CBS Security Consultant - SDLC

CBS Security Consultant - SDLC

Location: Wrocław - 2 days in office / 3 days remote

Let us introduce you the job offer by EY GDS Poland – a member of the global integrated service delivery center network by EY.

As an Information Security Consultant, the individual will be responsible for providing security guidance to projects and operations teams responsible for delivering, respectively maintaining, IT cloud-based solutions. The Consultant will support the entire system development lifecycle (SDLC) of business IT solutions with information security expertise and guidance. This includes performing a risk assessment of the solution and the underpinning cloud infrastructure in order to derive adequate risk treatment options, driving the security assurance activities with cloud vendors, specifying and prioritizing security requirements, directing the design of security controls, supervising the security attestation activities and effectively articulating all related findings, issues, recommendations to team members and management, assessing the security impact of change requests and providing the operations teams with related recommendations and decisions.

The successful candidate should have solid background in web services architecture and design, networking principles supporting hybrid cloud models, experience in applications development processes and methodologies (experience in agile application development and DevOps operations mode is strongly preferred), as well as oversight knowledge of infrastructure and hosting technologies leveraging virtualization and containerization. The successful candidate should have broad consulting or security assurance experience across all Information Security knowledge areas relevant to modern cloud-based architectures.

EY Technology:

Technology has always been at the heart of what we do and deliver at EY. We need technology to keep an organization the size of ours working efficiently. We have 250,000 people in more than 140 countries, all of whom rely on secure technology to be able to do their job every single day.  Everything from the laptops we use, to the ability to work remotely on our mobile devices and connecting our people and our clients, to enabling hundreds of internal tools and external solutions delivered to our clients.  Technology solutions are integrated in the client services we deliver and is key to us being more innovative as an organization.

EY Technology supports our technology needs through three business units:

Client Technology (CT) - focuses on developing new technology services for our clients. It enables EY to identify new technology-based opportunities faster, and pursue those opportunities more rapidly.

Enterprise Workplace Technology (EWT) – EWT supports our Core Business Services functions and will deliver fit-for-purpose technology infrastructure at the cheapest possible cost for quality services. EWT will also support our internal technology needs by focusing on a better user experience.

Information Security (Info Sec) - Info Sec prevents, detects, responds and mitigates cyber-risk, protecting EY and client data, and our information management systems.

The opportunity

The Security Consultant reports to Deputy CISO of Enterprise Workplace Technology in a hands-on role, focused on the secure design, architecture and development for applications, which processes sensitive data and constitutes core as well as critical business services.  The Security Consultant works directly with Architects, Developers, IAM engineers, Project Managers and other resources; through collaboration and mentoring, they help teams to deliver secure business solutions.

The Security Consultant’s role is a technical position which will support the global strategies and architecture vision as it relates to the development of secure design, build, deployment and operation of business applications and related infrastructure.

Your key responsibilities

This position is an individual contributor capable of supporting multiple project teams in the design, implementation and validation of security controls across applications and services (incl. underpinning infrastructure and cloud hosting platform), as well as providing the operations teams with consultancy, reviews and decisions upon deployment of changes to existent operational services. The core responsibilities are as listed in the following.

• Directing and managing solution-specific information security assurance efforts with 3rd parties and vendors, like backend reviews, controls verification and validation, etc., oriented on standards and frameworks like ISO, COBIT, NIST, TSC, etc.
• Risk assessments (threats, vulnerabilities) of cloud services and applications
• Risk assessments of cloud hosting infrastructure underpinning the services and applications
• Security assessment of architecture and networking supporting the services and applications
• Derivation of risk treatment options from risk assessments and effectively facilitating the implementation of the optimal security-usability trade-off in interactions with project teams and management
• Identifying, specifying and prioritizing security requirements in new applications and services deployment, as well as specifying and facilitating security changes in DevOps operations mode of existent applications
• Directing the design of security controls to satisfy the approved security requirements
• Supervising and managing various types of security attestation activities (scans, pentests, audits), including the definition of scope, pass criteria, contribution to test scenarios, articulating and formalizing findings and decisions
• Assessing the security posture impact of change requests and providing the operations teams with related recommendations and decisions
• Effectively communicating the findings, recommendations and decisions from all above activities, by adapting the form and depth of statements adequately to audiences and stakeholders
• Translating technical security terms and concepts into business risk terminology to facilitate making objective and security-aware risk decisions by management
• Providing knowledge sharing and technical assistance to other team members
• Acting as an agile team member according to established agile development best practices and guidelines

Skills and attributes for success

The position requires knowledge of various IT system architectures and technologies like cloud, virtualization, containerization, mobile, as well as expertise and experience in security subject matter areas such as IAM, network and perimeter security, web applications security, user account management, privileged access, auditing & logging, and others as outlined in ISO 27001, OWASP, NIST and related guidelines and standards. The consultant filling the position should also have experience in conduction of 3rd party security assessments, in particular within the scope of SOC1, SOC2 reports, and in vendor risk management.

A successful candidate should have significant security working experience and knowledge in the design, implementation and operation of security controls in any two or more of the following areas:

• Agile & DevOps Methodologies – Experience as a contributing member of a balanced team within an Agile development or DevOps environment.
• Application Security - Experience with the design of security controls for multi-tier business solutions including the design of application-level access and entitlement management, data tenancy and isolation, encryption, and logging. Working familiarity with REST API and micro services architecture.
• Cloud Security –Technical understanding of virtualization, cloud infrastructure, and public cloud offerings and experience designing security configuration and controls within cloud based solutions in Microsoft Azure and Azure PAAS services
• Infrastructure Security – Experience with the integration of common infrastructure security technologies and solutions into business solution architectures including the integration of identity & access management, intrusion detection and prevention, security monitoring, and data encryption solutions.
• Identity and Access Management - Active Directory based Identity and Access Management and Authorization design experience and integration with IDaaS and Federation technologies.

To qualify for the role you must have

A BSc or MSc degree in Computer Science, Information Technology or a related discipline, or equivalent work experience, with preference towards advanced degrees.

Seven or more years of experience in Information Technology disciplines. Five or more years of experience in Information Security subject matter area with demonstrated experience in the following:

• Experience providing and validating security requirements related to applications and information system design and implementation
• Experience providing and validating security requirements related to cloud services and underlying networking and architectures
• Experience conducting risk assessments, vulnerability assessments, vendor and third party risk assessments and recommending risk remediation strategies
• Experience in the use of tools and methods to identify security exposures and business risks
• Knowledge of common information security standards, such as: ISO, NIST, COBIT
• Familiarity with information system attack methods and vulnerabilities and threat modelling
• Working experience with web technologies and programming languages
• Working experience with more than one of these technologies and products - Java, .NET, NodeJS, Angular, Power Apps, Kubernetes

Ideally, you’ll also have

• A vendor-neutral security certification of DoD IAT Level II-III or DoD IAM Level II-III is strongly preferred (SSCP, Security+, CEH, CISSP, CISM)
• A vendor-specific cloud security certification would be an additional asset (Microsoft AZ-500, AWS Security Specialty, …)
• Proven experience as a standing member of an agile development team (in any agile role) or as DevOps operations mode contributor would be an additional asset,
• Proven experience with either of the Adobe cloud products would be an additional assets.

What we look for

• Ability to team well with others to facilitate and enhance the understanding & compliance to security policies
• Ability to work effectively with customers, management, staff members, vendors, and consultants and articulate findings and recommendations
• Strong English communication and writing skills are required
• Strong judgment and analytical ability
• Excellent interpersonal, communication, organizational, and project management skills
• Flexibility to adjust to multiple demands, shifting priorities, ambiguity, and rapid change

What we offer

EY Global Delivery Services (GDS) is a dynamic and truly global delivery network. We work across nine locations –  Argentina, Hungary, India, the Philippines, Poland, Sri Lanka, Mexico, Spain and the United Kingdom – and with teams from all EY service lines, geographies and sectors, playing a vital role in the delivery of the EY growth strategy. From accountants to coders to advisory consultants, we offer a wide variety of fulfilling career opportunities that span all business disciplines. In GDS, you will collaborate with EY teams on exciting projects and work with well-known brands from across the globe. We’ll introduce you to an ever-expanding ecosystem of people, learning, skills and insights that will stay with you throughout your career.

• Continuous learning: You’ll develop the mindset and skills to navigate whatever comes next.
• Success as defined by you: We’ll provide the tools and flexibility, so you can make a meaningful impact, your way.
• Transformative leadership: We’ll give you the insights, coaching and confidence to be the leader the world needs.
• Diverse and inclusive culture: You’ll be embraced for who you are and empowered to use your voice to help others find theirs.

About EY

EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

If you can demonstrate that you meet the criteria above, please contact us as soon as possible.

The exceptional EY experience. It’s yours to build.

In compliance with the requirements of the Whistleblower Protection Act, our company has established the Procedure for reporting breaches of law and undertaking appropriate follow-up actions. Any misconduct should be reported through the EY Ethics Hotline.