
Twilio
About the job
We are seeking a Technical Security Risk Lead to drive security risk assessments, collaborate with engineering teams, and enhance our technical risk posture. This role is ideal for someone with security engineering expertise who can evaluate risks in cloud environments, infrastructure, applications, and security controls. Rather than focusing on enterprise risk frameworks, this role emphasizes technical security risk management to protect Twilio’s systems and data.
Responsibilities
In this role, you’ll:
- Lead technical security risk assessments across infrastructure, cloud, and applications, applying a risk-based approach to prioritize findings and drive actionable mitigation strategies aligned with business objectives.
- Partner with R&D to assess risks in architecture, infrastructure, and SDLC, providing security guidance in Agile and DevSecOps to ensure security by design and compliance.
- Evaluate and implement automated security tools that identify and mitigate risks at scale.
- Develop and refine threat modeling frameworks, leveraging industry standards like STRIDE, PASTA, and MITRE ATT&CK to strengthen risk management and align with our risk landscape.
- Assess the effectiveness of security controls and recommend improvements based on penetration testing, vulnerability scans, and attack surface management, collaborating cross-functionally to ensure actionable and sustainable remediation.
- Use data analytics and risk modeling to assess security risks, translating insights into business terms to guide executive decision-making.
- Define and prioritize risk treatment plans, working with stakeholders to implement mitigating controls and risk reduction strategies while maintaining a clear risk register to ensure timely mitigation and escalation of high-impact risks.
- Develop reports and presentations that translate technical risks into actionable insights for leadership, and communicate effectively with both technical teams and non-technical executives to simplify complex risk scenarios.
- Partner with internal teams to align on security best practices and mitigate identified risks while acting as a security advocate to ensure security is an enabler, not a blocker.
Qualifications
Not all applicants will have skills that match a job description exactly. Twilio values diverse experiences in other industries, and we encourage everyone who meets the required qualifications to apply. While having “desired” qualifications makes for a strong candidate, we encourage applicants with alternative experiences to also apply. If your career is just starting or hasn’t followed a traditional path, don’t let that stop you from considering Twilio. We are always looking for people who will bring something new to the table!
Required:
- 5+ years of experience in security engineering, security architecture, or technical security risk assessment.
- Strong understanding of network security, cloud security (AWS, GCP, Azure), identity & access management (IAM), and secure coding practices.
- Experience with threat modeling, security control evaluations, security risk quantification, and conducting risk assessments to identify, prioritize, and implement effective risk treatment strategies.
- Proficiency in security risk frameworks, security automation, and tooling.
- Hands-on experience implementing security frameworks such as MITRE ATT&CK, NIST 800, and CIS Benchmarks.
- Ability to work cross-functionally with engineering, security, and compliance teams to improve risk posture.
- Excellent verbal and written communication skills, with the ability to translate technical risks into business impact.
Desired:
- Bachelor’s degree in Cybersecurity, Computer Science, or a related field.
- Industry certifications such as CISSP, GCP, AWS, CRISC, CCSP.
- Previous experience conducting technical risk reviews for software products and cloud environments.