Director of Security

Our mission at Electric Coin Co. is to empower economic freedom, and to that end, we created and launched the Zcash digital currency in 2016. Today — along with other independent teams and developers — we continue to support the Zcash community through product development, awareness and adoption, and cutting-edge research initiatives. Electric Coin Company also engages in a variety of media and social media channels to communicate with a wide audience, educate, maintain transparency, and broadcast our message to the world.

Zcash and ECC have an enviable reputation for security assurance and for the thoroughness of our responses to past security issues. But as Zcash's market cap increases, so do the risks and potential attention from adversaries.

We are seeking a Director of Security to take responsibility for overseeing and improving the following processes within ECC:

• Working with the team leaders and engineers to maintain and further improve the high standards of security and resilience that ECC and Zcash's protocols and software have come to be known for.
• Administering and improving the security incident response process within ECC. You will be responsible for managing effective, quick, and thorough responses to security vulnerabilities discovered in our software, supply chains, and infrastructure, interacting with external security researchers who may have found vulnerabilities and representatives of other projects that may be affected. This includes ensuring that staff are familiar with the security incident response process.
• Communicating security flaws and their mitigations —with precision, timeliness, actionable information, and the appropriate degree of reassurance— to the Zcash and wider cryptocurrency and infosec communities. You will choose whether and how to respond to instances of misinformation about Zcash's security properties.
• Building and maintaining our relationships with other projects that share Zcash technology, to improve on and surpass industry-standard security disclosure processes in the cryptocurrency space.
• Creating and managing relationships with external providers of security assessments. Working with the Director of Research and Assurance, you will find suitable external auditors for implementation and specification audits, schedule audits, provide auditors with the information they need to be most effective, critique and validate their work, and ensure that they are properly incentivized to provide value. You will expand on any themes arising from these assessments, continuously using the feedback to develop and advocate for appropriate security within the company.
• Helping ECC's staff with advice and resources to secure their computing devices, and to respond to physical and virtual threats against their safety and that of their families, their wealth, and their other possessions. This includes responding to attacks against ECC staff for which the security incident response process may not be best suited.
• On-boarding new staff to relevant security procedures, ensuring that they are able to quickly get up-and-running with the permissions they need and the knowledge to use them securely. You will also administer off-boarding processes to mitigate the risk of past employees' and contractors' access being misused.
• Directing the maintenance and acquisition of security-relevant infrastructure, devices, and software. You will be responsible for budgeting our security spend each year, taking into account the product and company roadmaps.
• Documenting and keeping track of security policy; and maintaining procedures to ensure that actual permissions match intended permissions, consistent with the principle of least privilege while also avoiding unnecessary obstacles to getting work done. You will directly assist and support in the secure use of cloud computing solutions in our infrastructure.
• Ensuring compliance with applicable security-related regulatory requirements, such as data protection law.
• Working with the Engineering Team and Q.A. lead on processes, techniques, and training to head off bugs before they happen. Overseeing the development of proactive mitigations and countermeasures to reduce the risks from software, protocol, infrastructure, and supply chain vulnerabilities.
• Collaborating with ECC's Director of Research and Assurance to ensure that we use the most effective, up-to-date techniques to improve the assurance of our cryptographic code and to limit the leakage of information about user activities.
• In collaboration with the Director of Engineering and the Director of Research and Assurance, helping to prioritize security mitigations relative to other activities. This will include refining processes to reduce the resources spent on issues with no impact, or only trivial and well-understood impact.
• Reviewing the backlog of security issues that have been raised to determine whether each was properly resolved, or whether it should be re-prioritized.
• Helping to develop and maintain specifications to enhance, document, and support security analysis of the Zcash protocol, either led by ECC or in collaboration with third-party developers.
• Maintaining awareness of developments in the wider Zcash community, to ensure that ECC's efforts are complementary to, and able to take advantage of those developments.
• Recruiting and onboarding new top-tier talent to security-focused roles.

The Director of Security will work alongside the Director of Research and Assurance and the Director of Engineering. To clarify the boundaries of these roles:

• The Director of Security is primarily responsible for security incident response, and will also act as an internal adversarial party by attempting to discover flaws in Zcash specifications and the software that implements them.
• The Director of Research and Assurance is primarily responsible for ECC's contributions to research, protocol design, specification, and long-term security assurance of the Zcash protocol.
• The Director of Engineering is primarily responsible for development of the Zashi and Zallet wallets and their supporting code in the Zcash core libraries, and also the allocation of ECC engineering resources when needed to improve third-party software such as the Zebrad consensus node and the Zaino chain indexer.

• A commitment to our users' privacy, and to the cypherpunk ethos of empowering freedom and autonomy by making secure, well-designed cryptography more widely accessible.
• ECC development is fully distributed with team members from Europe to the Americas to New Zealand, so you will need to be confident in working internationally across different contexts and time zones. In particular, although no-one can be available all of the time, you will need to take account of the fact that adversaries may time attacks for maximal inconvenience.
• Experience with open-source software development and overseeing the security aspects of implementing protocols to detailed specifications.
• Deep knowledge of cryptography is not required, but is highly desirable. A willingness to learn about cryptographic issues is essential.
• This is a management role, but we would expect a Director of Security to also have hands-on experience with developing secure and reliable code in modern programming languages similar to Rust, Swift, Kotlin, and Go.
• Strong communication and collaboration skills, with the ability to work effectively with cross-functional teams and external partners.
• The ability to work to deadlines and to hold themself accountable for short- and long-term success.
• Excellent leadership skills, with a talent for building consensus and fostering a collaborative environment.
• Ability to make crucial, informed decisions under pressure, upholding the security and privacy interests of Zcash users and ECC staff.

• Blockchain-related experience is strongly favoured. Smart contract experience is beneficial to the extent that it provides perspective on secure design when Zcash interacts with other ecosystems.
• Administering or participating in security response processes.
• Cryptography and protocol design (we will also teach you on the job).
• Security analysis of protocols or algorithms; formal methods; high-assurance software or hardware development.

The recruitment process for this role will involve up to three interviews:

• An initial interview to gauge high-level skills fit, culture fit, and answer any initial questions about ECC or the role.
• A technical interview with Engineering Team members and the Director of Research and Assurance. You will be asked about previous work and what you can bring to the role, and will be expected to analyze and explain how you would have handled a past security issue as Director of Security.
• A final interview with ECC's CEO.

What We Offer

• Flexible, remote-first work culture from anywhere in the world;
• Semi-annual company-wide off-site meetups across the globe;
• Competitive compensation plus ZEC token bonus pool;

• For full-time employees based in the U.S.:

• Full benefits (medical, vision, and dental) with premiums paid 100% by ECC;

• Annual employer HSA contributions;
• Paid Time Off and Vacation policy.

Electric Coin Co. is an equal-opportunity employer. We encourage applications from candidates of all backgrounds, nationalities, and experiences.