Job Closed
This listing is no longer active.
Manage, protect and monitor all your organization's passwords, secrets and remote connections with zero-trust security
Senior Security Compliance Engineer, AWS – FedRAMP High / DoD IL5
Location
All locations: California | Illinois
Posted
101 days ago
Salary
0
Seniority
Senior
Job Description
Keeper Security, Inc.
- Serve as the technical lead for FedRAMP High and DoD IL5 compliance, including continuous monitoring, control validation, and authorization activities
- Implement, operate, and validate AWS security controls aligned with NIST 800-53 High baseline and DoD SRG requirements
- Partner with cloud and platform engineering teams to review architectures, challenge non-compliant designs, and guide secure implementation
- Author, manage, and track POA&Ms, including root cause analysis, remediation planning, and reporting to 3PAOs, sponsoring agencies, and DoD stakeholders
- Coordinate vulnerability remediation and patching across AWS infrastructure and supporting services
- Lead audit readiness and evidence collection efforts, including improving automation for recurring FedRAMP and IL5 deliverables
- Provide secondary technical support for SOC 2, PCI DSS, and ISO 27001 compliance initiatives
Job Requirements
- Bachelor’s degree in Information Security, Computer Science, Engineering, or equivalent practical experience
- 7+ years of experience in cloud security or security compliance engineering
- 5+ years of direct, hands-on experience supporting FedRAMP High environments
- Strong working knowledge of NIST 800-53 controls, DoD SRG requirements, and continuous monitoring processes
- 5+ years of hands-on experience securing AWS environments, including IAM, logging and monitoring, encryption, and vulnerability management
- 5+ years of experience working directly with 3PAOs, auditors, and government stakeholders
- Demonstrated ability to translate regulatory requirements into practical, enforceable technical controls
- Due to the role’s involvement with GovCloud and DoD environments, candidates must be a U.S. Person.
Benefits
- Medical, Dental & Vision (inclusive of domestic partnerships)
- Employer Paid Life Insurance & Employee/Spouse/Child Supplemental life
- Voluntary Short/Long Term Disability Insurance
- 401K (Roth/Traditional)
- A generous PTO plan that celebrates your commitment and seniority (including paid Bereavement/Jury Duty, etc.)
- Above market annual bonuses
More Security Engineer Jobs
Information Security Engineer
Keeper Security, Inc.
Manage, protect and monitor all your organization's passwords, secrets and remote connections with zero-trust security
- Support and execute security incident response activities, including triage, investigation support, containment coordination, lessons learned, and corrective action tracking
- Develop and maintain incident response playbooks, runbooks, and escalation paths; participate in and help run tabletop exercises
- Operate and improve enterprise security controls and tooling (e.g., endpoint protection/EDR, SaaS security controls, email security, access control workflows), ensuring reliable configuration and ongoing effectiveness
- Partner with Observability Engineering to ensure security-relevant telemetry is available for investigations and response (without owning SIEM/telemetry platform administration)
- Partner with Vulnerability Management to drive remediation execution, validate fixes where appropriate, and reduce repeat findings through hardening and control improvements
- Coordinate security investigations with DevOps, IT, and Engineering teams; track actions through to closure and document outcomes
- Support access governance and least-privilege initiatives, including periodic access reviews, privileged access workflows, and secure authentication controls
- Create and maintain security documentation for processes, controls, and operational procedures to enable consistency across teams and geographies
- Assist with security control evidence and operational readiness activities for compliance frameworks (e.g., SOC 2, ISO 27001, FedRAMP/GovRAMP, NIST 800-53) in partnership with Compliance and platform teams
- Identify opportunities for automation to improve security operations efficiency (ticketing workflows, control checks, integrations, scripting)

- The Facility Security Officer (FSO) manages, administers and coordinates DoD and/or other agency industrial security programs and other security activities to ensure compliance with government and company security policies and procedures
- The FSO will process personnel security clearance investigations and maintain all security documentation, files, clearance, and suitability rosters in accordance with government requirements
- Responsibilities include administrating personnel security clearance processes, coordinating initial clearance submissions and periodic reinvestigations of staff, providing guidance and instruction to staff, collection of electronic fingerprinting, and providing follow-up clearance report statuses to managers for specific contracts
- Maintain all security documentation and files in accordance with DCSA requirements
- Provide Federal Agency or component personnel suitability processing support and coordination
- Provide and document new employee security briefings and exit debriefings
- Monitor and enforce annual refresher training completion and other annual employee security documentation requirements in the Learning Management System (LMS)
- Investigate and report security incidents and Insider Threat reports
- Provide security support to Human Resources, Contracts, and Proposal teams
- Advise personnel of their reporting requirements
- Interpret government policies for the development and implementation of security plans and procedures
- Maintain strong working relationships with DCSA and/or other Federal Agency representatives to facilitate accurate information sharing, incident resolution, and Insider Threat response
- Participate in the development and execution of security education programs including initial and annual refresher training
Security Manager
Shippo
Founded in 2013, Shippo is a logistics and supply company that provides shipping services to retailers, ecommerce platforms, marketplaces, and more. Operating f
- Define and own Shippo’s security strategy, translating business goals, customer trust needs, and regulatory requirements into a clear, prioritized security roadmap.
- Plan and execute quarterly security initiatives that deliver meaningful risk reduction and enable business growth.
- Continuously assess Shippo’s threat landscape and adjust priorities as the company, product surface area, and customer needs evolve.
- Secure Shippo’s cloud and application environments, with deep ownership of AWS security architecture and controls.
- Partner with Engineering teams to embed security into the SDLC, including application security reviews, SAST/DAST, dependency management, and secure design practices.
- Own security operations, including incident readiness, response, and post-incident learning.
- Lead security incidents end-to-end - from investigation and containment to postmortems and long-term remediation.
- Conduct security risk assessments across applications, infrastructure, vendors, and processes; clearly communicate findings and recommendations to stakeholders.
- Serve as the primary security point of contact for customer and partner security inquiries, audits, and escalations.
- Lead, coach, and support a small security team, setting clear expectations, providing actionable feedback, and fostering a culture of learning and ownership.

- Define and execute a multi-year product/security strategy and roadmap
- Lead a product security organization including hiring and performance management
- Engage directly with customers as security SME during sales cycles
- Ensure security is integrated into agile delivery through developer training and automated testing
- Evaluate customer agreements for alignment with internal capabilities
- Serve as a senior security advisor to engineering leadership


