The Proterra Story
Communities are growing and evolving, and with that, our transportation needs are changing. Now more than ever, we need smart solutions that provide safer, more reliable and cleaner transit. Every day, Proterra works to meet those needs, with the world’s best-performing zero-emission buses. Our revolutionary battery-electric buses help fleet operators abandon fossil fuels, improve environmental quality and reduce operating costs. Join the Proterra Revolution.
Position Overview
The Sr. Risk and Security Specialist will provide comprehensive support to Proterra’s IT team and serve as the subject matter expert responsible for Proterra’s security risk, privacy, and business continuity programs. You will help us identify and assess the most critical risks, ensuring our top problems are addressed as required. You will be a cross-functional champion for security risk management and support risk owners by guiding them to be cognizant of critical issues and assisting them in defining the best risk response strategy. You will own vendor relationships and partner with legal, HR and other departments on third-party security risk and privacy. You will own compliance with privacy regulations and also build and monitor continuity plans for our critical systems, environments and products. The ideal candidate will bring exceptional risk management and compliance experience, have a solid understanding of privacy and international compliance laws, have excellent communication skills, and have the ability to plan and innovate on solutions to solve complex problems. This position will report to the and collaborate with other IT team members located at our headquarters in Burlingame, CA, our manufacturing facility in Greenville, SC, and Los Angeles, CA.
About the Role – You Will:
- Evaluates the organization for potential security risks, opportunities for improvement, and proposes solutions for minimizing and mitigating the risks identified.
- Designs and coordinates enterprise-wide privacy risk assessments to identify key privacy risks and prioritize compliance monitoring efforts for the Privacy Compliance function and areas of focus across the enterprise.
- Identifies opportunities to improve risk posture, developing solutions for remediating or mitigating risks and assessing the residual risk.
- Leads examinations and monitoring activities over a spectrum of IT Security / Cybersecurity topics to determine the effectiveness of Proterra’s IT risk management program and validate remediation efforts of identified issues.
- Works with management in the development and implementation of appropriate internal controls and measurements to reasonably ensure that the activities of the organization comply with the law, regulation, and rules.
- Develops and coordinates security and vendor risk management frameworks, policies and processes within a broader enterprise, operational and IT risk management model.
- Engages the leadership team, employees, and volunteers in a culture of security and safety.
- Owns security risk register and related functions.
- Coordinates the identification and ranking of security risks and vendor risks.
- Coordinates the classification and tiering of vendors by risks and risk impacts.
- Tracks identified risks and risk events.
- Performs compliance audits to determine whether established protocols are being followed and where they can be improved.
- Communicates identified risk requirements and violations to internal stakeholders (and end users within the business) and responsible vendors while supporting the response to and the addressing of these issues.
- Builds communication and escalation plans around security risk management and vendor risk management activities within the enterprise.
- Ensures the organization maintains appropriate IT security, administrative, technical, and physical safeguards to protect information, working in collaboration with the head of security or designee.
- Understands and applies relevant regulatory and legal compliance requirements.
- Manages vendor risks as defined in vendor contracts and in accordance with existing risk management programs and policies.
- Develops, monitors and possibly executes vendor remediation actions, mitigation and contingency plans when risks or events are identified.
- Partners with sourcing and vendor relationship/contract management functions, where they are not part of this group, to manage vendor behavior.
- Collaborates, as appropriate, with information security, finance, compliance and/or disaster recovery and business continuity management and other risk functions to maintain an enterprise risk management program.
- Reviews contracts for appropriate security language and coordinates with legal so that correct contract language is maintained for all vendors.
- Collects and reviews SOC 1 and SOC 2 reports for appropriate security controls, along with the Proterra vendor security questionnaire.
- Works with regulatory officers and auditors as necessary.
- Examines subrecipient single audit reports, financial statements, and other financial documentation. Evaluates subrecipient findings and corrective action plan, assigns subrecipient financial risk assessment level, maintains subrecipient risk assessment database and completes and sends management decision letters.
- Performs focused information risk assessments of existing or new services and technologies, along with business counterparts.
- Determines compliance metrics/KPIs, establishes and maintains systems for tracking compliance practices, and develops dashboards and reports on risk and privacy.
- Builds dashboards and reports on Security Risk.
- Develops training and materials to educate the research community about compliance policies and protocols.
- Creates a compliance resource library for staff members to reference when they have questions.
- Communicates risk assessment findings to team owners and custodians of information risk (“business partners”), or to information governance and information security teams.
- Provides consultative advice to information governance or security teams that enables them to make informed risk management decisions.
- Identifies and facilitates implementation of appropriate controls to effectively manage information risks as needed.
- Maintains strong working relationships with individuals and groups involved in managing information risks across the organization.
- Assists in responding to audits, penetration tests and vulnerability assessments.
- Researches, designs, and implements cyber security solutions for organization systems and products that comply with all applicable security policies and standards.
- Works with IT and internal and external business partners to ensure that security is factored into the evaluation, selection, installation and configuration process of hardware and software.
- Assists in the review and update of cyber security policies, architectures and standards.
- Participates in the planning and design of enterprise security architecture where appropriate.
- Recommends additional security solutions or enhancements to existing security solutions to improve overall enterprise security.
- Creates and owns business continuity/disaster recovery plans, to include conducting disaster recovery tests, publishing test results and making changes necessary to address deficiencies.
- Other duties as assigned by management.
About Our Group
- As strategic partners, the Information Technology team strives to ensure that our values, culture and engagement always allow us to do great things for our company.
- We strive to provide the highest-level service and support to our clients daily.
- We work collaboratively to build strong relationships with our clients, partners, and own team.
- We treat each other with respect, and always try to have a little fun every day!
- You will report to the and collaborate with other IT team members located at our headquarters in Burlingame, CA, our manufacturing facility in Greenville, SC, and Los Angeles, CA.
About You
- Highest ethical standards and values. Ability to maintain strict confidentiality, establish trust and credibility, and act with complete integrity.
- Can interface with, and gain the respect of, stakeholders at all levels and roles in the company.
- Is confident, with strong interpersonal skills.
- Self-motivated and possessing a high sense of urgency and personal integrity.
- Self-starter with the ability to adapt interpersonal styles and techniques to influence at all levels of the organization.
- Ability to identify and assess the severity and potential impact of risks, and to communicate risk assessment findings to risk owners outside the cybersecurity program in a way that consistently drives objective, fact-based decisions about risk that optimize the trade-off between risk mitigation and business performance.
- Customer-focused attitude, with high level of professionalism and discretion.
- Detail-oriented, resourceful and diligent.
- Strong time management and organizational skills.
- Sound judgment and team problem-solving skills.
- Excellent English written and verbal communication skills.
Your Experience Includes
- 10+ years of work experience in information security, especially in an information risk analysis role.
- 6+ years of experience with regulatory compliance and information security management frameworks (e.g., International Organization for Standardization [ISO] 27000, COBIT, National Institute of Standards and Technology [NIST] 800 series).
- One or more of the following certifications: Certified Information Systems Security Professional (CISSP); Certified Information Security Manager (CISM); Certified Information Systems Auditor (CISA).
Location: Remote, USA
**Travel:** 0 - 25%
_Proterra is an Equal Employment Opportunity Employer, providing equal employment opportunities to all Employees and applicants for employment without regard to race, color, creed, religion, sex, sexual orientation, gender identity, national origin, disability, age, genetic information, veteran status, pregnancy, childbirth, or related medical conditions, including, but not limited to, lactation or any other characteristic protected by applicable federal, state, or local law or ordinance. Proterra participates in the Electronic Employment Verification Program (E-Verify)._
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)