Lead Information Security Analyst || Governance, Risk & Compliance
sweetgreen is hiring a lead information security analyst to help build our governance, risk and compliance (GRC) function in order to keep our enterprise safe and enable our organization to scale on reliable, flexible, fast and--most importantly--trustworthy platforms. We’re accepting applications from now until we find the right candidate.
We are building GRC as a functional competency within the larger cybersecurity program. As a lead information security analyst, you can expect to be focused on building frameworks and processes which allow us to measure compliance against our policies; understand the efficacy of countermeasures and controls; calibrate and articulate risk to the larger organization; and develop feedback loops to ensure continuous improvement in the organization’s security posture. What you build will be used in every part of the organization, from the stores to the corporate environment (called the Treehouse) and even our digital products.
Top Outcome - Within one year, you will design and operationalize a GRC function through which we can consistently and scalably orchestrate core security processes and procedures appropriate to each business unit within the organization. The effect of this work is that you will have created a risk management framework which enables us to react appropriately to emergent threats and plan accordingly to effectively mitigate vulnerabilities; you will have generated a comprehensive collection of all known accepted risks and will have the appropriate owners on a path to remediation; you will be able to articulate the effectiveness of established countermeasures; and you will be able to drive policy review and modernization to ensure it continues to reflect sweetgreen’s goals and values.
- Get to know the business: Through observation, engagement and interviews with stakeholders across the business including IT, engineering, supply-chain and restaurant systems, by day 21 you should have a good understanding of the core systems and platforms that sweetgreen operates upon and be able to articulate & document deficiencies in visibility, detection, alerting and processes which would prevent us from being able to achieve compliance with existing standards, such as PCI-DSS or new standards such as SOC 2.
- Drive Prioritization and Design Workstreams: Within 45 days, you should have a strong understanding of known deficiencies based upon existing standards as well as sweetgreen security policies. In cooperation with peers in Security as well as stakeholders across the business, you will need to design, document and socialize a risk management framework to prioritize the severity of those deficiencies, assign risk owners and work with those owners to develop a mitigation plan in accordance with an agreed-upon timeline.
- Define the Path to SOC 2 Compliance: By 60 days in seat, you will have presented the risk management framework to the other stakeholders and developed a process to operationalize the framework. From there, using the prioritized list of deficiencies as well as the requirements stipulated in the SOC 2 framework, you should define & document realistic milestones and deliverables, down to the story-level, describing the core actions sweetgreen needs to take to achieve SOC 2 compliance.
- Drive Implementation: No later than day 75, you should be wholly focused on working with stakeholders across the business to eliminate high-risk deficiencies and build the processes necessary to achieve compliance confidently and consistently with minimal ongoing manual intervention.
- Documentation: In order to ease future teammate onboarding, debugging, and knowledge sharing of complex services while mitigating the risk of tribal knowledge, within 30 days in seat, you’ll contribute to our established information architecture within Confluence and put a plan in place to realize 100% documentation of the functions you own.
- Monitoring Functional Health: By day 90, you will have a plan in place to implement KPIs and metrics that allow us to understand the overall health of the security program and track progress on resolving identified risks.
A successful candidate will be a seasoned information security analyst with deep familiarity with core security tenets and principles, as well as knowledge of common preventative technologies. You should have expert-level knowledge of PCI-DSS, SOX-IT, ISO27001, NIST Cybersecurity Framework, CIS Top 20 and SOC2 compliance requirements. Additionally, you should be very comfortable identifying, calibrating and tracking
what security means at sweetgreen
Fortune favors the bold, and nowhere is that more true than sweetgreen cybersecurity. We want you to help us reimagine what security means by turning old, antiquated traditions on their ears and challenging every assumption. While our security program is rooted in the principles of the NIST Cybersecurity Framework, we recognize that delivering on those principles doesn’t look the same for everyone.
We value fire prevention over fire fighting. Yes, you will have some fires to put out, including incident response and remediation, but your focus will be on building foundational processes and frameworks that are fault tolerant and scalable which allow us to orchestrate and govern the core security program.
Though there’s more work to do than people to do it, we always aim to achieve our objectives with people, processes and policies before we apply technology. We choose our tooling very carefully with an eye toward how it may be used to help other parts of the organization achieve their goals. To that end, we lean heavily on FOSS (free and open source software) capabilities to help us deliver on our outcomes. We welcome you to contribute to FOSS communities as you discover innovative ways to solve the challenges presented to you, and to promote sweetgreen’s contributions to the security, risk, compliance and privacy communities.
We value the ideas and contributions of all of our teammates, no matter their background or what part of the business they come from. We want people who are just as eager to learn and experiment as they are to teach technical and non-technical audiences. That said, we expect you to passionately defend ideas and principles which promote trust from our customers, our teammates and the communities we serve.
We’re looking for builders. We’re looking for people who are excited to be on the ground floor, knowing that it will be their designs, their plans and their influence which shape the future of sweetgreen’s security posture.
The sweetlife awaits
As a member of team sweetgreen, you’ll enjoy competitive pay and be eligible for bonuses based upon your performance and experience. You’ll have the opportunity to take advantage of a comprehensive benefits plan, including medical, dental and vision amongst other benefits.
sweetgreen truly values feeding the whole person; that includes providing flexible time off in addition to continuous education and training opportunities. We know being successful in this role means keeping up with an ever-evolving adversary—we want you to participate in the security community, whether that be as a conference attendee or as a speaker. Furthermore, we will work together, along with our business partners on the people team, to design a growth and progression plan aligned to your career goals, and we will check in often to make sure you have the tools you need to succeed.
sweetgreen is on a mission to build healthier communities by connecting people to real food. We passionately believe that real food should be convenient and accessible to everyone. Every day in each sweetgreen restaurant, our team members make food from scratch, using fresh ingredients and produce delivered that morning. And in our local communities, we’re committed to leaving people better than we found them. We’re in the business of feeding people, and we’re out to change what that means. Our people are our most valuable ingredient - the heart of our company, the face of our brand, and what truly makes the sweetgreen experience special and unique.