Director / Principal Security Architect - System and Application Security
The Principal Security Architect – System and Application Security (SAS) will be responsible for:
- System and Application Security Strategy: Develop AIG's global SAS security strategy, identify gaps between the current-state and target-state architecture, and build an execution roadmap. Align SAS project execution to the strategy. Develop the SAS investment plan. Serve as the accountable leader from the Information Security Office on SAS and work with the rest of AIG's stakeholders on managing SAS security investment projects.
- System and Application Security Architecture: Develop SAS security capabilities, including application security architecture patterns, DevOps security (e.g., Docker, Chef, …), patching and hardening, application security testing, and shared infrastructure security (e.g., Active Directory, SSO, AutoSys). Build a cohesive architecture to realize global SAS capabilities. Drive the architecture for all SAS security project execution. Provide rationalization for the SAS toolset. Serve as the SAS security design authority.
- SAS Product Management and Technology Evaluation: Serve as a SAS technologist to lead SAS security technology evaluation and POCs. Survey and evaluate leading edge technologies that align with target state architecture. Develop product management roadmap.
In this capacity, the person will work closely with AIG's global SAS stakeholders, the Effectiveness Assessment team and the security monitoring team to deploy the right capabilities and evaluate their effectiveness (e.g., are DevOps security controls identified and implemented? How can we verify them automatically?). The person will use the capability effectiveness assessment to revise SAS strategy, architecture and technology evaluation, and to drive future SAS security investment.
Main job responsibilities of the Principal Security Architect – SAS Security:
- Act as security design authority for all projects within the Information Security Office's SAS portfolio. Engage from ideation through the system development lifecycle in project execution.
- Develop AIG SAS security strategy, architecture and execution roadmap (short term and long term)
- Develop AIG's global DevOps security capabilities and solutions. Define DevOps security controls and automate these controls.
- Develop application security patterns and measure the effectiveness of pattern adoption. Review large scale application security projects (e.g., blockchain).
- Perform SAS security capability “effectiveness” assessment, identify capability gaps and propose enterprise solutions (could be new solution or re-architecting or re-configuring existing solutions)
- Function as a principal SAS security technologist to perform technology evaluation, define use cases, architect POC environment, lead POC execution and conduct trade-off analysis
- Drive SAS security solution design across the eight areas of the security architecture framework (credential management, access provisioning, authentication and authorization, data security, application security, infrastructure security, security monitoring and operations security).
- Deliver a security architecture diagram and security architecture specification for each security architecture engagement.
- Review the security architecture of enterprise-critical projects and assist with SAS security solution integration for enterprise projects as needed.
- Develop and harvest security architecture patterns from architecture engagements and build the enterprise security architecture pattern repository.
- Communicate security strategy and drive the standardization and consistent definition and application of security principles to all stakeholders.
Required qualifications and experience:
- 10 years' experience in an information technology role with increasing responsibility in information security architecture, focusing on system and application security.
- Expert solution knowledge and implementation experience in building security into a global DevOps and cloud-based environment. Experience with major container-based technologies (e.g., Docker).
- Expert solution knowledge and implementation experience with enterprise vulnerability management capabilities and application security (e.g., OWASP Top 10) solutions.
- Experience in security operations center execution. Understands how SAS supports cyber incident response and can provide system and application security context during cyber incident response.
- Familiar with how cyberattacks are carried out technically and able to build architecture constructs to prevent them and enable incident response. Understands that architecting a good solution and architecting the right solution may not be the same thing – there are times when adding an application or functionality is not in the best interests of the organization.
- Ability to research, analyze and resolve complex problems with minimal supervision and escalate issues as appropriate
- Excellent written, verbal communication and presentation skills
- Must be a strong team player
- Trusted Advisor – the person needs to possess the personality and behaviors (diplomatic, tenacious and tactful) to rapidly establish themselves as trusted advisors to the business and as interpreters for the development of IT security solutions.
- Practical Futurist – needs to have shown that they can be ready for 'unpredictable' risks and opportunities, developing architectures that are resilient enough to keep up with the evolution of the enterprise and the cyber threat landscape.
- Commercial acumen – needs to be familiar with ‘Do more for less’, be able to identify and work with stakeholders to collect, aggregate and evaluate requirements in light of current and future technology resources and budgets.
- Bachelor's degree in information technology or computer science strongly preferred. Master's degree preferred.