Director, Information Security Architect

Director, Information Security Architect

The Information Security Architect (“ISA”) role is responsible for the planning, design, implementation and maintenance of the company’s security infrastructure and operations. This technical leader role, ensuring the confidentiality, integrity, and availability of the company's data and systems as documented in the Information Security Management System (“ISMS”) policy and procedures.

The Information Security Architect is a critical role in safeguarding the company’s information assets, and associated infrastructure and applications from cyberattacks. The ISA is responsible for designing and implementing security technologies and procedures to ensure a robust security posture that protects the confidentiality, integrity and availability of the company’s data and systems.

Key functions and responsibilities of the ISA role are:

• Collaborate with the company’s IT and Site Reliability Engineering (“SRE”) teams to ensure security controls integrate and operate seamlessly with current corporate and AWS cloud infrastructure and systems.
• Analyze business information security, privacy and compliance posture to identify and remediate security vulnerabilities and threats.
• Collaborate with the company’s IT and SRE teams to conduct security assessments and penetration tests to identify and remediate infrastructure and applications vulnerabilities.
• Oversee the implementation and configuration of security technical solutions and operational processes.
• Working with the company’s Chief Information Security Office (“CISO”), develop and operationalize security policies and procedures.

Responsibilities and Duties

• Security Architecture Design: The ISA working with IT, SRE and R&D teams toconduct Security Technical Reviews (“STR”) to interpret security vulnerabilities analysis into actionable remediation plans. This involves designing and implementing secure network architectures, cloud service and deployment architectures, applications security functional requirements, identity and access management architectures, and associated access controls to mitigate security threats.
• Threat Analysis: The ISA working with the company’s Managed Security Service Provider (“MSSP”) to monitor, analyze and manage security vulnerabilities and emerging security threats.
• Security Operational Readiness: The ISA working with the MSSP’s security operations team, IT and SRE teams to document and implement managed defense response procedures (“runbooks”) to streamline security operations event triage, notification and escalation processes.
• Managing the company’s security Risk Registers: The ISA working with IT and SRE teams to proactively manage the company’s corporate and product infrastructure and applications security risk register. This includes:
• Maintaining a comprehensive and accurate inventory of the company’s hardware, software, applications and information assets.
• Through continuous monitoring of infrastructure and applications threats and vulnerabilities, identify, analyze, assess and develop risk mitigation responses and strategies.
• On a monthly basis, documenting and communicating the company’s infrastructure and applications security risks, identifying risk impact and likelihood, developing risk mitigation plans and assigning risk mitigation technical owners.
• Schedule monthly reviews with the company’s Quality Management, IT and SRE leaders to organization to ensure transparency of identified security risks.

Qualifications

• Required Certifications: CISSP or CISA certified
• Deep knowledge of IT and cloud infrastructure, platform and security systems, including network, IDS/IPS and Web Applications Firewalls.
• Deep knowledge of operating systems, applications and database security methods.
• Strong understanding of the ISO27001:2022 information security managementframework and associated organizational and technical controls.

Preferred Skills / Experiences:

• Hands-on experience working with MSSPs.
• Hands-on experience configuring and managing a Rapid7 SIEM.
• Working knowledge of security testing tools BurpSuite, SonarQube, Nessus, Prowler and AWS ECR.
• Working knowledge of threat detection platforms CrowdStrike, AWS SecurityHub, GuardDuty and Inspector.
• Excellent analytical and problem-solving skills.
• Effective communication and interpersonal skills.