Do you work well between a ROC and a hard place?

You think so, huh? Well...

  • Do you have the enthusiasm to tear apart firewall rulesets, application code or server configurations?
  • What about the patience to explain to management why they should care about securing each of those?
  • Can you think expansively enough about the big information security picture for an entire organization?
  • How about focus like a laser on a single troublesome issue?

Locations: Brookfield, WI; San Francisco, CA; Telecommute

About the Position

Leave behind what you think you know about PCI assessors; we’re not checklist auditors wearing blinders. We’re hackers and developers and sysadmins; we’re security professionals first, compliance assessors second, and we have a lot of experience doing this.

As a Qualified Security Assessor (QSA), you’ll be:

  • Helping clients meet their compliance obligations by evaluating their business, technology and operations against security standards like the PCI DSS or HIPAA.
  • Sharing your expertise to help make top-level decisions on topics like strategy and scope as well as deep and highly technical projects like web application architecture and security.
  • Providing clear, organized findings and recommendations to clients and tracking progress towards resolution and compliance.
  • Producing detailed, high-quality reports for clients and industry third parties like payment card brands and the PCI Security Standards Council.
  • Learning from our close-knit group as well as contributing your thoughts, tools, industry news or lessons learned.
  • Making this all look easy by juggling several concurrent projects at any given point in time.

As a Payment Application Qualified Security Assessor (PA-QSA), you’ll be:

  • Helping software developer clients implement practices to produce secure applications and find and crush security vulnerabilities before the bad guys can take advantage of them.
  • Picking apart payment software with packet sniffers, debuggers, process monitoring utilities and maybe even a few tools you write yourself.
  • Testing applications for security vulnerabilities while providing clear, coherent explanations of your findings and recommendations to fix the issues.

Ideally, you’ll:

  • Have previous experience consulting, either within your place of employment or for outside clients.
  • Truly comprehend information security principles and apply them practically.
  • Feel at home installing and operating a variety of UNIX or Linux systems. Familiarity with OS/400 or its ilk is a plus.
  • Understand code or script. Ruby and Python are nice, but it’s more about concept than actual language.
  • Comfortably present security concepts or findings to both highly technical and entirely non-technical audiences.
  • Have paid enough attention in English class to write clearly and well. If you slept through classes, but figured it out later, that’s okay too. But we’re serious about writing well.

You’ll get a gold star if you:

  • Have payment card (PCI DSS, PA-DSS, P2PE, PFI), financial (GLBA, SOX, SSAE 16) or health care (HIPAA/HITECH) experience.
  • Understand database security or cryptography really well.
  • Know about forensic analysis or incident response.
  • Are professionally, or willing to get, certified (while certifications don't indicate competence, they do reflect professionalism and a minimum knowledge level) in any of the following:
    • Security and IT certifications (e.g., CISSP, GIAC, CISA, etc.)
    • Technical certifications (e.g., MCSE, CCNA, etc.)
    • Related industry certifications (e.g., QSA, PA-QSA, ISA, PCIP)
  • Speak a language besides English fluently (you still need English, though). Bonus points if you have a valid US passport and know as many IATA airport codes as you do technology acronyms.
  • Participate in relevant professional organizations like OWASP, InfraGard, ISACA or the like.

Please don’t apply if you:

  • Are a blowhard.
  • Hate PCI.
  • Think it’s okay to illegally access other people’s computer, networks or user accounts.

How to Apply

Curious? Drop us a note at with:

  • A taste of your personality.
  • A copy of your résumé.
  • A reason to ask you to work with us.