Director, Attack Surface Management (Information Security)

Company Introduction 

We exist to wow our customers. We know we’re doing the right thing when we hear our customers say, “How did we ever live without Coupang?” Born out of an obsession to make shopping, eating, and living easier than ever, we’re collectively disrupting the multi-billion dollar e-commerce industry from the ground up. We are one of the fastest-growing ecommerce companies that established an unparalleled reputation for being a dominant and reliable force in South Korean commerce.

We are proud to have the best of both worlds — a startup culture with the resources of a large global public company. This fuels us to continue our growth and launch new services at the speed we have been since our inception. We are all entrepreneurial surrounded by opportunities to drive new initiatives and innovations. At our core, we are bold and ambitious people that like to get our hands dirty and make a hands-on impact. At Coupang, you will see yourself, your colleagues, your team, and the company grow every day. 

Our mission to build the future of commerce is real. We push the boundaries of what’s possible to solve problems and break traditional tradeoffs. Join Coupang now to create an epic experience in this always-on, high-tech, and hyper-connected world.

Job Overview

Our Why:  We exist to protect a way of life that many people have come to rely on.  We protect the small business that relies on Coupang to be able to open their doors every day.  The customer trust in protecting their PII fiercely.  Also, our fellow employees and their data as they come to work every day being proud to work for Coupang.

We exist to be thought leaders and help the industry and government partners.  To come to work focused on outcomes and not egos, and to head home at the end of a day with a sense of pride with what we accomplished together as a team.  Our why drives everything that we do. 

As our Director over Attack Surface Management, you will be responsible for building a new program that combines our existing control assessment functions with a proactive approach to Attack Surface Management leveraging modern toolsets around data identification, system scanning, cloud management, and internal automation across all possible systems from endpoint to cloud. 

This is a new function being created to address the unique challenges of the eCommerce space of a global company.  You will need a proven track record of building successful programs, inspiring and developing teams, with the ability to work across levels and organizations with autonomy.   

You will be a technical subject matter expert that has expert working knowledge in IR, investigation and hunt techniques, root-cause security issues, quickly assessing the potential threats, and educating other members of the broader team. 

Key Responsibilities

Responsibilities will include, but not be limited to, the following: 

• Ability to consume large datasets to ensure that risks are identified in a timely manner.
• Visualize process architecture and make accurate decisions in rapidly evolving situations.
• Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support ASM program goals and objectives.
• Design and documentation of processes.
• Act as the SME on the ASM program for the Proactive Security
• Identify opportunities for improvement to the organizations ASM program both in terms of process and tools used.
• Ensures the development of the ASM Team in terms of capabilities and maturity.
• Manages the ASM interface into enterprise or cyber security initiatives ensuring quality of service to stakeholders.
• Engage with stakeholders within different parts of the business to communicate technical topics to non-technical stakeholders.

Qualifications

• Knowledge of computer networking concepts and protocols, and network security methodologies.
• Knowledge of national and international regulatory compliances and frameworks such as NIST Cybersecurity Framework, ISO 27001, EU DPD, HIPAA/HITECH
• Knowledge of cyber threats and vulnerabilities.
• Knowledge of threat vectors and how they would contribute to risk-based decision making in assessing vulnerabilities.
• Knowledge of specific operational impacts of cybersecurity lapses.
• Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists).
• Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).
• Knowledge of Vulnerability criticality rating methodologies
• Cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).
• Cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
• Network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
• Cloud technologies and platforms.
• Risk-based vulnerability methodologies.
• Business processes in relation to how Cyber Security Operations can impact on these.
• An understanding of how the organizations attack surface influences 3rd party organizational assessments.
• Experience with Vulnerability scanning tools like Qualys, etc
• Experience working in a fast-paced international enterprise
• Masters degree or equivalent practical experience

Preferred Languages and Certifications

• CISSP
• CISM
• CEH
• OSCP
• English, Korean, and Mandarin

Recruitment Process & Others

Recruitment Process  

• Application Review - Phone Interview - Onsite (or Virtual Onsite) Interview – Offer 
• The exact nature of the recruitment process may vary according to the specific job and may be changed due to scheduling or other circumstances. 
• Interview schedules and the results will be informed to the applicant via the e-mail address submitted at the application stage. 

Details to Consider  

• This job posting may be closed prior to the stated end date for application if all openings are filled.    
• Coupang has the right to rescind an offer of employment if a candidate is found to have submitted false information as part of the application process.    
• Coupang does not discriminate against disabled applicants or those with veteran status. We are proud to offer equal opportunities for all applicants. 
• Job titles and responsibilities may be subject to change depending on the candidate’s overall experience, etc. This will be communicated to the candidate at the appropriate time before the offer.

Privacy Notice  

• Your personal information will be collected and managed by Coupang as stated in the Application Privacy Notice located below. 
• https://www.coupang.jobs/en/privacy-policy/

Document Return Policy 

• This notification is given pursuant to Article 11 (6) of the Fair Hiring Procedure Act.  
• A job applicant, who has applied but not been finally selected for a position at Coupang (the “Company”), may request the Company to return his/her hiring documents submitted pursuant to the Fair Hiring Procedure Act.  However, this will not apply where the hiring documents were submitted via the website of the Company or e-mail, or where the job applicant submitted those documents voluntarily without a request from the Company.  In addition, if the hiring documents were destroyed due to a natural disaster or any other reasons not attributable to the Company, such documents will be deemed to have been returned to the job applicant. 
• A job applicant who wishes to request the return of his/her hiring documents pursuant to the main sentence of paragraph 2 above should fill out a “Request for Return of Hiring Documents” [Annex Form No. 3 in the Enforcement Rule of the Fair Hiring Procedure Act] and submit the request to the Company (Coupang Recruiting Team, Tower 730, 570 Songpa-daero, Songpa-gu, Seoul). In such case, within fourteen (14) days from the date of identifying the receipt of the request, the Company will send the hiring documents to the job applicant’s designated address via registered mail.  Please be informed that the job applicant is required to pay the postage on the registered mail. 
• In preparation for a job applicant’s request for the return of hiring documents pursuant to the main sentence of paragraph 2 above, the Company shall retain the original hiring documents submitted by the job applicant for 180 days from the completion of the recruiting process.  If no request is made until the end of this period, all of his/her hiring documents will be destroyed immediately in accordance with the Personal Information Protection Act.