SpaceX was founded under the belief that a future where humanity is out exploring the stars is fundamentally more exciting than one where we are not. Today SpaceX is actively developing the technologies to make this possible, with the ultimate goal of enabling human life on Mars.
SpaceX is supported by a multifaceted and globally distributed network of suppliers, integrators, and service providers who are subject to a variety of risks. These risks may affect the confidentiality, integrity, or availability of SpaceX systems and include insertion of counterfeits, unauthorized production, tampering, theft, and insertion of malicious software and hardware, as well as poor manufacturing and development practices in our supply chain. Without effective security processes and practices throughout the life cycle of a system, intentional and unintentional vulnerabilities can be placed into systems. The systems may then be exploited by attackers who insert malicious content, capture data, or create vulnerabilities, resulting in untrustworthy products or services, unanticipated failure rates, or compromise of critical missions and information.
SpaceX is seeking a supply chain information security assurance analyst to drive and manage the SpaceX Supply Chain Information Security Assurance program. The program focuses on the following continuous and iterative steps:
- Frame risk – establish the context for risk-based decisions and the current state of the information system or supply chain infrastructure.
- Assess risk – review and interpret criticality, threat, vulnerability, likelihood, impact, and related information.
- Respond to risk once determined – select, tailor, and implement mitigation controls.
- Monitor risk on an ongoing basis, including changes to an information system or supply chain infrastructure, using effective organizational communications and a feedback loop for continuous improvement.
- Monitor, evaluate and interpret – the evolving landscape of Governance, Risk and Compliance for information technology and information security
This person will own the Supply Chain Information Security Assurance Program to ensure SpaceX delivers on customer requirements, reduces risk and ensures mission success. We are a fast paced, multi-tasking, highly dynamic work environment with high degrees of autonomy and accountability.
- Own overall Supply Chain Vulnerability Management program and processes.
- Visit supplier sites to conduct assessments, audits, and program deployments as needed. Travel needs are dependent on status and phases of projects. Initial phases will require extensive travel.
- Assess, manage, and report on overall cybersecurity posture of our supply base, to include their security policies, procedures, and standards followed.
- Act as primary interface between SpaceX and suppliers in the event of a supplier security breach.
- Assist SpaceX security operations team in assessing risk to SpaceX and track supplier remediation efforts.
- Stay abreast of emerging cybersecurity trends and communicate risks to supply base.
- Communicate cybersecurity risk and awareness training to supply base.
- Identify and incorporate new regulatory and contractual requirements into our supplier management processes and related Information Security infrastructure.
- Represent the SpaceX Information Security program across our supply base stakeholders.
- Bachelor’s degree in information technology, information security/assurance, computer science, or similar technical field of study.
- Minimum 3 years of experience running and operating a security program based on ISO-27001, NIST 800-53, NIST 800-171 or similar framework.
- Experience leading a Third-Party Risk Management program (i.e. GRC).
PREFERRED SKILLS AND EXPERIENCE:
- Experience performing supply chain risk assessments to identify and articulate cybersecurity risks at suppliers
- Understand where DoD has been with DICAP, RMF as well as emerging frameworks like the Cybersecurity Maturity Model Certification (CMMC) and its impact on SpaceX supply chain and vendor relations.
- Understanding of cybersecurity controls to include access control, identification and authorization, incident response, and other preventative and detective measures.
- Experience in working with supplier IT and information security teams to assess, measure, and improve their information security controls to meet internal standards
- Hands-on experience in defining, selecting, deploying, and supporting information security tools and technologies
- Demonstrated technical project management skills
- Demonstrated capabilities to organize and track your own work, and the work of others
- Leveraging data collection tools and metrics to assure world class performance
- CISSP, CISA, or equivalent certification
- Experience working with internal or external organizations to conduct and manage audits
- Continued track record of getting things done quickly with high quality
- Experience managing large scale Vulnerability Management and Configuration Hardening processes
- Exceptional written and verbal communication skills
- Exceptional organizational skills
Understanding of the following:
- Other PII-related regulations
- To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR) you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.
SpaceX is an Equal Opportunity Employer; employment with SpaceX is governed on the basis of merit, competence and qualifications and will not be influenced in any manner by race, color, religion, gender, national origin/ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.
Applicants wishing to view a copy of SpaceX’s Affirmative Action Plan for veterans and individuals with disabilities, or applicants requiring reasonable accommodation to the application/interview process should notify the Human Resources Department at (310) 363-6000.