Principal Engineer, Security
Klaviyo · Boston, MA · 2 wk ago
Information TechnologyFull-time
What You'll Do
- Define and own Klaviyo's infrastructure security architecture: IAM frameworks, service-to-service auth, secrets management, network segmentation, and production access controls, designed to scale with our multi-tenant, multi-region footprint.
- Build and maintain security guardrails as IaC modules; codify controls into golden paths that teams inherit automatically so security improves with velocity, not against it.
- Own the vulnerability management program: SLO-backed triage and remediation, trend tracking, and systemic fixes, turn recurring vulnerability classes into solved engineering problems.
- Define the security SLO and compliance framework for production infrastructure; run readiness reviews, communicate posture clearly to engineering and exec stakeholders.
- Author security ADRs and RFCs; partner with the Core Infrastructure PE to embed security controls in CI/CD pipelines, paved roads, and the observability stack.
- Lead threat modeling and security design reviews for high-risk architectural changes, accelerate delivery by making reviews lightweight and high-signal.
- Partner with SRE, AppSec, and FinOps on cross-cutting initiatives: zero-trust progress, GDPR/compliance guardrails, and audit readiness for SOC 2/ISO 27001.
- Write high-impact code, automation, and tooling; mentor Staff and Senior security engineers across teams through design pairing, code review, and example.
- Transform workflows by putting AI at the center, building smarter systems and ways of working from the ground up.
Who You Are
- Experience: 10+ years in infrastructure or platform security engineering, with a track record of shipping security improvements that measurably reduced risk or improved compliance posture at scale.
- Technical depth: Deep in cloud infrastructure security (AWS/GCP IAM, service mesh mTLS, secrets management, network defenses); you architect and ship production controls, not just audit them.
- SLO and compliance rigor: You define security SLOs, track MTTR for vulnerabilities, and communicate risk posture clearly; you translate security work into business language that non-security stakeholders act on.
- Developer-centric mindset: You build tools and guardrails that other engineers adopt because they make their work easier—not because they're required to.
- Cross-org influence: You align teams through threat models, security reviews, and IaC guardrails; you earn credibility via code, design quality, and clear reasoning, not title.
- Operational excellence: You've been on-call for security incidents. You write runbooks, lead readiness reviews, and treat recurring vulnerabilities as systemic engineering problems.
- Communication: You write crisp ADRs and RFCs, run effective security design reviews, and translate risk exposure into decisions business stakeholders can act on.
- AI tools and automation: You've brought AI into security engineering, automated threat detection, intelligent vulnerability triage, AI-assisted compliance checks, or security copilots—with explicit guardrails and audit trails.
- You've already experimented with AI in work or personal projects, and you're excited to dive in and learn fast. You're hungry to responsibly explore new AI tools and workflows, finding ways to make your work smarter and more efficient.
Nice to Haves
- Experience with zero-trust architecture and progressive access control in a large multi-tenant SaaS environment.
- Deep familiarity with enterprise compliance frameworks (SOC 2, ISO 27001, GDPR) and the infrastructure controls that underpin them.
- Track record of embedding security tooling into CI/CD and IaC pipelines adopted org-wide.
- Experience securing AI/ML systems: model access controls, data privacy guardrails, and agentic system security boundaries.