Security Tech Lead

Introduction
At IBM, work is more than a job – it’s a calling: To build. To design. To code. To consult. To think along with clients and sell. To make markets. To invent. To collaborate. Not just to do something better, but to attempt things you’ve never thought possible. Are you ready to lead in this new era of technology and solve some of the world’s most challenging problems? If so, lets talk.

Your Role and Responsibilities
The IBM Sustainability Software team is looking for a technical, talented, innovative and enthusiastic Security and Compliance Tech Lead to lead and drive compliance, security awareness, training, applying best practices for secured development. Security is something that every development team needs to incorporate into every phase of their product development life cycle and the Security and Compliance Focal is expected to ensure security is built into the design, planning, implementation, and execution of our products.

The Security and Compliance Tech Lead should continuously consider the attack vectors and security weaknesses within the product offering and provide solutions to remediate those weaknesses. Should be Technical with understanding of Micro-services architecture, SaaS, Cloud Security and Infrastructure; Must collaborate with all stakeholders to drive security solutions; Must possess a growth mindset to keep up with the changing security landscape.

Required Technical and Professional Expertise

• Overall experience 8+ yrs with 5+ yrs of working experience with designing/building SaaS offerings and 3+ yrs as a security technical lead
• Domain expertise in cloud software and infrastructure technologies.
• Very good understanding in penetration testing methodologies and exploits (web apps, containers, APIs, databases, operating systems, cloud technologies, etc).
• Ability to communicate highly technical aspects to Executives, IT staffs, CISO team, auditors.
• Experience with various scripting languages (Shell, Python, Bash, etc.).
• Familiarity with OWASP Top Ten, NIST, CIS and MITRE ATT&CK
• Demonstrated experience in successful driving & execution of compliance programs for common IT security stds/regulations.
• Access Management – understand the concepts of need to know, least privilege, individual accountability, privilege access monitoring, access revalidation, etc.
• Vulnerability Management – be able to regularly scan your systems and remediate any vulnerabilities found within required time frames
• Data Protection – understand the types of data your services deal with and have measures in place to protect that data (e.g. encryption, file permissions, etc.)
• Configuration Management – understand how to securely harden a system or application upon deployment.

Preferred Technical and Professional Expertise

• Certifications / Credentials – CISSP (preferred), CCNP/CCIE (preferred), CCSP, CISA/CRISC/CISM.
• Common Attack Patterns – know what the common attack vectors facing the industry (e.g. CWE 25 or OWASP Top 10), be able to describe an attack with an example, describe what a successful exploitation/impact looks like, and what best practice remediation is.