Lead IT Risk Engineer
TSYS
Contract Columbus, Georgia, United States Posted 4 years ago
About Position
Lead IT Risk Engineer (Contract)
$35.00 / Hourly
Columbus, Georgia, United States
Description
Summary of This Role
Works throughout the software development life cycle and performs in a utility capacity to create, design, code, debug, maintain, test, implement and validate applications with a broad understanding of a variety of languages and architectures. Analyzes existing applications or formulates logic for new applications, procedures, flowcharting, coding and debugging programs. Maintains and utilizes application and programming documents in the development of code. Recommends changes in development, maintenance and system standards. Creates appropriate deliverables and develops application implementation plans throughout the life cycle in a flexible development environment.
What Part Will You Play
Responsibilities
- Serve as a Subject Matter Expert in the area of code development to address security vulnerabilities identified through various code scanning practices, such as static, dynamic, and open source scanning.
- Lead the onboarding and implementation of digital and distributed applications onto code scanning tools, such as AppScan, White Hat, Black Duck, SonarQube.
- Provide engineering and technical assistance to support vulnerability scans, penetration testing, vulnerability analysis, scan analysis, and/or security analysis.
- Actively collaborate with developers to remediate and close vulnerabilities.
- Drive remediation activities from identification through remediation plan and closure.
- Hold owners accountable for delivery of the remediation solution within the agreed upon/reasonable SLA.
- Perform IT risk assessments that address security threats, and other changes to systems and/or applications, to ensure appropriate controls are in place.
- Work with various operational and business teams to drive toward a cohesive view of IT risk and drive remediation items to closure.
- Maintain accurate reporting of remediation activities to bring appropriate visibility to stakeholders.
- Establish and maintain IT metrics and reporting.
- Develop and manage the automation of KRI and KPI reporting that aligns with operational/business risk areas and corporate risk.
- Act as the IT risk management ambassador to internal customers and communicate succinctly to external customers (i.e. Auditors) when necessary.
- Use defined risk methodologies and best practices to perform IT risk assessments. Responsible for the planning, scoping and execution of these assessments.
- Develop actionable and agile IT risk compliance programs to support various compliance regulations.
Qualifications
- Extensive developer experience in Java, JavaScript. Python also a plus.
- Ability to assess security risk, controls, and compliance in a variety of situations, architectures, and solutions.
- Experience with controls definition, development, implementation and assessment.
- Knowledge of IT security principles (e.g. access control, data protection, security architecture, infrastructure/application security design principles, policies) and privacy (i.e. GDPR).
- Functional knowledge of applicable security regulatory requirements (SOX, GDPR).
- Functional knowledge of ISMS governance models (e.g., ISO, NIST), information security roles, IT security controls.
- Functional knowledge of common security certifications (e.g., ISO 27000 series, SOC1, SOC2, PCI DSS) and ability to remediate findings identified in these reports.
- Ability to communicate risk methodologies and concepts.
- Strong understanding of industry frameworks and best practices (e.g. NIST, ISO, OWASP, CIS, etc.).
- Strong interpersonal skills and ability to work effectively with diverse and distributed teams.
- Strong attention to detail, strong organizational skills.
Other
- Occasional travel may be required; less than 10%.
- Must have working knowledge of statistical methods, design history file contents and risk management practices.
- GRCP, CISM, CISSP, PCIP, ISA, or equivalent certifications preferred.