Coastal · 1 month ago
Security Risk & Controls Engineer
Coastal is at the forefront of modern banking, combining strong financial infrastructure with cutting-edge Banking-as-a-Service (BaaS) and fintech enablement strategies. The Security Risk & Controls Engineer will own the day-to-day health of Coastal’s Security Program, defining and maintaining the enterprise control baseline and implementing automated control processes to reduce risk and enable the business.
Financial Services
Responsibilities
Define, document, and maintain the enterprise control library mapped to the CRI Profile and FFIEC IT Examination Handbooks, aligning with GLBA, SOX, and PCI-DSS where applicable
Author and maintain control narratives, RACI, evidence requirements, testing procedures, and control objectives. Manage associated control versioning and approvals
Work with technical control owners to implement processes and automations appropriately aligned to written controls, policies, and standards
Own the Security Program Calendar to ensure cyclical controls occur on schedule (e.g., user access reviews, network security reviews, vulnerability & configuration scanning, DR/BCP tests, incident response tabletop exercises, vendor re-assessments, policy reviews)
Track status, remove blockers, and escalate risk of slippage for proper operation of both cyclical/scheduled and continuously operating controls. Maintain related reporting and KRIs/KPIs (on-time completion, pass rate, repeat findings)
Capture and curate complete, audit-ready evidence with chain of custody using an automation-first approach
Plan and execute Test of Design (TOD) and Test of Operating Effectiveness (TOE): walkthroughs, sampling, re-performance, and result documentation with clear workpapers
Partner with Security Engineering and IT to embed 'policy as code' and guardrails (e.g., identity, configuration, network segmentation, logging/monitoring). Own implementation of policy-as-code and other proactive automations wherever possible
Automate evidence collection and control testing via APIs/queries/scripts (e.g., Azure/Microsoft 365/Entra, Okta, Intune, GitHub, CI/CD, endpoint protection, vulnerability management, ticketing/GRC platforms)
Implement quality checks for completeness, accuracy, and timeliness of evidence
Perform targeted cyber/IT risk assessments (technology changes, third parties, products) and recommend compensating controls with clear residual-risk statements
Log, track, and validate remediation of issues and control gaps. Verify sustainable fixes and prevent recurrences by updating baselines, standards, and automation
Coordinate, prepare, and run responses to Internal Audit activities, regulatory examinations, independent audits, and customer/partner due diligence
Produce concise, defensible narratives, control maps, and evidence packages. Coordinate requests and brief stakeholders
Publish program health dashboards, KRIs/KPIs, and control maturity assessments to Enterprise Risk Management and to management and risk committees
Coach control owners on expectations, testing methods, and evidence hygiene
Assist in root-cause analysis for control failures and security events; drive durable corrective actions into standards, IaC/policy-as-code, and Security Program Operations
Maintain clear documentation (runbooks, playbooks, standards, FAQs) and contribute to security awareness content
Qualifications
Required
Demonstrated ability to operationalize FFIEC IT Handbooks and the CRI Profile into practical, auditable controls and testing procedures
Hands-on skill implementing proactive controls and automating control testing/evidence collection using APIs, various languages (Python, TypeScript, Bash, and/or PowerShell), and data pipelines/dashboards
Familiarity with Azure/Microsoft 365/Entra, Okta, Windows/Linux, networks, CI/CD, vulnerability management, EDR, logging/SIEM, and data protection
Experience with GRC platforms and workflow/ticketing systems
Strong understanding of FFIEC IT Examination Handbooks, NIST CSF, NIST SP 800-53, GLBA, SOX, and PCI DSS and ability to map and rationalize overlapping requirements
Excellent written/oral communication with proven ability to influence cross-functional teams and present to management and auditors
Bias for automation and measurable outcomes; comfortable in fast-moving, high-accountability settings
8+ years in Cybersecurity Risk, Governance, Compliance, Security Operations, and/or risk engineering
Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or related field; equivalent experience considered
Preferred
Experience in regulated industries, especially financial services, strongly preferred
Certifications preferred: CRISC, CISA, CISSP, CISM, CCSK/CCSP, AZ-500 (or comparable)
Benefits
Medical Coverage: Choose from three competitive medical plans to find the coverage that best fits your needs and lifestyle.
Health Savings Account (HSA): Available with eligible medical plans, offering tax advantages and employer contributions.
Flexible Spending Accounts (FSA): Options for healthcare and dependent care expenses to help you save on out-of-pocket costs.
Dental and Vision Insurance: Plans to keep you and your family smiling and seeing clearly.
Life Insurance: Company-paid basic life insurance with options to purchase additional coverage for yourself and your dependents.
Long-Term Disability (LTD)/Short-Term Disability (STD): Income protection in the event of a long-term illness or injury.
Supplemental Benefits: Including Hospital Indemnity, Accident Insurance, and Critical Illness coverage to provide extra financial support when you need it most.
401(k) Retirement Plan: A competitive retirement savings plan with company matching to help you plan for the future.
Paid Time Off: Generous vacation and sick leave policies to support your time away from work.
Holidays: Enjoy 11 paid holidays throughout the year.
Company
Coastal
At Coastal, we are redefining the banking experience through innovative embedded finance solutions tailored for the modern marketplace.
Funding
Current Stage
Growth Stage