Head of Security Architecture
About the Security Architecture Team
The Security Architecture team are responsible for facilitating the secure delivery of APIs, platforms and services. The role of the team is to make Information Security relevant, simple and transformational, and support our colleagues in achieving their goals, but in a secure manner.
As Head of Security Architecture, you will be responsible for building and evolving the security capability that ensures our applications and infrastructure are securely developed and a positive security culture is embedded into the working practices of our application development teams.
The team deliver security services globally to maintain and continuously improve the security posture in an ever-evolving cyber security landscape using state-of-the-art tools and in-house proprietary techniques.
- Provide leadership and oversight by setting the direction, strategy, deliverables, and operating model of Application Security within the Information and Cyber Security function.
- Manage, oversee and lead a team of highly technical security specialists (approximately 10) across multiple countries that delivers application security services to technology and business teams across our organisation.
- Drive the uplift in security capability to ensure an appropriate tool-set, technologies and processes are in place to achieve an effective application security service supporting the team's operational objectives.
- Define and maintain the Application Security service and product strategy based on evaluation of internal and external threat trends, business needs, and regulatory and corporate drivers.
- Perform thorough assessment and analysis of new and existing changes to the Application Security service capability and its end-to-end components, ensuring fit-for-purpose solutions and appropriate service components are implemented.
- Act as the thought leader for Application Security and ensure the service stays ahead of competitive and industry trends.
- Embed Secure SDLC across global application teams through advocacy, training and team-based coaching engagements.
- Embed the use of automated testing tools and processes, standardised frameworks and standards to enhance the agility and effectiveness of application security services.
- Proactively engage with stakeholders to obtain buy-in for the service and manage the escalations and expectations accordingly.
- In-depth, hands-on working knowledge in application development with experience of application security, cryptography, identity and access management technologies and operational experience in a global organisation.
- A strong knowledge of Information Security principles and management.
- Hands-on experience of application security and Secure Development Lifecycles and their application in an agile environment.
- Use of AST tools.
- Experience in cloud security.
- Good understanding of DevOps with experience of Terraform, Ansible and/or Kubernetes.
- Strong knowledge of web application security.
- Strong knowledge of OWASP, CVE, CWE and SANS CWE Top 10 Vulnerabilities, proactive controls and mitigation methods.
- Excellent organisational and leadership skills (successfully led and managed end-to-end technology services and/or technology operations) with the ability to manage multiple deadlines and effectively prioritise.
- Experience of developing a people strategy, influencing stakeholders and decision makers, and executing decisions efficiently and consistently in the modern workplace.
- Ability to lead and control programme and/or project management in the context of a significant amount of change.
- Excellent communication skills - oral, written and presentation; technical report writing for various types of target audience.
- Security certifications are a plus.
Key Skills and Experience
This role would suit someone with an application security / development background with experience in Security Architecture, to include:
- Ability to demonstrate advanced understanding in the field of Information and Cyber Security in terms of both concepts and technology.
- Experience working with Cloud solutions like AWS and Azure.
- Knowledge and experience of working with OWASP.
- Experience of security governance and compliance (e.g. GDPR, PCI-DSS, ISO27001).
- Strong understanding of the penetration testing lifecycle (scope, conduct, analysis, client delivery).
- An excellent level of attention to detail and a strong sense of ownership.
- Ability to articulate complex technical or sensitive issues to a wide audience is essential.
- Ability to work both individually with minimal supervision and as part of larger teams on projects of varying complexity.