Head of Security Operations for INFRA
Employee | Tech | Professional | Netherlands | North Holland | 2019-07-12 | REQ-10020154
The mission of Infra is to be
“an infrastructure service provider that delivers reliable and cost-competitive infrastructure services to ING and enables consumers to work in an agile and DevOps way.”
Based on this mission, Infra has defined clear concepts for a Service model, Way of Working and operational management:
· Service model
o Fully functional and standardized service portfolio, perfectly aligned with external markets and to the needs of the consumers, integrated with IPC
o Application-squads of consumers are responsible for managing the entire lifecycle of their own instances
· Way of Working
o End-to-end multidisciplinary DevOps-squads who are responsible for the entire service
o Automated self-service-process for implementing, maintaining and decommissioning of services / instances
· Operational management
o Proactive management of performance indicators to enhance KPIs derived from the INFRA mission
o Continuous Improvement practices are integrated into day-to-day operations
Profile Local Head of Security INFRA
Your new challenge!
You are an energetic and proactive security professional with a passion for IT-infrastructure and a positive, can-do mentality. You are a natural team player who forms relationships based on social skills rather than hierarchical structure. Close cooperation with and between multidisciplinary squads and consumers is your greatest achievement. Translating complex security-related programs and projects into epics and user stories, dividing them among squads and managing all of that is a challenge to you.
You have a broad array of both technical and orange code competences, so you feel comfortable with all INFRA products and services and know your way around the INFRA squads. You continuously strive to develop both yourself and your colleagues in the security mindset.
What do you need to do (Capabilities)
You partner with Business leaders to develop a cohesive Information Security Strategy and a roadmap (schedule, cost, effort, benefit model) for strategy implementation, and you’re responsible for delivering security awareness throughout INFRA. You develop a framework for Information security (together with the CISO Office) and translate this framework into objectives, epics and user stories, whilst balancing the interests of all stakeholders and focusing on the consumers' interests.
Your main focus will be on:
1. Delivering a full information security framework for the entire domain
a) Develop a comprehensive information security strategy – which includes mandatory security standards - together with all relevant stakeholders (e.g. CISO, other Business lines, consumers, INFRA Squads, external contractors)
b) Translate, integrate and support the IS Strategy into epics and user stories for INFRA squads
c) Monitor and check execution in terms of vision and policy. Analyse findings. Draw up reports.
d) Advise the business and proactively act as a business partner.
e) Guide the global information security community in the entire domain.
2. Getting security done in cooperation between squads, stakeholders and consumers
a) Work together with the Product owners to translate epics into concrete user stories
b) Monitor & align between squads by participating in the INFRA marketplace & scrum of scrums
c) Close cooperation with all relevant stakeholders to solve impediments and push for optimal integration
d) Managing third party contractors and internal suppliers to enforce strong security principles in their way of working
e) Proactive alignment with all relevant stakeholders to enforce security principles in the development roadmap and innovation initiatives including the Quarterly Business Review
3. Risk Management & Compliance
a. Manages process and technology risks and ensures compliance with Information security framework.
b. Actively raises awareness among staff.
c. Functional steering: Set objectives for IS staff across the entire domain
d. Functional steering: (Re)define and implement (standard) security controls together with Asset/product owners and ISP
e. Makes planning and development agreements, coaches and assesses employees.
f. Motivates and inspires employees.
g. Ensures teams and project teams are adequately staffed in terms of both quality and quantity.
h. Creates the required environment and enables employees to do their jobs well, both now and in the future.
i. Supports employees, creates a climate of learning and growing and evaluates results and existing knowledge.
a) Manages process and technology risks and ensures compliance with Information security framework.
b) Provide leadership and management of the Information Security Team, and 3rd parties providing IS Security services
c) Oversee / manage response to major threats
d) Collaborate with Data Protection Officer to protect data subject to data privacy regulations (including GDPR)
e) Liaison between ISP - as a security control centre - and the INFRA squads
f) Support Information Security Related audits
g) Collaborate across peers on IS Leadership team to influence IS Strategic direction, and to shape solution delivery to protect ING data, systems, and intellectual property
h) Oversee the security operations of existing and new services delivered by INFRA
i) Contributes to the development of ING BANK information security control frameworks and reference architectures based on (internal and external) threats identified in the INFRA domain
j) Coordinate and monitor the penetration testing, vulnerability scanning, code reviews, data leakage, and ethical hacks in the INFRA domain and define lessons learned based on these activities.
k) Act as point of escalation for Information security issues and take ownership of IS related issues.
l) Orchestrate, manage, sign off and monitor Security Controls for INFRA (e.g. OSG’s, SEM & TSCM installations, DR reports, External connections, Domain segmentation, etc.)
You recognize yourself in the following profile (Competences)
You have knowledge of all INFRA stacks, ecosystems and their consumers. With your Security expertise, you can contribute to the security practices of the DevOps Squads.
Competences - Skills
1. Broad knowledge of INFRA technology & consumer needs
a. Good understanding of the entire domain’s stacks, service catalogue, technologies, their shortcomings and ecosystems
b. In depth knowledge and understanding of the interdependencies within the organisation, who does what, including how the consumer teams use INFRA services
c. Practical knowledge of all INFRA services (e.g. Windows, Oracle, Cloud, Networking & Firewall, Unix, Tibco, CyberSecurity)
d. You have at least two of the following additional degrees and are willing to gain the others:
· Certified Chief Information Security Officer (C|CISO)
· Certified Information Security Manager (CISM)
· Certified IT Systems Auditor (CISA)
· Certified Information Systems Security Professional (CISSP)
2. Strong communication and collaboration skills
a. Strong focus on co-creation, facilitating workshops, presentations, constructive feedback loops and prototyping
b. Ability to explain the value of all security related features to both the consumers and the DevOps engineers
c. Enhance and improve the ongoing user awareness on Information Security
d. Active member of the Extended CISO MT
e. Managerial expertise, including the skills to motivate and convince without enforcing your will and without hierarchical power
f. Stakeholder management skills to engage in close cooperation with consumers and other stakeholders.
g. Be an ambassador for INFRA services to consumers
3. Practical knowledge of Agile and DevOps practices
a. Understand the Scrum-methodology (e.g. backlog and sprint planning, reviewing and marketplace)
b. Extensive knowledge of the DevOps way of working (e.g. continuous delivery, cross functional teams and the development of cross-skilled squad members)
Competences - Behaviour
1. Open personality and willing to engage in new way of working and new technologies
a. Intrinsically motivated to take responsibility
· Strong team player that takes responsibility
· Independent & autonomous in delivering results
· Result driven, motivated to deliver value and adapts to the situation
b. Driven, proactive, self-starter and organised with the skill to present what needs to happen
c. Positive mindset and a natural behaviour to look for solutions, instead of problems
2. Curiosity to always look for innovation/automation possibilities
a. Passion for Information security & risk trends within the INFRA domain
b. Gathers, updates and spreads knowledge about developments and challenges regarding Information security and embeds lessons learned.
c. Strong interest for deep diving into new developments that might be of relevance for INFRA
d. Delivers a swift security & risk overview – including mitigating actions – of new developments to be able to make an informed decision when implementing/choosing a new technology
Your education and background
Professional and intellectual IT-experience on at least a Master’s level
You are familiar with non-financial risk models, IT security architectures and their relationships.
Track record with creating security and/or Risk awareness
Track record on delivering Security capabilities to consumers and/or DevOps teams
You have at least 5 years of experience in a Sr. Management role
You have at least 5 years of experience in the Risk and/or Security area.
Ability to successfully manage and execute multiple, large scale projects using established project management tools and processes.
Experience in working with high performing Agile teams
Fluent command of English (both written and oral)