQ employees directly in an attempt to present candidates. DRSQ’s Talent Acquisition team is responsible for all candidate presentations to our hiring managers.

To protect the interests of all parties, Dr. Squatch will not accept unsolicited resumes from any source other than directly from a candidate. Any unsolicited resumes sent to DRSQ, including unsolicited resumes sent to a DRSQ email address or mailing address, directly to DRSQ employees, or to DRSQ’s resume database will be considered property of Dr. Squatch.

DRSQ will not pay a placement, service or other fee for any placement resulting from the receipt of an unsolicited resume. This also includes partial resumes, LinkedIn profiles, general candidate profiles, and/or candidate details or information. DRSQ will consider any candidate for whom an Agency has submitted an unsolicited resume to have been referred by the Agency free of any charges or fees.

DRSQ’s Talent Acquisition team must provide advance written approval to an Agency to submit resumes and/or profiles for a specific job-opening, and the approval must be in conjunction with a valid fully executed staffing, placement or other service agreement. DRSQ will not pay a fee to any Agency that does not have a fully executed agreement in place prior to submission, receipt and placement of candidates.