The mission of the Security Architecture team is to provide security design, security consulting and security assessments of technology systems and processes to identify business risks and recommend remedial action based on established security standards or security best practices.
To be successful as a Security Architecture the candidate must have broad technology experience coupled with strong communication, influencing and time management skills.
A Security Architecture has the following responsibilities:
1. Co-design security architecture of various IT solutions along with domain architects and designers
2. Drive SecArch deep dives with the requestor of the assessment
3. Conduct assessment and provide technology risk/requirements to the requestor. Areas covered:
a. AAA – Authentication, Authorization, Auditing
b. Application Security – Session Security, Vulnerability/Pen Testing items, Input Validation
c. Secure data transport and storage
4. Periodically review security reference architecture (security blueprints) and conduct updates/enhancements
5. Participate in various Operational and Technology Risk governance processes
6. Assist in identifying new areas and opportunities of technology investment for the firm
Skills and Experience
1. Excellent communication skills: written, oral, presentation, listening
2. Ability to influence through factual reasoning
3. Time management: ability to handle multiple concurrent assessments, plan based deliverable management, strong follow up and tracking
4. Strong focus on delivery when presented with short timelines and increased involvement from senior management
5. Ability to adjust communication of technology risks vs business risks based on the audience
Security Architecture Skills
1. Required – Hands-on Security Design experience in one or two of the following domains: Compute, Storage, Network, End User Technology, Enterprise Security Platform, Mobile, Cloud infrastructure.
2. Required – In depth knowledge of application, network and platform security vulnerabilities. Ability to explain these vulnerabilities to developers
3. Required – Experience in conducting Information Security, IT Security, Audit assessments. Presenting the outcomes of the assessment and obtaining buy-in.
4. Required – Strong focus on reviewing technical designs and functional requirements to identify areas of Security weakness.
5. Required – The candidate must have working experience in the following application/network security domains:
a. Authentication: SAML, SiteMinder, Kerberos, OpenID
b. Entitlements and identity management
c. Data protection, data leakage prevention and secure data transfer and storage
d. App Security - validation checking, software attack methodologies
e. Cryptography – encryption and hashing
6. Required - The candidate must have working knowledge of the primary operating systems (Unix, Windows, z/OS, Mac OS), the configuration and management of that platform at an enterprise scale, the security risks to that platform, and how to mitigate those risks.
7. Required - The candidate must have hands-on experience in designing one of the following technologies:
a. Enterprise Compute: Hypervisor, VMware, OS Hardening, Storage, Database
b. End User Technology: Active Directory, SCCM, Windows Clustering, Instant Messaging
c. Enterprise Security Platform: HSM, PKI, Web Proxy, Endpoint Security, DLP, SIEM, Cyber Analytics
d. Networking: Switches, routers, firewalls, proxies, VPN, and load-balancers
8. Desired - experience in testing tools, at least one of Veracode, Fortify, OunceLabs, AppScan, WebInspect, Burp
9. Desired – previous background in programming, design and application architecture.
10. Desired – CISSP or other industry qualification
11. Desired – experience working with global organizations. Previous experience in Financial Services is preferred
12. Bachelor’s Degree with minimum 8 years relevant work experience in high-paced, enterprise environment