PURPOSE
The Senior Security Engineer plays an integral part in the development of strategic policy and technology plans. This role serves as an expert advisor to senior management in the development, implementation, and maintenance of a robust application security program to ensure best practice control objectives are achieved for system integrity, availability, confidentiality, accountability, and assurance. The Senior Security Engineer’s mission is to provide oversight of application security, IT risk management, and audit/regulatory compliance to safeguard information assets, meet company goals, and conduct business in a secure manner.
ESSENTIAL DUTIES & RESPONSIBILITIES
- Develop, implement, and monitor a strategic, comprehensive application security program to ensure the integrity, confidentiality, and availability of information owned, controlled, or processed by the organization.
- Design, develop, and implement security solutions, with an emphasis on web applications.
- Develop and maintain secure coding practices for our applications and ensure source code testing best practices and remediation.
- Work with development teams to integrate security measures into the software development lifecycle.
- Develop, maintain, and publish up-to-date information security policies, standards, and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
- Create and manage information security and risk management awareness training programs for all employees, contractors, and approved system users.
- Provide regular reporting on the status of the application security program to Management as part of a strategic risk management program.
- Create a framework for roles and responsibilities regarding information ownership, classification, accountability, and protection.
- Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
- Define and facilitate the application security risk assessment process, including the reporting and oversight of treatment efforts to address findings.
- Manage security incidents and events to protect corporate IT assets, including intellectual property, sensitive data, and the company's reputation.
- Monitor the external threat environment for emerging threats and advise Management on the appropriate courses of action.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security program.
- Experience with static, dynamic, and open-source application security tools.
- Experience performing thorough threat modeling of web applications.
- The ability to effectively partner and communicate with Engineering and Product teams.
- The ability to quickly adapt and context switch between different environments that are using a variety of tech stacks.
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences. Strong documentation skills.
- Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment.
- Poise and ability to act calmly and competently in high-pressure, high-stress situations.
- Must be a critical thinker, with strong problem-solving skills.
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT, and NIST CSF.
- Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), Certified Ethical Hacker (CEH) or other similar credentials, is required.
- Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- Ability to lead and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals.
- High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.
- High degree of initiative, dependability, and ability to work with little supervision.
- Bachelor’s degree in Information Security, Computer Science, Management Information Systems, or a related field required.
- Minimum of 5 to 10 years of experience in a combination of application security, risk management, and IT jobs. Employment history must demonstrate increasing levels of responsibility.
- Prior experience securing large-scale web applications, including performing security code reviews, vulnerability assessments, and manual testing for logic flaws.
Work Environment: Job is typically performed in a general office environment or remote.
Physical Requirements
- NP: Not Present
- O: Occasional (up to 25% of time)
- F: Frequent (26%-74% of time)
- C: Constant (75% or more of time)