Cloud Security Engineer & SCRUM Master

Role purpose

Reporting into the Head of IT Security, this role will encompass defending Travelex against Cyber threats. This has a dependency on optimising our technology to be based on sound Cyber security principles for us to accurately manage and defend any such attack placed upon the organisation.

Cyber Security is seen as a key strategic pillar within the organisation as the methods attackers use evolve Travelex recognises the requirement to remain dynamic in its defence against such threats. A Clod Security Engineer will develop and maintain robust IT Security Cloud practices that support the adoption of security standards and Policies. ensuring our cloud enviroments strictly adhere to our Cloud Centre of Excellence standards, we have the right security technologies for asset, vulneribility and monitoring as well as threat hunting for opportunities for improving the security and optimising the enviroment.

At this level, you will:

• work on projects with high strategic impact, setting a strategy that can be used in the long term and across the breadth of the organisation
• communicate with a broad range of senior stakeholders and be responsible for defining the vision, principles, and strategy for security architects
• recommend security process design across several projects or technologies, up to an organisational or inter-organisational level
• have a deep and evolving level of technical and governance expertise, so you can act as an exemplar
• make and influence important business and architectural decisions
• research, identify, validate, and adopt new methodologies
• be a recognised expert and demonstrate this expertise by solving unprecedented issues and problems
• further the profession, demonstrating and sharing best practice within and outside the organisation

Key accountabilities

Relationship management

• Develops and maintains robust relationships with key business stakeholders to ensure assurance analysis is visible and in line with agreed customer expectations.
• Ensures the smooth integration of new assurance standards.
• Raise awareness and profile of Cyber across the business at all levels.

Experience and personal qualities

Management information

• Writes and speaks fluently on all aspects of work and communicates effectively with all levels of management.
• Produces accurate, timely and relevant MI for the Head of Security Operations, CISO and the team as required.

Communication

• Writes and speaks fluently on all aspects of work and communicates effectively with all levels of management.
• Responsible for pro-active and regular communication with other areas of IT and the business in relation to Assurance analysis.
• Actively communicate and seek feedback from colleagues and customers.
• Play a participative part in Team Briefs.
• Be proactive in the provision of feedback and the delivery of ideas to develop and improve the Assurance service.
• Ensure feedback to line manager outlining general activities of role and ‘how we are doing’.

General

• Undertakes any necessary training associated with the duties of the post and participates in training and development procedures.
• Complies with all Company Health and Safety policies and legislation in the performance of their duties and responsibilities.
• Maintains confidentiality and observes data protection guidelines.
• Carries out any other reasonable duties commensurate with their capability.

Cloud Security:

• AWS Security: Design, implement, and maintain security architectures within AWS environments. Configure IAM roles, policies, and resource-level permissions to enforce the principle of least privilege.
• SaaS Security: Assess and enhance security measures for SaaS applications, implementing identity and access management controls and data protection strategies. Conduct regular security assessments and compliance audits of SaaS providers.
• Web Application Firewalls (WAFs): Deploy and manage WAF solutions to protect applications from common web vulnerabilities. Regularly tune WAF rules to minimize false positives and ensure effective threat mitigation.
• Container Security: Implement security best practices for Docker and containerized applications, including image scanning, vulnerability assessments, and runtime protection. Collaborate with development teams to integrate security into the CI/CD pipeline.
• Virtualization Security: Secure virtualized environments, ensuring that virtual machines and networks are appropriately configured and monitored. Implement security measures for hypervisors and guest operating systems.

Security Technology Reviews & Capability Roadmapping:

• Technology Evaluation: Conduct thorough reviews of existing cloud security technologies and assess their effectiveness in threat detection and prevention. Identify gaps and areas for improvement. Proficient in technologies such as cloudgaurd , inspector, security groups, aws suricata FW, terraform and more.
• Feature Analysis: Analyze new features and technologies relevant to AWS, SaaS, WAFs, and containers to ensure the organization has the right tools available for proactive security measures. Stay informed about emerging trends in cloud security.
• Capability Road mapping: Develop and maintain a strategic roadmap for cloud security capabilities, outlining planned enhancements, new technology acquisitions, and necessary integrations to improve overall security posture.
• Reporting: Prepare and present regular reports on cloud security technology performance, threat landscapes, and capability gaps to senior management, providing actionable recommendations for improvement.

SCRUM Master Responsibilities:

• Agile Facilitation: Facilitate SCRUM ceremonies (daily stand-ups, sprint planning, reviews, and retrospectives) with a focus on optimizing team collaboration and performance.
• Cross-Functional Liaison: Serve as a communication bridge between security, development, and operations teams, ensuring that security considerations are integrated into every phase of cloud project development.
• Impediment Removal: Proactively identify and remove obstacles hindering team progress, fostering an environment of continuous improvement and agility.
• Project Scope Management: Assist in defining project scope, objectives, and deliverables in collaboration with stakeholders, ensuring alignment with security goals.
• Monitoring & Reporting: Track project progress and performance metrics, providing insights to senior management on team productivity and project milestones.

General

• Experience in automation and finding opportunities in processes to use automation
• Analytical with the ability to seek out gaps, risks or circumvention and provide solutions to mitigate.
• Immaculate documentation creation, maintenance and record keeping
• Can work at multiple levels with the ability to integrate IT Security requirements into other business functions.
• Experience and knowledge of multiple security certifications and legislation such as ISO 27001, SOC2, Cyber essentials and Cyber Essentials+, GDPR, FCA, etc.
• Has a wide general knowledge of technical, governance and assurance within IT Security
• Process and data driven with the ability to present findings/opportunities from data and analysis gathered
• Leads the culture change for documentation creation and maintenance
• Ability to work across many technical related projects at once and keep up with BAU activities
• Works with the Cyber reporting team to produce timely, accurate and frequent reports for both IT leadership and Executive leadership.

Desirable

• Strong verbal and written English communication. Ability to communicate effectively at all levels and to influence key stakeholders.
• Professional approach with a confident assertive style and sstrong interpersonal and presentation skills
• Ability to build & maintain strong relationships with peers and colleagues.
• High level of quality focus.
• A “Can Do” attitude
• Financial Services industry experience.
• Familiarity with ITIL concepts as incident, problem and change management
• Certification such as CISSP, CISM, CISMP, GCIH, CEH, CCNA Security, Security+, CHFI, etc.
• Working Knowledge of IT Security Compliance (SOC2, PCI DSS, Data Protection Act, Sarbanes Oxley, ISO, etc)
• Bachelor’s in computer science/IT/Electronics Engineering, M.C.A. or equivalent University degree
• Minimum of 8-10 years of experience in the IT security industry.