Manager-App Sec VAPT

Job Description

Job Purpose (Job Summary): Invesco Global Security is looking to hire an Assistant Manager to oversee Secure Software Development, perform vulnerability assessments and penetration tests against risk-prioritized infrastructure and applications, and provide remediation recommendations. As a Manager, the role will inspire through performance leadership, build effective teams, promote diversity, and foster organizational talent. This position will need to closely work with Business, Technology, and Security teams to deliver of high quality, value added vulnerability reports for a portfolio of network and application assets, which meet the requirements of the Boards of Invesco and, their affiliates and of Invesco s respective auditors and regulators, globally.Key Responsibilities / Duties:

• Manage analysts responsible for the Application Security, Vulnerability Assessment and Penetration Testing capabilities across the Invesco application and infrastructure portfolio.
• Develop action plans, create schedules, assist with managing budgets, resourcing and produce status reports.
• Provide leadership and management, including hiring, training staff development and performance management of App Sec and VA/PT team members.
• Communicate security risks and solutions to business and IT executives.
• Provide application security advisory, solution architecture, and consulting to internal projects of varying size. Assist business and application development teams to develop secure solution in support of business requirements.
• Develop business acumen to support Secure Software Development Life Cycle (SDLC) for the business unit specific applications and deliver risk assessments with business contextual risk.
• Assist in development and execution of secure software development and vulnerability management strategy, tools and technology strategy, future state, standards, audits, and governance.
• Assist with driving organization wide application security and vulnerability management strategies.
• Participate in application security and vulnerability management projects. Track deliverables and provide periodic updates to the leadership team. Escalate security and projects risk timely.
• Perform and oversee risk assessments, penetration testing, red team assessments and vulnerability assessments on various types of technologies and implementations using automated (commercial, open source) tools and manual techniques.
• Coordinate internal and third-party vulnerability assessments and pen testing. Provide results to the appropriate technical teams and management
• Chair vulnerability remediation and prioritization meetings with technology and business stakeholders. Analyze and communicate business risk related to technical vulnerability discoveries
• Produce high-quality papers, presentations, recommendations, and findings for Senior Level Management and Enterprise Technology Leaders
• Improve and manage vulnerability triaging, escalation, and management workflows through innovation and continuous improvement.
• Manage the creation and dissemination of relevant metrics to various organizational teams. Report and Escalate risk and key metrics. Effectively communicate security risk identified from assessments or monitoring to ensure appropriate implementation of security controls.
• Respond appropriately to cyber risk incident, the related investigations, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody
• Provide mentorship and direction to less experienced security engineers.
• Keep current with industry best practices.
• Other duties as assigned.

Work Experience:

• 8+ years of combined IT and security work experience including infrastructure, systems, vulnerability testing, audit, or secure application software development
• At least 2 years of experience managing resources
• At least 3 years of experience with Application Security, including familiarity with tool sets supporting Application Security and Vulnerability Management (dynamic, static, and pen test)
• Cloud DevSecOps or pen testing experience preferred
• Experience with common information security management frameworks, such as International Organization for Standardization (ISO) 2700x, ITIL and National Institute of Standards and Technology (NIST) frameworks.
• Working in large / global corporate environments involving multiple businesses.
• Experience managing projects
• Financial services highly desired.

Technical Skills Required:

• Advanced understanding of security controls, Secure SDLC, and common threats and vulnerabilities
• Expert knowledge of application security and/or penetration testing frameworks
• Knowledge of security industry best practices (e.g. SANS, NIST, CIS)
• Solid understanding of secure coding practices (OWASP, SANS) and common penetration testing methodologies (e.g. OSSTMM, OWASP)
• Common attack techniques for web, mobile and API and application testing tools
• Common application testing tools including, but not limited to Burp, SQL Map etc
• Ability to write scripts/tools to assist in testing preferred
• Understanding of encryption technologies and common network protocols
• Ability to review and analyze security vulnerability data to identify applicability and false positives
• Sound understanding of security principles, such as infrastructure security, identity and access management, vulnerability management, and secure coding.
• A keen analytical mind for problem solving, abstract thought, and offensive security tactics.

Other Skills Required:

• Proven ability to effectively sell ideas and build consensus at all levels within the organization.
• Track record of success in planning and implementing large projects. Strong crisis management skills.
• Entrepreneurial spirit; hands-on and quick decision-maker.
• Strong analytical skills with ability to define, collect, analyze data, establish facts, draw valid conclusions, and make fact-based decisions.
• Good conceptual thinking and communication skills the ability to conceptualize complex business and technical requirements into comprehensible models and templates.
• Good communicator (written and verbal) and listener.
• Must be a team player and motivated self-starter with ability to work independently and remotely with limited supervision.
• Possesses diplomacy and cooperative style necessary to interface effectively with all personalities and across functional disciplines.
• Maintain strict confidentiality of all security issues including legal investigations, Compliance, and HR data requests

Formal Education:

• A Bachelors or Masters degree in Computer Science, Information Systems or other related field; or equivalent work experience.

License / Registration / Certification:

• Security Certification CISSP or CISM required.
• DevSecOps, CCSP, OCSP, GPEN, or GWAPT certificates are desired.

,

Keyskills :
problem solvinginformation security managementrecord of successtesting toolssecure codingred teambusiness acumensecurity risksecure sdlcsoftware development life cyclelife cyclestatements of work sow