Humbly Confident Security Lead

About Us and Why We’re Hiring

We’re YNAB (“why-nab”), a financial education company with a money management app. We teach four habits that change your relationship with money—so you love how you spend and celebrate how you save. For nearly two decades, people have been using YNAB and then telling their friends what a difference it has made in their lives. Check out our community on Facebook, TikTok, or Reddit (really!), or read some of our app reviews, and you’ll see what we mean. We love building something that has a huge positive impact on people’s lives.

Before we can help them love their spending, people need to trust YNAB with private details of their lives. And to those who work here, YNAB embodies years of relentless effort to craft something uniquely wonderful. Honoring that trust and protecting the company we’re proud of is why this position of Security Lead exists. Our Security Lead is dedicated full-time to safeguarding YNAB, and they have a single primary outcome to achieve: 

Keep YNAB Secure.

You’re the Security Lead we’re looking for if the thought of anchoring our commitment to protecting YNAB and its customers resonates deeply. You navigate security complexities with a blend of technical expertise, empathetic leadership, pragmatic problem-solving, and an eagerness to go hands-on. You take ownership of security, including assessment, strategy, communication, and execution. 

If you’re the one we’re looking for, you have high standards for all aspects of security. You cultivate, evangelize, and teach these standards—and hold the organization accountable for them. But you don’t dictate security by fiat; you nurture the team and work alongside them to surface the decisions and approaches best suited to YNAB. 

Requirements (these are real, actual requirements)

We’re looking for a leader and doer in security, but that doesn’t mean you’ve held a specific title for a particular time. We expect you’ll be most successful in this role if you have at least five years of deep and rich experience in a SaaS environment (whether that be in security, engineering, or management). 

In this role, you’ll have three main responsibilities: 

• Your primary focus will be cybersecurity—protecting our systems and data from digital attacks, theft, damage, and unauthorized access. This requires employing a wide range of techniques, technologies, processes, and practices to safeguard the integrity, confidentiality, and availability of our information and systems from a growing volume and sophistication of cyber threats.
• You’ll partner with Operations on compliance to ensure our security practices, policies, and procedures meet industry standards and regulatory requirements. You’ll take ownership of the relevant technical and security aspects and help with implementation efforts.
• You’ll also be responsible for customer protection, working to help users be more secure by evaluating and improving YNAB measures that allow customers to protect themselves.

That’s a super brief intro to what you’ll be working on. But first, you need to know if you’ll even like working with us. Let’s talk a bit about life at YNAB, and then we’ll go into more detail about what we’re looking for. 

YNAB started in 2004 and we haven’t taken any outside funding—we’re established, profitable, and in this for the long haul. We have one overarching requirement when it comes to joining our team: our original Core Value Manifesto has to really click with you. If you’re nodding emphatically while reading it, you’ll probably really like it here, and we can’t wait to hear from you!

We live our Core Values every day at YNAB, and we mean it when we say we are an equal-opportunity employer. We believe that a diversity of backgrounds, abilities, beliefs, and experiences is critical to our success, and we are passionate about creating a welcoming, supportive, and collaborative environment for all employees. All are encouraged to apply as we continue to grow a smart, hard-working, and diverse team that loves working together to build something that matters.

We also work really hard, together, to make working at YNAB an amazing experience, and we’re (humbly) proud to have received many of Fortune's "great place to work" awards over the last several years. We have a team full of truly exceptional people—the kind you’ll be excited to work with. We’d love to introduce you to a few of them!

Who you’d be working with:

You’ll function most closely with Sebastian, our Head of Technology, Buffy, our Director of Engineering, and Chance, our Head of Operations. 

Sebastian oversees our technical strategy, directs research and development efforts, and leads our engineering organization. He lives in an old farmhouse in Switzerland with his partner Tina, three dogs, and nine cats. They love living in the countryside, where Sebastian continues to convince himself that handyman skills can be learned.

Buffy has been a Buffy since before Buffy the Vampire Slayer, and one of her life regrets is not buying buffy.com while she was in college. She loves a good debugging session. When she’s not cleaning up our infrastructure, she’s probably knitting socks, biking, or otherwise frolicking outdoors with her family. She’s a lifelong New Englander, so be sure to tell her you love vacationing “in Cape Cod” and then please, watch her face very carefully for a reaction.

Chance gets to obsess about building a great company and making sure that people really love their work at YNAB. He cares deeply about YNAB and the people who make it a success. When he’s not championing the YNAB team experience, you’ll find him with his family outside in Southern Utah, usually on a hike, a mountain bike, or the lake. 

Truthfully, you’ll have interactions and influence across much of the organization and probably cross paths with many at YNAB at some point. We can’t even list them all, really. But we can say that we are all excited to get to know you.

How You’ll Work at YNAB

Now that you’ve met some of your potential future teammates, let’s talk more about YNAB as a company. Here’s how we operate:

Responsibility and Empowerment

• YNAB appreciates, respects, and trusts the expertise and judgment of its people. We empower them to do what they think is right. 
• We also work collaboratively. We continuously seek the right amount of structure and unity necessary to maximize productivity. Where it makes sense, we designate someone to make a call. 
• Even though our people are right a lot, it’s okay to make mistakes here. Exploration and calculated risks are vital to velocity and growth. We freely admit when we’re wrong. If something doesn’t go as expected, we learn, bounce back, and make corrections. 
• You won’t be alone; others will be there to help, review, reassure, and back you up. We own our processes and collective outcomes as a team.

Live (Almost) Anywhere You Want

We’ve always been a fully remote team, and have people all over the world. For this role, you’ll need to be located somewhere between the Pacific Time Zone (UTC-8) and the Central European Time Zone (UTC+1). For instance, North America and most of Europe work well. Wherever you are, just make sure you have a reliable internet connection. Like, a really good one. Please.

Work Four Days a Week

We’ve adopted a four-day work week (still 100% paid!) and rarely work more than that. There are occasions and seasons where things get busy and people put some extra time in—but then we encourage them to take some extra time off, too. We work hard and smart and we care deeply about what we do, but we also love our families and about 2,000 other things. We have perspective and, ultimately, we think it makes us—and our work—even better.

Flex Your Work Schedule

We’re fully remote, so a lot of our work is done asynchronously, but we love working together in real time when it makes sense. We try to schedule most meetings between 12-3 pm Eastern time (16:00-19:00 UTC) Monday-Thursday. Outside of your meetings, we trust you to set your own schedule by balancing your team’s needs with your own needs. You don’t need to ask for permission to take off early one afternoon to see the doctor, or be “active” on Slack if you’re working deeply on a project. We look at what you accomplish—not when or how long you're in front of a computer.

Take Vacation (Seriously)

We want you to take vacation. In fact, we have a minimum vacation policy of three weeks per year. Five weeks feels about right (plus two extra weeks for our company-wide December Break). It’s important to get plenty of downtime and to get out and do something. We’ll look forward to seeing pictures of your adventures in our #office-wall Slack channel!

Meet Your Team

Some of our best work (and bonding!) is done in person. You’ll generally have the opportunity to meet with your team once or twice a year, at a small-team work-focused meetup, or at our company retreat. At the YNAB retreat, we love to catch up on spreadsheets and powerpoints in a Best Western conference room. Just kidding. (It’s actually hard to write that sentence, even knowing it’s a joke.) So far, we’ve gone to Costa Rica, a gigantic cabin in the mountains, a beach house in the Outer Banks, a ranch in Montana, Laguna Beach, and most recently, Palm Springs. We work together, play together, and reinforce the bonds we’ve made as a team and company. Every time we meet up, we leave refreshed, motivated, and excited for the year ahead together.

Up Your Game

We’re serious about helping you improve your craft. It’s one of our favorite savings categories, and it’s the most important work of our managers. Think conferences, online courses and subscriptions, dedicated time away from work to learn something new… It's really up to you and your manager. But we love to see our people grow.

Other Benefits

Our team is spread all over the world—mostly in the United States, but also in the UK, Canada, Germany, Brazil, Mexico, and several other countries. Team members who live in the US or UK are set up as employees, and those who live in other countries set themselves up as independent contractors. No matter where you live, you’re eligible for our generous paid family leave, vacation, holidays, and sick time. 

If you’re in the US, we also offer fantastic health, dental, and vision insurance, where we cover 100% of the premium for you and your family. No need to check your vision, you read that right—100%. (Although if you did need to check your vision, NBD, we’ve got you covered!) We also have a Traditional and Roth 401(k) option, where YNAB matches your contributions up to six percent, and matches vest immediately. (Are you a personal finance junkie like our founder Jesse? He set up YNAB’s 401k to have the lowest fee structure possible, where all plan costs are paid by YNAB, not your retirement nest egg. The investment funds available are fantastic, passively-managed, ultra low-cost index funds. You’re not a PF junkie? Trust us, it’s awesome.) If you’re in the UK, we also contribute six percent to your pension.

Competitive Compensation

At YNAB, we’re committed to equitable, market-driven, data-based compensation and we aim to offer a competitive benefits package to our team members. The starting salary for this role will be between $142,000 - $170,000 USD annually (with the top of that range reserved only for the most experienced candidates). If we decide to make you an offer, we’ll determine the most appropriate number based on what we know about your experience and competency for the role, and then we’ll make you our best offer and hope that you accept! If you join our team, you’ll also be eligible for a raise once a year and for our profit-share twice a year. (YNAB wins, you win—that kind of thing.)

A Few Final Tidbits

• Once you start, we DEMAND (in a friendly, ALL CAPS IS YELLING way) that you fill out your “Bucket List” spreadsheet with 50 items. (That’s harder than it sounds!) 
• We love to celebrate with you when you complete something on your bucket list—AND, we love using your bucket list as inspiration for your best birthday present(s) ever. 
• We want you firing on all cylinders, so we’ll set you up with a shiny new computer and replace it every three years.  
• Did we mention that YNAB makes a huge, positive difference in people’s lives? You may not think that matters much, but then a few months down the road, you’ll realize it’s made your job really, really enjoyable. Don’t underestimate this one!

If this sounds like your ideal environment, read on because now we want to talk about you, and how you’ll play a big part in changing people’s lives.

Now back to you, our new Security Lead....

As our Security Lead you know that safeguarding our customers, the company, and the team is critical to our success, and you’re passionate about security outcomes. You have an empathetic and pragmatic approach to driving safety and integrity.

This is a big-picture-but-also-hands-on role. As our Security Lead, you have broad technical skills in security in a SaaS context, are adept at analyzing risk, prioritizing initiatives and issues, and have the drive and experience to personally complete a comprehensive set of security tasks. You are committed to being in the day-to-day work, bold about diving into details, and willing to roll up your sleeves and engage with any security job at hand. You readily act in circumstances of less-than-perfect knowledge and know getting started is often more important than waiting for the ideal process. You also know how to balance pragmatism with process.

The big-picture part of the role comes in the form of a leadership aspect, and as our new Security Lead you have the mindset of owning security at YNAB. You’ll help us figure out what to do to keep YNAB safe and move things forward until we achieve those objectives. You are someone who can inspire with practical and effective communication.

Let’s get down to brass tacks: As we mentioned earlier, your three main responsibilities will be to ensure cybersecurity, assist Operations with compliance, and promote customer protection. Here are some possible examples of what this might look like in practice—but know that you’ll also help us shape this role and determine what’s most important to focus on.

To ensure cybersecurity: 

• Risk Assessment and Mitigation: Regularly conduct risk analyses to identify and prioritize potential security threats and develop strategies to mitigate these risks. Prepare for possible threats that could disrupt operations. 
• Incident Response and Management: Own the response to any security breaches or incidents, including analysis, containment, postmortems, and prevention of future occurrences.
• Collaboration and Communication: Work closely with different teams, including product management, engineering, operations, marketing, and customer support, to ensure a unified approach to security.
• Secure Systems Consultation: Act as a primary internal consultant for designing and implementing secure systems. For example, working with Operations/IT to ensure we have configured our internal business applications correctly and securely or researching and recommending cloud providers for security-sensitive areas like identity management or account provisioning. 
• Security Awareness and Training: Educate and train teammates on security best practices and evaluate and recommend practical internal training materials. 
• Monitoring and Reporting: Continuously monitor the security landscape, analyze security logs, and report on security health and incidents. 
• Intrusion Prevention: Investigate intrusion and account takeover attempts and recommend infrastructure improvements to make subsequent tries easier to identify and block. 
• Security Tooling and Automation: Recommend, implement, and manage security tools and automation to enhance security efficiency and effectiveness. For example, a Security Information and Event Management (SIEM) system that’s appropriate for a fully remote SaaS company. Find the right balance between usefulness and intrusion on employees.
• Continuous Improvement: Regularly review and update security policies and procedures to adapt to new threats and technological advancements. Seek to make them truly useful rather than just checking a box, and find ways to be ever more effective while less intrusive.
• Advocate for Security Initiatives: Champion new security initiatives that align with YNAB’s business objectives, ensuring that security considerations are part of the decision-making processes.
• Triage Security Reports: Monitor and process incoming security messages, for example, from a security email box or our Bug Bounty program. Assess urgency and importance and prioritize responses according to severity.
• Outside Entity Coordination: Respond to security questionnaires from potential vendors. Evaluate and coordinate with external vendors for things such as performing penetration testing, and help distinguish between marketing fluff and actual value. 

To assist with compliance, in partnership with Operations: 

• Regulatory Compliance Management: Ensure YNAB’s practices align with relevant regulations such as GDPR, CCPA, or other data protection laws applicable to YNAB’s operations. 
• Compliance Framework Implementation: Integrate compliance frameworks like ISO 27001, SOC 2, or other industry-specific standards into YNAB’s security practices—in ways that genuinely make YNAB more secure.
• Policy Development and Review: Create and regularly update internal security policies to comply with changing regulations and best practices and make policies YNAB-useful rather than boilerplate.
• Compliance Audits and Assessments: Conduct assessments to identify areas of non-compliance and rectify them in a YNAB-thoughtful way. Go toe-to-toe with external auditors and vendors to explain why we may do things differently at YNAB and why that’s sufficient.
• Vendor and Third-Party Management: Evaluate and ensure that third-party vendors and service providers adhere to necessary compliance standards.

To promote customer protection: 

• Promote Secure Customer Behavior: Help improve our systems that assist customers in avoiding bad or breached passwords, encourage the use of two-factor authentication, and resist phishing schemes and self-XSS attempts. 
• Data Protection and Privacy Responses: Help respond to GDPR/CCPA requests and field internal and external questions regarding the treatment of sensitive data. 
• External Policies: Keep our public-facing security and privacy policies and information up to date, meaningful, and helpful to customers. 

That’s a whopping twenty bullets! Want fewer words? You’re amazingly genuine and genuinely amazing, and with your direct help and leadership, our product, organization, and customers will stay safe. 

How to Apply

• Apply here by Sunday, March 17th @ 11:59pm PST. 
• Here’s an overview of the application process:
  • We anticipate the application may take you 90 minutes or more to complete. We'll do our best to make the process enjoyable (as much as filling out a job application can be 😉).
  • We’ll ask you 29 questions (including 9 that are optional, and many multiple-choice), across these general areas:
    • Your contact information and location
    • A simple summary of your education and work history
    • Your familiarity with various security topics and technologies
    • Responses to a short questionnaire so we can get to know you better
  • We mean what we say. There are no trick questions, you can take everything at face value, and if we say something is optional (even your resume is optional!), we mean that you truly won’t be penalized for leaving it blank.
  • There’s no need to finish it in one session. You can always start your application, and then click the “Save application for later” link at the bottom to—you guessed it—finish it up later. (Before the application deadline, please!)
  • A real person will review your application, and we'll get back to you regardless of the outcome. 

A few final notes:

• Here is an overview and rough timeline for our full hiring process. It’s rigorous, but we also hear that it’s fun (truly!). We enjoy getting to know you throughout, and we make sure you have plenty of chances to get to know us, too. 
• Our goal is to make our hiring process as accessible as possible. If we can help you with an accessibility need, email us at accommodations@ynab.com and indicate in the subject line that you’re applying for the Security Lead job. (Please note that we can only respond to messages related to accommodations at this email.)

We’re excited to hear from you!

P.S. If you’re not interested in this position right now, but know someone who might be, we’d appreciate you passing this along!