|The successful candidate will demonstrate our Corporate Guiding Values of Integrity, Consumer Advocacy, Teamwork, Development, Quality and Performance in all areas of their work. The Information Security Engineer is responsible for safeguarding computer networks and systems. This includes designing, engineering, and maintaining information security technology tools and platforms, planning and carrying out security measures and activities, monitoring and protecting sensitive data and systems from infiltration and cyber-attacks, keeping abreast of the security landscape and relative security stance, and executing defensive strategies. |
The Information Security Engineer is a technical role within the Information Technology Security team, focused on identifying, designing, implementing, and operating key technologies across the security space. These technologies include vulnerability scanning, mail security, intrusion detection and prevention systems, data loss protection, endpoint protection, identity and access management, identity governance and administration, mobile device management, SIEM platforms, multifactor authentication, and more.
The Information Security Engineer reports to the Chief Information Security Officer and implements and executes the information security plans for the organization. The engineer will work closely with the infrastructure, architecture, application development, product management, business teams and external 3rd parties to execute technology tasks, and partner with the project management groups to ensure alignment to security principles, policies, and best practices.
- Work with the CISO to develop, publish and maintain information security plans, policies and procedures
- Mentor others across the organization by leading and influencing technical decisions, processes, and best practices with an ability to explain technical concepts in written and verbal forms
- Advise in, and participate in, the design of secure products and architectures
- Perform architecture security reviews, security focused code reviews, and security testing
- Work closely with development, quality assurance, and product, and other teams to design and implement security-related systems and functionality, including writing secure code as necessary, and verification of threat models, risk and security posture
- Monitor software usage and perform forensics to verify that the software is performing to the required security standards
- Perform constant monitoring and awareness of key developments in the area of web and client application security in order to provide direction of security trends, and anticipate emerging standards and best practices
- Communicate to senior management by demonstrating strong skills in presenting technical concepts in business terms
- Partners with architecture for design and review of projects with respect to adherence to security policies, standards, and best practices
- Tests for vulnerabilities by conducting periodic scans of networks, executing penetration testing, and other offensive strategies
- Monitors networks and systems for security breaches or intrusions; manages and improves the SIEM platform
- Leads incident response to investigate breaches and minimize impact; leads technical forensic investigation into how the breach happened, articulate extent of the exposure, and how to prevent it from happening
- Prepares reports of security performance, activities, incident findings, and other security related outputs and presents to management
- Liaise with Internal Audit to support internal and external audits
QUALIFICATIONS AND EDUCATION REQUIREMENTS
- Bachelor's Degree or global equivalent in Computer Science, Computer Engineering, Information Systems, or related field with 5 years relevant experience; or 10 years equivalent work experience. Master's degree or global equivalent a plus. May hold one or more industry certifications.
- Advanced knowledge and experience in antivirus software, intrusion detection and prevention, incident response, next-generation firewalls, SIEM tools, security principles, malware analysis and network architectures
- Working knowledge of securing and administering network devices and operating systems
- Working Knowledge of vulnerability testing and penetration testing methodologies and practices
- Experience reading and understanding impact of malicious code and mobile attacks
- Strong knowledge of TCP/IP, the OSI model, DNS, HTTP, VPN, routing & switching, and load balancer technologies for virtual and physical networks
- Strong knowledge of threats to include common attack vectors, methodologies and payloads/exploits
- Ability to design, implement and administrate security solutions, e.g., firewalls, proxies, WAFs, DLP, IDS/IPS, malware detection, packet capture and analysis tools, etc.
- Operational experience for secure configuration management across multiple platforms, including virtual and cloud-based environments
- Knowledge of Information Security program development, and roadmap design aligned to security policies, procedures, and standards.
- Knowledge of forensic practices
- Able to effectively give, receive, and respond to feedback
- Excellent oral and written communication skills with the ability to communicate security concepts to a technical and non-technical audience including senior management
- Demonstrated ability to establish relationships and build rapport to influence colleagues at all levels, uncover issues, and identify needs
- Experience in using risk assessment methods and tools
- Information security industry recognized certification(s) highly recommended – GSEC, CISSP, CEH, GCIH
- Experience with scripting languages, databases and SQL, and development languages
- Experience with scripting such as Shell, Perl, Python, Ruby, or PHP
- Experience working with PCI DSS, ISO 27001, Informative References within the United States Cybersecurity Framework, and NIST800-53.
- Working knowledge of ITIL and/or COBIT 5
- Experience evaluating physical security
- Experience working in a hybrid on- and off-shore model
The job description is not designed to cover or contain a comprehensive listing of required duties or responsibilities. Other duties, responsibilities and activities may change or be assigned at any time with or without notice.