- Manages Information Security penetration testing for new and existing business applications, IT infrastructure and/ or Company products, and provides advice and guidance on scope of penetration testing to meet relevant technical security controls (e.g. ISO27001 and/or the PCI security standards)
- Ensures penetration tests meet Information Security requirements
- Ensure that all VM Sec Ops processes are followed and ensure that all Security tools are maintained
- Develop and maintain VM Sec Ops reports and dashboards
- Ability to explain tool sets to auditors and customers alike.
- Expert knowledge of SIEM tools, vulnerability scanners
- Ensures all residual risk is documented for agreement by business service owners.
- May be required to work on other global Cubic sites and data centres
QualificationsEssential:
- Bachelor’s degree in a relevant subject (e.g. Information Security, encryption, computer science, maths, engineering) or equivalent qualifications/experience
- Certification as an Information Security professional (e.g. IISP/CISA/CISM/CISSP/CCSP)
- Master’s degree in a relevant subject (e.g. Information Security, encryption, computer science, maths, engineering)
- Payment Card Industry Security Standards Council certification (ISA/ QSA/ QSA P2PE)
- HMG IA qualifications/ CLAS/ CISPM
- ITIL v4/ Prince2 foundation level/ TOGAF 9 certifications
- Security and IT infrastructure/ networking vendors’ certifications
- Demonstrable experience in managing penetration tests
- Demonstrable experience supporting PCI-DSS certified solutions
- Experience supporting secure development lifecycles (SDL)
- Good understanding of enterprise-scale security management process and infrastructure
- Detailed knowledge of enterprise IT infrastructure and tools (e.g. Microsoft, Cisco, Oracle Solaris, Linux)
- Superior network infrastructure and protocol knowledge
- Knowledge of cryptographic services, current ciphers and key management systems
- Experience of quality management systems and external audit standards e.g. ISO 9001, ISAE3402
- Able to support an "on-call" out-of-business-hours service on a rotating basis with this responsibility spread across team members
- Demonstrable experience supporting architecture/ compliance programs for Information Security, audit, risk and compliance standards and legislation e.g. PCI-P2PE, PCI-POI-PTS, ISO 22301, ISO27005, ISO31000, NIST security and risk frameworks, GDPR
- Experience of application security testing tools and DevOps frameworks, e.g. Sonarqube, JIRA, static & dynamic code analysis/ “fuzzing”
- Ability to provide and report key performance indicator metrics demonstrating product and/or security architecture compliance within DevOps and waterfall project methods, product development
- Coding skills within development tools/ environments; Java, Visual Studio, C#
- Experience of transactional revenue, embedded, smartcards and mobile payment systems
- Knowledge / experience of security architecture of major public cloud services e.g. Microsoft Azure, Amazon Web Services, Google Cloud, Cloud Access Service Brokers e.g. Okta
- In depth understanding of Information Security operations tools, e.g. Tenable.IO, Nessus, Qualys, Splunk, Trend Micro DeepSecurity, Imperva, TripWire, Cisco IPS, McAfee, Barracuda
- Must be able to work effectively and uphold professional standards and confidentiality with Cubic internal and external customers as well as staff at all levels of the organisation. The role will also be required to work with security vendors, Cubic suppliers and customers.
- Must be able to travel globally at reasonable notice and be based internationally for assignments for several weeks’ duration
- Strong communication skills and able to rapidly acquire new knowledge and learn on the job
- Self-motivated, able to work on own initiative