You'll need to be located somewhere between the Pacific Time Zone (UTC-8) and the Central European Time Zone (UTC+1)
About Us and Why We're Hiring
We're YNAB ("why-nab"), a financial education company with a money management app. We teach four habits that change your relationship with money—so you love how you spend and celebrate how you save. For nearly two decades, people have been using YNAB and then telling their friends what a difference it has made in their lives. Check out our community on Facebook, TikTok, or Reddit (really!), or read some of our app reviews, and you'll see what we mean. We love building something that has a huge positive impact on people's lives.
Before we can help them love their spending, people need to trust YNAB with private details of their lives. And to those who work here, YNAB embodies years of relentless effort to craft something uniquely wonderful. Honoring that trust and protecting the company we're proud of is why this position of Security Lead exists. Our Security Lead is dedicated full-time to safeguarding YNAB, and they have a single primary outcome to achieve:
Keep YNAB Secure.
You're the Security Lead we're looking for if the thought of anchoring our commitment to protecting YNAB and its customers resonates deeply. You navigate security complexities with a blend of technical expertise, empathetic leadership, pragmatic problem-solving, and an eagerness to go hands-on. You take ownership of security, including assessment, strategy, communication, and execution.
If you're the one we're looking for, you have high standards for all aspects of security. You cultivate, evangelize, and teach these standards—and hold the organization accountable for them. But you don't dictate security by fiat; you nurture the team and work alongside them to surface the decisions and approaches best suited to YNAB.
Requirements (these are real, actual requirements)
We're looking for a leader and doer in security, but that doesn't mean you've held a specific title for a particular time. We expect you'll be most successful in this role if you have at least five years of deep and rich experience in a SaaS environment (whether that be in security, engineering, or management).
In this role, you'll have three main responsibilities:
Your primary focus will be cybersecurity—protecting our systems and data from digital attacks, theft, damage, and unauthorized access. This requires employing a wide range of techniques, technologies, processes, and practices to safeguard the integrity, confidentiality, and availability of our information and systems from a growing volume and sophistication of cyber threats.
You'll partner with Operations on compliance to ensure our security practices, policies, and procedures meet industry standards and regulatory requirements. You'll take ownership of the relevant technical and security aspects and help with implementation efforts.
You'll also be responsible for customer protection, working to help users be more secure by evaluating and improving YNAB measures that allow customers to protect themselves.
That's a super brief intro to what you'll be working on. But first, you need to know if you'll even like working with us. Let's talk a bit about life at YNAB, and then we'll go into more detail about what we're looking for.
YNAB started in 2004 and we haven't taken any outside funding—we're established, profitable, and in this for the long haul. We have one overarching requirement when it comes to joining our team: our original Core Value Manifesto has to really click with you. If you're nodding emphatically while reading it, you'll probably really like it here, and we can't wait to hear from you!
We live our Core Values every day at YNAB, and we mean it when we say we are an equal-opportunity employer. We believe that a diversity of backgrounds, abilities, beliefs, and experiences is critical to our success, and we are passionate about creating a welcoming, supportive, and collaborative environment for all employees. All are encouraged to apply as we continue to grow a smart, hard-working, and diverse team that loves working together to build something that matters.
We also work really hard, together, to make working at YNAB an amazing experience, and we're (humbly) proud to have received many of Fortune's "great place to work" awards over the last several years. We have a team full of truly exceptional people—the kind you'll be excited to work with. We'd love to introduce you to a few of them!
Who you'd be working with:
You'll function most closely with Sebastian, our Head of Technology, Buffy, our Director of Engineering, and Chance, our Head of Operations.
Sebastian oversees our technical strategy, directs research and development efforts, and leads our engineering organization. He lives in an old farmhouse in Switzerland with his partner Tina, three dogs, and nine cats. They love living in the countryside, where Sebastian continues to convince himself that handyman skills can be learned.
Buffy has been a Buffy since before Buffy the Vampire Slayer, and one of her life regrets is not buying buffy.com while she was in college. She loves a good debugging session. When she's not cleaning up our infrastructure, she's probably knitting socks, biking, or otherwise frolicking outdoors with her family. She's a lifelong New Englander, so be sure to tell her you love vacationing "in Cape Cod" and then please, watch her face very carefully for a reaction.
Chance gets to obsess about building a great company and making sure that people really love their work at YNAB. He cares deeply about YNAB and the people who make it a success. When he's not championing the YNAB team experience, you'll find him with his family outside in Southern Utah, usually on a hike, a mountain bike, or the lake.
Truthfully, you'll have interactions and influence across much of the organization and probably cross paths with many at YNAB at some point. We can't even list them all, really. But we can say that we are all excited to get to know you.
How You'll Work at YNAB
Now that you've met some of your potential future teammates, let's talk more about YNAB as a company. Here's how we operate:
Responsibility and Empowerment
YNAB appreciates, respects, and trusts the expertise and judgment of its people. We empower them to do what they think is right.
We also work collaboratively. We continuously seek the right amount of structure and unity necessary to maximize productivity. Where it makes sense, we designate someone to make a call.
Even though our people are right a lot, it's okay to make mistakes here. Exploration and calculated risks are vital to velocity and growth. We freely admit when we're wrong. If something doesn't go as expected, we learn, bounce back, and make corrections.
You won't be alone; others will be there to help, review, reassure, and back you up. We own our processes and collective outcomes as a team.
Live (Almost) Anywhere You Want
We've always been a fully remote team, and have people all over the world. For this role, you'll need to be located somewhere between the Pacific Time Zone (UTC-8) and the Central European Time Zone (UTC+1). For instance, North America and most of Europe work well. Wherever you are, just make sure you have a reliable internet connection. Like, a really good one. Please.
Work Four Days a Week
We've adopted a four-day work week (still 100% paid!) and rarely work more than that. There are occasions and seasons where things get busy and people put some extra time in—but then we encourage them to take some extra time off, too. We work hard and smart and we care deeply about what we do, but we also love our families and about 2,000 other things. We have perspective and, ultimately, we think it makes us—and our work—even better.
Flex Your Work Schedule
We're fully remote, so a lot of our work is done asynchronously, but we love working together in real time when it makes sense. We try to schedule most meetings between 12-3 pm Eastern time (16:00-19:00 UTC) Monday-Thursday. Outside of your meetings, we trust you to set your own schedule by balancing your team's needs with your own needs. You don't need to ask for permission to take off early one afternoon to see the doctor, or be "active" on Slack if you're working deeply on a project. We look at what you accomplish—not when or how long you're in front of a computer.
Take Vacation (Seriously)
We want you to take vacation. In fact, we have a minimum vacation policy of three weeks per year. Five weeks feels about right (plus two extra weeks for our company-wide December Break). It's important to get plenty of downtime and to get out and do something. We'll look forward to seeing pictures of your adventures in our #office-wall Slack channel!
Meet Your Team
Some of our best work (and bonding!) is done in person. You'll generally have the opportunity to meet with your team once or twice a year, at a small-team work-focused meetup, or at our company retreat. At the YNAB retreat, we love to catch up on spreadsheets and powerpoints in a Best Western conference room. Just kidding. (It's actually hard to write that sentence, even knowing it's a joke.) So far, we've gone to Costa Rica, a gigantic cabin in the mountains, a beach house in the Outer Banks, a ranch in Montana, Laguna Beach, and most recently, Palm Springs. We work together, play together, and reinforce the bonds we've made as a team and company. Every time we meet up, we leave refreshed, motivated, and excited for the year ahead together.
Up Your Game
We're serious about helping you improve your craft. It's one of our favorite savings categories, and it's the most important work of our managers. Think conferences, online courses and subscriptions, dedicated time away from work to learn something new… It's really up to you and your manager. But we love to see our people grow.
Other Benefits
Our team is spread all over the world—mostly in the United States, but also in the UK, Canada, Germany, Brazil, Mexico, and several other countries. Team members who live in the US or UK are set up as employees, and those who live in other countries set themselves up as independent contractors. No matter where you live, you're eligible for our generous paid family leave, vacation, holidays, and sick time.
If you're in the US, we also offer fantastic health, dental, and vision insurance, where we cover 100% of the premium for you and your family. No need to check your vision, you read that right—100%. (Although if you did need to check your vision, NBD, we've got you covered!) We also have a Traditional and Roth 401(k) option, where YNAB matches your contributions up to six percent, and matches vest immediately. (Are you a personal finance junkie like our founder Jesse? He set up YNAB's 401k to have the lowest fee structure possible, where all plan costs are paid by YNAB, not your retirement nest egg. The investment funds available are fantastic, passively-managed, ultra low-cost index funds. You're not a PF junkie? Trust us, it's awesome.) If you're in the UK, we also contribute six percent to your pension.
Competitive Compensation
At YNAB, we're committed to equitable, market-driven, data-based compensation and we aim to offer a competitive benefits package to our team members. The starting salary for this role will be between $142,000 - $170,000 USD annually (with the top of that range reserved only for the most experienced candidates). If we decide to make you an offer, we'll determine the most appropriate number based on what we know about your experience and competency for the role, and then we'll make you our best offer and hope that you accept! If you join our team, you'll also be eligible for a raise once a year and for our profit-share twice a year. (YNAB wins, you win—that kind of thing.)
A Few Final Tidbits
Once you start, we DEMAND (in a friendly, ALL CAPS IS YELLING way) that you fill out your "Bucket List" spreadsheet with 50 items. (That's harder than it sounds!)
We love to celebrate with you when you complete something on your bucket list—AND, we love using your bucket list as inspiration for your best birthday present(s) ever.
We want you firing on all cylinders, so we'll set you up with a shiny new computer and replace it every three years.
Did we mention that YNAB makes a huge, positive difference in people's lives? You may not think that matters much, but then a few months down the road, you'll realize it's made your job really, really enjoyable. Don't underestimate this one!
If this sounds like your ideal environment, read on because now we want to talk about you, and how you'll play a big part in changing people's lives.
Now back to you, our new Security Lead….
As our Security Lead you know that safeguarding our customers, the company, and the team is critical to our success, and you're passionate about security outcomes. You have an empathetic and pragmatic approach to driving safety and integrity.
This is a big-picture-but-also-hands-on role. As our Security Lead, you have broad technical skills in security in a SaaS context, are adept at analyzing risk, prioritizing initiatives and issues, and have the drive and experience to personally complete a comprehensive set of security tasks. You are committed to being in the day-to-day work, bold about diving into details, and willing to roll up your sleeves and engage with any security job at hand. You readily act in circumstances of less-than-perfect knowledge and know getting started is often more important than waiting for the ideal process. You also know how to balance pragmatism with process.
The big-picture part of the role comes in the form of a leadership aspect, and as our new Security Lead you have the mindset of owning security at YNAB. You'll help us figure out what to do to keep YNAB safe and move things forward until we achieve those objectives. You are someone who can inspire with practical and effective communication.
Let's get down to brass tacks: As we mentioned earlier, your three main responsibilities will be to ensure cybersecurity, assist Operations with compliance, and promote customer protection. Here are some possible examples of what this might look like in practice—but know that you'll also help us shape this role and determine what's most important to focus on.
To ensure cybersecurity:
Risk Assessment and Mitigation: Regularly conduct risk analyses to identify and prioritize potential security threats and develop strategies to mitigate these risks. Prepare for possible threats that could disrupt operations.
Incident Response and Management: Own the response to any security breaches or incidents, including analysis, containment, postmortems, and prevention of future occurrences.
Collaboration and Communication: Work closely with different teams, including product management, engineering, operations, marketing, and customer support, to ensure a unified approach to security.
Secure Systems Consultation: Act as a primary internal consultant for designing and implementing secure systems. For example, working with Operations/IT to ensure we have configured our internal business applications correctly and securely or researching and recommending cloud providers for security-sensitive areas like identity management or account provisioning.
Security Awareness and Training: Educate and train teammates on security best practices and evaluate and recommend practical internal training materials.
Monitoring and Reporting: Continuously monitor the security landscape, analyze security logs, and report on security health and incidents.
Intrusion Prevention: Investigate intrusion and account takeover attempts and recommend infrastructure improvements to make subsequent tries easier to identify and block.
Security Tooling and Automation: Recommend, implement, and manage security tools and automation to enhance security efficiency and effectiveness. For example, a Security Information and Event Management (SIEM) system that's appropriate for a fully remote SaaS company. Find the right balance between usefulness and intrusion on employees.
Continuous Improvement: Regularly review and update security policies and procedures to adapt to new threats and technological advancements. Seek to make them truly useful rather than just checking a box, and find ways to be ever more effective while less intrusive.
Advocate for Security Initiatives: Champion new security initiatives that align with YNAB's business objectives, ensuring that security considerations are part of the decision-making processes.
Triage Security Reports: Monitor and process incoming security messages, for example, from a security email box or our Bug Bounty program. Assess urgency and importance and prioritize responses according to severity.
Outside Entity Coordination: Respond to security questionnaires from potential vendors. Evaluate and coordinate with external vendors for things such as performing penetration testing, and help distinguish between marketing fluff and actual value.
To assist with compliance, in partnership with Operations:
Regulatory Compliance Management: Ensure YNAB's practices align with relevant regulations such as GDPR, CCPA, or other data protection laws applicable to YNAB's operations.
Compliance Framework Implementation: Integrate compliance frameworks like ISO 27001, SOC 2, or other industry-specific standards into YNAB's security practices—in ways that genuinely make YNAB more secure.
Policy Development and Review: Create and regularly update internal security policies to comply with changing regulations and best practices and make policies YNAB-useful rather than boilerplate.
Compliance Audits and Assessments: Conduct assessments to identify areas of non-compliance and rectify them in a YNAB-thoughtful way. Go toe-to-toe with external auditors and vendors to explain why we may do things differently at YNAB and why that's sufficient.
Vendor and Third-Party Management: Evaluate and ensure that third-party vendors and service providers adhere to necessary compliance standards.
To promote customer protection:
Promote Secure Customer Behavior: Help improve our systems that assist customers in avoiding bad or breached passwords, encourage the use of two-factor authentication, and resist phishing schemes and self-XSS attempts.
Data Protection and Privacy Responses: Help respond to GDPR/CCPA requests and field internal and external questions regarding the treatment of sensitive data.
External Policies: Keep our public-facing security and privacy policies and information up to date, meaningful, and helpful to customers.
That's a whopping twenty bullets! Want fewer words? You're amazingly genuine and genuinely amazing, and with your direct help and leadership, our product, organization, and customers will stay safe.
How to Apply
by Sunday, March 17th @ 11:59pm PST.
Here's an overview of the application process:
We anticipate the application may take you 90 minutes or more to complete. We'll do our best to make the process enjoyable (as much as filling out a job application can be).
We'll ask you 29 questions (including 9 that are optional, and many multiple-choice), across these general areas:
Your contact information and location
A simple summary of your education and work history
Your familiarity with various security topics and technologies
Responses to a short questionnaire so we can get to know you better
We mean what we say. There are no trick questions, you can take everything at face value, and if we say something is optional (even your resume is optional!), we mean that you truly won't be penalized for leaving it blank.
There's no need to finish it in one session. You can always start your application, and then click the "Save application for later" link at the bottom to—you guessed it—finish it up later. (Before the application deadline, please!)
A real person will review your application, and we'll get back to you regardless of the outcome.
A few final notes:
Here is an overview and rough timeline for our full hiring process. It's rigorous, but we also hear that it's fun (truly!). We enjoy getting to know you throughout, and we make sure you have plenty of chances to get to know us, too.
Our goal is to make our hiring process as accessible as possible. If we can help you with an accessibility need, email us at accommodations@ynab.com and indicate in the subject line that you're applying for the Security Lead job. (Please note that we can only respond to messages related to accommodations at this email.)
We're excited to hear from you!
P.S. If you're not interested in this position right now, but know someone who might be, we'd appreciate you passing this along!