Compliance & Security Engineer

Beast Industries is a multifaceted media and entertainment company founded by Jimmy Donaldson, popularly known as MrBeast, the most watched person in the world. Renowned for revolutionizing digital content creation, Beast Industries encompasses a diverse portfolio of ventures that extend far beyond its origins on YouTube. With a mission to entertain, inspire, and create significant social impact, Beast Industries operates across various domains including digital media, philanthropy, consumer products, and innovative business initiatives. At Beast Industries, we believe in the transformative power of digital media and its potential to entertain, educate, and effect positive change. Our commitment to innovation, creativity, and philanthropy drives us to explore new frontiers, create unforgettable experiences, and build a legacy that inspires future generations.

Primary: Bay Area (San Francisco / Peninsula)   |   Secondary: NYC

We're doing an AI-first engineering rebuild for a company that already has an audience of 100M+ people. This is a zero-to-one build with no legacy constraints, which means you get to stand up the security and compliance foundation correctly from the start. The stakes here are concrete: Step handles money and serves minors, Feastables carries consumer and supply-chain data, and the media business ships fast and constantly. You're here to make regulated products shippable without slowing them down.

You'll be a single principal-level IC bridging two disciplines that usually live on separate teams: security engineering (threat modeling, vulnerability management, hardening, incident response) and compliance engineering (control design, audit evidence, framework mapping across SOC 2, PCI DSS, COPPA, and privacy law). That means:

• Own the security architecture and the technical compliance posture across Step, Feastables, and the media org.
• Build one control framework, with each control mapped to the regulation it satisfies (PCI DSS, COPPA, GDPR/CCPA, SOC 2).
• Make compliance continuous by automating evidence collection and control monitoring, not a once-a-year scramble.

• →Set the security standards other engineers build against across cloud infrastructure, applications, and data systems.
• →Lead threat modeling and security reviews for high-risk products, especially Step's payment and account systems and anything touching minors' data.
• →Run the vulnerability management program and drive remediation to closure with the teams that own the systems.
• →Build and own incident response: detection, playbooks, escalation, post-incident review, and breach-notification readiness.
• →Act as technical lead during PCI DSS and SOC 2 audits, and represent Beast with auditors, regulators, and partners.
• →Translate regulatory requirements into engineering work teams can act on, and advise leaders on risk tradeoffs in plain terms.
• →Define secure-by-default patterns and paved paths so most teams meet requirements without one-off review.

• AI-Native: You're already using AI daily and bringing it into security work where it earns its place, from automation to evidence pipelines.
• Security + Compliance Hybrid: Around 15 years of combined security engineering and compliance experience, with proven ownership of PCI DSS and SOC 2 in production, from control design through a successful audit.
• Applied and Hands-On: Strong cloud security (AWS/GCP), application security, threat modeling, and incident response, with the ability to read and reason about code.
• Trusted on Risk: You say no clearly when risk warrants it and explain the tradeoff in terms the business can act on, you treat minors' data and customer money as the highest bar, and you influence through evidence, not title.

Working knowledge of privacy and minor-protection regulation (COPPA, GDPR, CCPA) and how it maps to technical controls. Bonus points for fintech or payments experience (money movement, KYC), security automation and infrastructure-as-code (Terraform, policy-as-code), relevant certifications (CISSP, CCSP, OSCP), and standing up a security or compliance function from an early stage.