Imagine...working for a company that knows that its people are the key to its success in the marketplace. A company in which achieving extraordinary results and having a stimulating work experience are part of the same process.
We cultivate and embrace a diverse employee population. We recognize that people with diverse backgrounds, experiences and perspectives fuel our growth and enrich our global culture.
We are looking for an individual who enjoys working in a fast-paced, team oriented environment, likes to be challenged, and values the opportunity to make a difference.
The Senior Security Specialist - Information Risk - Assurance will support the Information Risk Management program within the Information Technology - Security Department for Campbell's. The Risk Management program will align with the strategy of the Company while addressing changes in the global risk landscape and evolving technologies.
- In this role, you will be responsible for managing the Information Risk - Assurance function within Campbell's Information Technology – Security Department. This responsibility will include management of the process for identification, assessment, and remediation of vulnerabilities, threats, and configuration issues within systems and applications in the office and manufacturing environment.
- As the Senior Security Specialist, you will be responsible for communicating to key stakeholders throughout the organization to ensure an understanding of the current state of Information Assurance objectives and that identified issues are resolved in a timely manner. This lead role is a critical function of the overall information security program.
- In this role you will report directly to the head of Information Risk Management.
Essential responsibilities will include but not be limited to:
- Build upon the application security and vulnerability management program, using risk management project methodology to validate that applications and systems are implemented according to their specified design and to industry-recognized standards such as those established by OWASP, the Center for Internet Security (CIS), Microsoft and others. (35%)
- Manage the threat and vulnerability management program to assess risks and the effectiveness of systems currently not within scope, such as ERP, APIs, network infrastructure, manufacturing and open-source software, and security technologies. (20%)
- In partnership with department peers, establish and provide KPIs to technical teams, senior leadership, and third-party organizations to analyze and report on the effectiveness of the vulnerability/application security program and identify opportunities for improvement. (10%)
- Track and report remediation efforts and exceptions. (5%)
- Advise and support the Head of Information Risk Management, Compliance, and Assurance in technical security matters related to vulnerabilities and the best path forward. (5%)
- Within context of the existing risk management framework, expand and manage the DevSecOps program within the Company for use by internal developers and third parties to ensure that security processes are effectively implemented during design, development, and throughout the system lifecycle. (5%)
- Establish testing processes for automated testing including dynamic and static analysis of code in support of secure coding practices across the Company. (5%)
- Conduct red-teaming exercises against the third-party Security Operations Center to verify that its detection and response capabilities are effective. This may also include overseeing penetration testing of internal and external applications. (5%)
- Correctly balance security risk against business impact. Interface with third parties, business analysts, and internal and external IT Audit groups.
- Understand emerging leading practice for applications including industrial control systems.
- Proficiency in finding defects before attackers do and communicating effectively how to resolve them.
- Ability to effectively communicate risk including corrective action plans / recommendations to non-technical audiences.
- Ability to create effective reports and presentations to communicate technical concepts to both technical and non-technical audiences.
We are looking for the following abilities and skills:
- Minimum education required: Bachelor of Science degree
- Preferred certifications: CISSP, CISA, CRISC
- Years of relevant experience: 7+ years.
- Proven experience in managing an outsourced third-party provider of threat management services.
- Proven history of designing and implementing process and technology for identifying vulnerabilities.
- A broad cyber-security skillset, able to assimilate and consider issues from the technical, and business perspective, supported by a pragmatic attitude to the implementation of security across multiple business units.
- Strong understanding of systems and application architecture within the office environment, and of emerging better practice within IoT (Internet of Things) / ICS (Industrial Control Systems) environments.
- Strong understanding of Secure Development Practices and development related systems such as Jenkins, Jira and container technology.
- Knowledge of common security vulnerabilities such as OWASP Top 10, SANS Top 25.
- Experience in security testing web applications; experience with mobile applications is a significant plus.
- Experience with cloud and container security for platforms such as Amazon Web Services (AWS), Microsoft Azure, VMware vCloud and/or Docker.
- Familiarity with scripting in languages such as Python, Bash, or PowerShell.
- Technical expertise with information assurance tools such as Tenable, Qualys, Acunetix and Checkmarx preferred.
- Understanding of emerging better practice for applications, including industrial control systems.
- Demonstrated ability to learn on the job and explore new technologies with little supervision to identify new and emerging security threats.
- Strong technical, communication and interpersonal skills.
- Demonstrated ability to function in a global environment.
- Ability to perform in a challenging, fast-paced technical and business environment.
- Office environment with up to 10-15% travel.