• Technical: First and foremost, a strong grasp of computer science and a deep technical understanding of Cloud Security and Network Infrastructure.
• Communicative: Candidate needs to have good communication skills and must be able to drive security awareness, training and best practices within teams.
• Collaborative: Candidate needs to be able to collaborate with architects, developers, and non-technical stakeholders to drive security solutions across the organization.
• Respected: Candidate should have a good track record as a security professional in the industry. They will be expected to establish trust and respect with the network service development teams.
• Growth Mindset: The world of security is highly dynamic, and IBM is a company that thrives on innovation and maturation. Our Security and Compliance Focal must possess a growth mindset to keep up with the ever-changing security landscape and must seek opportunities to increase their breadth and depth across security topics. They must also be able to recognize opportunities to automate to drive efficiency.
Your Role and Responsibilities
As a Security & Compliance Engineer, you will work as part of a team responsible for deploying, supporting and reporting on security solutions designed to achieve corporate and regulatory compliance across multiple IBM Security products. This requires experience working in a compliance role in an IaaS/PaaS/SaaS organization and deep knowledge of security auditing and compliance tools such as Nessus, BigFix, etc.
The Security & Compliance Engineer will assist in security audits performed by third parties, which requires a working knowledge of the ISO 27001 standard. They will help design, and work within, the security architecture that spans the DevOps life cycle through to the operations and management teams. They will also need to troubleshoot and resolve issues in Dev, Test and Production environments, and engage other business units to drive deployment and maintenance initiatives. They will collaborate with other teams to identify areas of need or improvement opportunities, and utilise scripting tools to streamline deployment, configuration and compliance activities.
Expertise:
- System Administration – have an in-depth knowledge of administrative commands to manage operating systems and applications in a secure manner (e.g. knowing what commands to run to check on patch status and apply new patches)
- Access Management – understand the concepts of need to know, least privilege, individual accountability, privileged access monitoring, access revalidations, etc. and ensure your service implements them. Know to avoid the use of shared IDs, excessive privileges, weak passwords, etc.
- Patch Management – know how to keep your systems up to date with patches as required to ensure that your service is always running on supported operating systems
- Vulnerability Management – be able to regularly scan your systems and remediate any vulnerabilities found within required time frames
- Inventory Management – ensure that the list of assets under your control is properly registered in its system of record
- Data Protection – understand the types of data your services deal with and have measures in place to protect that data (e.g. encryption in transit and at rest, locked down file permissions, etc.)
- Configuration Management – understand how to securely harden a system or application upon deployment
- Health Checking – know how to check that a system/application is configured correctly on an ongoing regular basis and remediate any issues within required time frames
- Logging & Monitoring – ensure there is a process to store key logs, with integrity controls that protect those logs from tampering, and a separate process to independently monitor those logs for any unusual activity
- Change Management – understand and follow the discipline of change management to ensure that changes to systems, applications and environments are properly planned and vetted to avoid disruption to their service
- Business Continuity – understand what business continuity requirements are necessary in your organization and actively participate in ongoing business continuity planning
- Risk Management – understand where there are gaps in compliance or areas of risk that need to be analyzed and addressed either by remediation activities or formal Risk Evaluations to ensure mitigation, executive awareness, and approval
- Audits – be prepared to support audits by providing evidence or being interviewed as required
- Common Attack Patterns – know the common attack vectors facing the industry (e.g. the CWE Top 25 or OWASP Top 10); be able to describe an attack, give a generic example of the payload, describe what successful exploitation and its impact look like, and state the best-practice remediation
- Certifications / Credentials – CISSP (preferred), CCNP/CCIE (preferred), CCSP, CISA/CRISC/CISM.
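The Common Attack Patterns bullet above asks for exactly the kind of walkthrough an interviewer would expect: the attack, a generic payload, what successful exploitation looks like, and the remediation. The following is an added example (not part of the IBM posting) that does this for SQL injection (CWE-89, OWASP Top 10 "Injection") in Python against an in-memory SQLite database. The `users` table, the function names and the payload string are constructed for illustration; the vulnerable function deliberately concatenates untrusted input into the query, and the hardened function uses a parameterized query, which is the standard remediation.

```python
import sqlite3

# Constructed sample data: a small users table so the example runs offline.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Generic tautology payload: closes the string literal, then appends an
# always-true condition so the WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"


def build_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: untrusted input is spliced into the SQL text.

    With PAYLOAD the query becomes
      SELECT username, role FROM users WHERE username = '' OR '1'='1'
    and returns every row instead of at most one.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Remediation: a parameterized query. The driver sends the value
    separately from the statement, so the payload is treated as a literal
    username and matches nothing."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run the payload through both versions and return the results so the
    impact (full table disclosure vs. no match) can be compared directly."""
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "hardened": lookup_hardened(conn, PAYLOAD),
        "normal": lookup_hardened(conn, "bob"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} -> {rows}")
```

Running it shows the vulnerable lookup returning all three users (including the `admin` row) for a payload that should match nobody, while the hardened lookup returns an empty list for the same input and still returns the single expected row for a legitimate username. The same shape of answer (payload, observed impact, fix) is what the bullet asks a candidate to produce for each pattern on the list.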
Required Technical and Professional Expertise
- 6 to 8 years of overall industry experience, with a minimum of 3 to 5 years as a security focal/lead.
- Demonstrated experience in successfully driving and executing compliance programs for common IT security standards/regulations: SOC1/2/3, ISO27K, HIPAA, PCI, FBA (formerly FFIEC), FedRAMP, GDPR, etc.
- Strong familiarity with the OWASP Top Ten, NIST, CIS and MITRE ATT&CK.
- Must be able to recognize opportunities to automate to drive efficiency.
- Expert knowledge and understanding of offensive cybersecurity operations and defensive integrations, including enumeration and exploitation of various cloud-based technologies and development of secure applications.
Preferred Technical and Professional Expertise