Threat and Vulnerability Management Lead
Sumitomo Mitsui Banking Corporation – SMBC Group
Job details
Department and Role Overview

Security and Operations exists to ensure that the Bank's security risks are managed and aligned to business objectives, to enable sustained growth, and to prevent harm, damage or loss to its people, information or assets.

This is a new role within a growing Cyber Resilience Team, presenting an opportunity to shape our approach to the testing and remediation of vulnerabilities. The role acts as a key interface between the Security Operations Centre (SOC), EU entities and the Americas Division, as well as other stakeholders across the business. It delivers on the testing requirements set out under DORA and other regulatory regimes, so that the Bank is less vulnerable to attack and able to respond and recover effectively if an attack succeeds.

Key Job Functions

- Take the lead in developing, maintaining and implementing frameworks, policies and procedures for penetration testing, threat modelling, application security and vulnerability management, consistent with regulatory requirements and industry best practice.
- Act as a subject matter expert on cyber resilience matters such as cloud security and third-party risk management.
- Manage the delivery of penetration testing, vulnerability scanning and other cyber resilience testing, including delivery through third-party vendors and service providers, in a manner consistent with regulatory requirements.
- Lead the delivery of threat-led penetration testing, including CBEST, through third-party vendors in a manner consistent with regulatory requirements, including DORA.
- Provide oversight, guidance and robust challenge on the remediation of issues identified through testing.
- Maintain effective relationships with subject matter experts across the business to ensure effective testing with high levels of assurance. This includes stakeholders within IT Infrastructure, Architecture and Engineering, Security Operations, Cyber Threat Intelligence, Legal and Data Management.
- Provide appropriate reporting on metrics and timely escalation of identified issues to management, clearly communicating progress and risks.

Responsibility and Authority

- Responsible for improving the efficiency, effectiveness and quality of cyber resilience testing services provided to SMBC within EMEA, to ensure regulatory compliance.
- Delivery of effective penetration testing, through third parties, to meet regulatory requirements and give effective assurance of our resilience. This includes the delivery of threat-led penetration testing to meet CBEST and DORA requirements.
- Oversight of vulnerability scanning to ensure effective coverage of networks, assets and systems, to a standard that fulfils regulatory requirements and gives effective assurance of our resilience.
- Leading cyber resilience activity in relation to threat modelling, application security, third-party risk management and cloud security, to ensure that our interests and priorities are represented. This includes designing the processes and procedures used to manage cyber resilience risks and requirements.
- Responsible for designing, maintaining and implementing the policies, procedures and frameworks for penetration testing, threat modelling, application security and vulnerability management, consistent with regulatory requirements and industry best practice.
- Responsible for providing insight into how testing is performing: maintaining records, tracking key metrics to identify areas for improvement, developing recommendations and ensuring timely escalation of issues.
- Oversight of remediation of testing findings, including those from penetration tests and vulnerability scans, and escalation of issues that breach policies and procedures. This includes providing cyber resilience input into remediation plans and challenging them where appropriate.
- Responsible for maintaining strong stakeholder engagement in the testing regime to ensure effective delivery of testing and remediation of identified issues. This includes regular contact with senior stakeholders in London, across the region and within the US, and input into regular, formal governance forums.
- No direct reports. No budget responsibility.

Key Stakeholders

- Head of Cyber Resilience
- EMEA CISO
- Operational Resilience (BSM)
- IT
- EMEA entities
- AD Cyber Resilience

Organisation Structure

- No direct reports
- Reports to the Head of Cyber Resilience EMEA

Key Skills & Abilities, Specific Experience and Qualifications

- Very good knowledge and understanding of relevant frameworks such as NIST, ISO 27001 and OWASP.
- Formal security certifications required: CompTIA Security+ as a minimum; CISM, CISSP or CRISC beneficial. In addition, one or more of: Offensive Security certifications (OSCP / PEN-200, PEN-300, WEB-200, WEB-300, PEN-210); CREST Certified Tester; CREST Practitioner Security Analyst; Cyber Scheme Team Member; GIAC.
- Very good knowledge and understanding of regulatory requirements on cyber resilience testing, including DORA, BoE Operational Resilience and CBEST.
- Excellent knowledge of penetration testing and vulnerability assessment tools, and of penetration testing frameworks.
- Degree in computer science or similar, or equivalent work experience.
- Experience of delivering cyber resilience testing, including penetration testing of infrastructure and applications (web, mobile, desktop, wireless networks, etc.), within a regulated corporate environment, preferably Financial Services.
- Experience of managing a portfolio of security test projects, liaising closely with stakeholders to ensure delivery against objectives.
- Excellent stakeholder management, communication (written and verbal) and influencing skills, including the ability to work independently or as part of a team, and a demonstrable ability to communicate complex technical issues to a non-technical audience.
- Strong analytical and problem-solving skills applied to complex technical problems.
- Demonstrable ability to approach issues strategically, developing pragmatic and compliant solutions to cyber security issues.