Security Tester – Vulnerability Analysis
Jersey City (Hudson County) IT development
Job description
This role operates as part of a global/local team within the Cybersecurity organisation, analysing and executing activities around Cybersecurity processes, controls, standards and regulatory requirements.
The role will carry out some or all of the following activities:
· Ensure adherence to the three lines of defence organisational model, with clear lines of responsibility, accountability and segregation of duties.
· Ensure that any organisational changes are fit for purpose and meet the expectations of internal audit and external regulators.
· Analyse and execute activities to ensure compliance with HSBC Cybersecurity policies and standards.
· Contribute to the identification and development of processes, procedures and tools that will strengthen the bank's response to threats and incidents
· Assess new technology products and projects utilising security technologies pertinent to the department
· Act as a role model to more junior members of the team
· Engage with other Cybersecurity teams, senior management and members of the Business when confronted with potential security issues
· Expand their own skills, knowledge and experience to enhance the overall capability of the function
The Security Testing candidate will assist in the identification, risk analysis and remediation tracking of infrastructure vulnerabilities identified by HSBC's enterprise scanning and testing service. They will also analyse newly reported vendor vulnerabilities to assess the risk they pose to HSBC.
The candidate will help improve the service and help extend scanning coverage to new deployment areas such as AWS, Azure and other cloud providers as needed.
Impact on the Business
· Protect the Bank. Protect the bank through proactive regulatory risk reduction. Ensure regulatory reporting is consistent across regions and businesses, track it centrally through governance committees, and maintain a rolling agenda for review.
· Risk vs. Reward Decision Making. Make informed and educated risk decisions, applying appropriate commercial / financial-institution risk vs. reward judgement to security decisions.
· Driving sustainable growth. Develop compliance awareness and engage with colleagues across functions and business departments to deliver sustainable risk and compliance solutions. Lead and facilitate change through effective communication, preparation and implementation.
· Achieving excellence. Drive business performance, compliance and security.
· Risk Reduction . Work with key stakeholders (IT and business) to proactively drive the reduction in IT Security risks and to improve the security risk posture of HSBC within the business risk appetite.
· Awareness. Improve awareness of IT Security risks / threats across IT and the business.
Customers / Stakeholders
· Customer focus. Lead a customer-led approach and direct the wider reporting function, both on-shore and off-shore. Engage with relevant programmes and initiatives that affect governance, compliance and risk reporting. Deliver fair outcomes for our customers and ensure own conduct maintains the orderly and transparent operation of financial markets.
· Strengthening stakeholder relationships. Engage with senior stakeholders across all three lines of defence to recognise management and governance reporting requirements within major businesses and entities and at Group level. Support the LISOs and BIROs in their engagement with external stakeholders and regulators by providing data on the risk posture of the control environment.
· Understanding markets and customers. Understand the financial services industry security and threat landscape. Analyse, interpret and communicate developments in the customer's and business segment's local marketplace.
Leadership & Teamwork
· Develop and communicate a clear vision for the regional teams that is aligned to the overall HSBC vision, values and goals, and inspires and engages people to create an inclusive, high performing, customer-centered culture.
· Lead, develop and motivate the leadership team to attract, retain and develop the capacity, capability and talent to provide for succession and ensure delivery of business objectives
· Set expectations, share best practice and manage, monitor, coach and develop leaders and others to ensure that they maximise their performance, meet the required standards, and continuously develop their capabilities and experience.
· Lead and encourage constructive cross-country and cross-business teamwork by demonstrating collaboration and matrix management in action and taking prompt action to address any activities and behaviours that are not consistent with HSBC's diversity policy and/or the best interests of the business and its customers.
Operational Effectiveness & Control
· Lead the continuing development, implementation and improvement of the processes, structures, capabilities, capacity and infrastructure needed to deliver agreed plans and targets. Collaborate with colleagues to maximise end to end integration, effectiveness and efficiency.
· Establish and maintain a robust and efficient control environment across IT Security to ensure good operational, financial and project management and compliance with HSBC policy and procedures, together with early identification and effective resolution or escalation of issues that arise.
· Lead the development, implementation and maintenance of a global management information, analysis and reporting framework for the Assessment teams' activities that supports and informs timely and effective business management and decision making at all levels.
Management of Risk
· The jobholder will ensure the fair treatment (service excellence) of our customers is at the heart of everything we do, both personally and as an organisation.
· The jobholder will also continually reassess the IT Security and operational risks associated with the role and inherent in the business, taking account of changing economic or market conditions, legal and regulatory requirements, operating procedures and practices, management restructurings, and the impact of new technology.
· This will be achieved by ensuring all actions take account of the likelihood of operational risk occurring, and by addressing any areas of concern in conjunction with entity management and/or the appropriate department.
Observation of Internal Controls
· Maintain HSBC internal control standards, including the timely implementation of internal and external audit points and any issues raised by external regulators.
· The jobholder will also adhere to and be able to demonstrate adherence to internal controls. This will be achieved by adherence to all relevant procedures, keeping appropriate records and, where appropriate, by driving the timely implementation of internal and external audit points, including issues raised by external regulators, and internally identified IT security risks.
· The jobholder will implement the group compliance policy by containing compliance risk in liaison with the Global Head of Compliance, Global Compliance Officer, Area Compliance Officer or Local Compliance Officer. The term 'compliance' embraces all relevant financial services laws, rules and codes with which the business has to comply.
· This will be achieved by adhering to all relevant processes/procedures, by liaising with the compliance department about new business initiatives at the earliest opportunity and, where applicable, by ensuring adequate resources.
Desired profile
Qualifications :
· At least 2 years of prior demonstrable hands-on experience in supporting infrastructure Cyber Security requirements or implementation.
· Good understanding of platform-specific security risks and common vulnerabilities.
· Experience performing infrastructure security testing using automated tools as well as manual tools.
· Experience performing risk analysis of security vulnerabilities to customize risk ratings for HSBC business lines.
· Familiarity with industry risk scoring systems like CVSS.
Other requirements
· Strong, demonstrable aptitude for and interest in the field of information security
· Experience using infrastructure vulnerability scanning tools (Nmap, Tenable Nessus, IBM QVM, Qualys, etc.)
· Knowledge about common infrastructure vulnerabilities and remediation
· Strong written communication
· Able to clearly articulate the risk of a defect to stakeholders when required.
· Ability to adapt and apply information to new scenarios and technologies
· Prior infrastructure security hardening and compliance monitoring experience
· Prior experience with security testing large enterprise applications is a plus.
This position requires an individual with:
· A Bachelor's degree in computer science, engineering or related fields, or equivalent demonstrated work experience
· The preceding 1-2 years of experience focused on delivering security services or solutions of increasing complexity
· OR
· The preceding year of experience focused on delivering security services, with 1-2 years prior experience in securing enterprise infrastructure.
Position Skill Sets:
· Shared Information Security skills – Full and broad exposure to the information security common body of knowledge. After 3-4 years of dedicated security work, the tester can sit for an industry-standard security certification (examples: CISSP, GIAC, etc.).
· Technical Security skills – Solid infrastructure security domain knowledge of Windows, Unix/Linux, Middleware, Networking, Databases, etc.
· Business and process skills – Broader knowledge of HSBC customer groups and business units, commercial banking and international trade concepts, and knowledge of HSBC Cyber Security policies and standards.
EEO/AA/Minorities/Women/Disability/Veterans