Security Engineer IAAS – Elastic Compute

Full Time, Onsite
Dubai
Posted 1 month ago

Job Description

Organization Unit Purpose

The unit’s primary purpose is to design, engineer and eventually embed practical and balanced cyber/information security
principles, patterns and controls into all products and platforms, and to conduct security assessments and gap analysis and
provide remediation to the relevant squads and stakeholders.

Job Purpose

Primary/General Job Purpose:

Encourage ‘Shift Left’ Mindset – Proactively embed security requirements, by influencing implementation of
security & privacy patterns from the start of the development cycle

Engineering & Design – Research & propose practical security solutions for security patterns, mutually agreed
with the Group Information Security Office (GISO), that provide a fine balance between user experience,
performance and security

Implement via Influence – Influence stakeholders such as Product Owners, Solution Architects, Developers,
Testers, Engineers & others to include security patterns into features, epics and stories in order to build secure,
innovative & superior digital products for customers and employees

Assessments – Perform security assessment and perform gap analysis to provide appropriate remediations to
the teams for implementing the fixes.

Secondary/Specific Job Purpose:

You will design, engineer and perform security reviews on practical and balanced security controls for the
Infrastructure as a Service (IAAS) tooling/platform domain.

You will be required to come up with innovative methods to meet demand from the Technology Platform domain to
ensure security and privacy controls become part of the automated platform that they will build to serve the
entire Group IT.

You will deal largely with cloud-native technologies and must have solid hands-on experience building and implementing secure network and storage designs for a Software Defined Data Center (SDDC), Container Network Interface and Container Storage Interface (CNI, CSI and 3rd-party plug-ins), API-centric network and storage, Zero Trust Networking (ZTN) and service mesh using Kubernetes, libvirt and KVM. Strong foundational knowledge of and experience with network security, Kubernetes security and container networking security concepts is mandatory.

You will create and/or fine-tune security technologies/tools for either self or squad members (e.g. developers,
DevOps, etc.) in order to resolve security challenges via automation as much as possible

You will influence the implementation of security controls & patterns for the technology platform product using a
mix of your superior technical, security, people, process & persuasion skills while ensuring high customer
service ratings and adequate stakeholder, expectation and perception management.

Job Content

Key Results

Ensure prioritization of information/cyber security activities via stakeholder management

Embed information/cyber security & privacy effectively into business & technology products

Effectively manage potential security risks, challenges and blockers within a team/squad for a product and/or platform

Mature security automation within the organization to raise working efficiency of the squad in order to support the vision of faster
time to market for products/platforms

Assist with enhancing cyber/information security talent within the organization

Assist with enhancing the overall Cyber Security Maturity Score of Emirates NBD

Management Responsibilities

Performance Measures


Customer Satisfaction (CSAT) Rating

Level of adherence (%) to the guard rails/control gates as part of the Security Engagement Model
Number of artefacts correctly documented and stored as required by oversight functions.

Ensure security is embedded in a manner that ensures minimal number of Critical or High residual risks for the product/platform

% of security automation across the required control gates/guard rails in the Security Engagement Model and/or CI-CD pipeline

Number of security education workshops conducted for Squads/Teams

Cyber Security Maturity Score

Quality of slide decks and storytelling capability
Feedback from stakeholders when leading/managing a team

Main Tasks

 Work with key stakeholders such as Product Owners & Platform Owners to effectively manage demand via accurate planning

 Use a ‘Data Centric Security Approach’ to accurately ascertain Asset Criticality for business products and/or technology assets by using a defined process
 Conduct Data / Asset Classification & arrive at overall Asset Criticality by liaising with business & technology stakeholders and oversight functions
 Participate in the creation of new security patterns (where non-existent)
 Ensure inclusion of security requirements/patterns and non-negotiables in the High-Level Design (HLD) document
 Attend relevant Agile ceremonies to ensure inclusion & execution of Evil Stories/Misuse Cases as part of secure development
 Participate in Threat Modelling activities with oversight functions like Group Information Security in order to arrive at a defined security assessment plan for the product
 Research and propose practical solutions, either Open-Source or Enterprise OR developed by self (e.g. via scripting) that will help implement the defined security pattern
 Ensure inclusion of relevant regulatory requirements into patterns with the help of the Business Information Security Office (BISO) which is part of the GISO
 Participate in the inclusion and review of contractual clauses that include but are not limited to Data Security & Information Security within Master Service Agreements (MSAs) / Contracts with business partners, 3rd parties and vendors.

 Foresee & anticipate security challenges as ‘red flags’ and ‘blockers’ that have the potential of causing delays in product or platform delivery
 Advise stakeholders within squads of inherent and/or residual risks ‘early’ in order to plan remediation of those risks in a manner that does not affect timely delivery

 Bring the right set of technology and/or business stakeholders to the table in order to seek assistance to minimize potential security blockers
 Liaise with oversight functions and squad members during the time of ‘Product Release’ to ensure that all required security & privacy requirements have been embedded into the product and sign offs go smoothly

 Create and/or fine-tune security technologies/tools for either self or squad members (e.g. developers, DevOps, etc.) in order to resolve security challenges via automation as much as possible

 Participate in interviewing and selecting candidates that are a good fit for security architecture/design and/or assessment
 Design/Create Capture-the-Flag (CTF) platforms/tests for assessing the technical competency of candidates being interviewed
 Coach, mentor, educate and guide new joiners on the process and technologies within the organization as part of induction ceremonies
 Educate, counsel, and guide non-security stakeholders like Developers, Testers, Solution Architects, DevOps, Technology/Product Engineers about security concepts

 Respond to requests from oversight functions and/or regulators for security architecture/design artefacts/data that will eventually contribute to maturity of cyber security posture

 Participate and provide insights or advice on security risks/challenges/solutions, as a subject matter expert, using data, facts, accurate analysis and correlation at forums including but not limited to Program/Project/Approval Boards & Digital Councils
 Assist with conflict management, stakeholder management, expectation management and perception management

Education

Bachelor’s degree in a computer-related field such as computer science, cyber/information security discipline, physics, mathematics or similar

Master’s degree in business administration, information security, human resource management, finance or international business or executive education from reputed institutes like Harvard

 General Information Security: CISSP, CISM/CISA or similar
 Network Security: CCNA, CCNP, CCIE, Certified Kubernetes Security Specialist
 General Cloud Security: CCSK /CCSP or similar
 Specific Cloud Security: AWS/Azure/GCP/Oracle Solution/Security or similar
 Architecture: TOGAF/SABSA or similar
 Privacy: CIPT, CIPP/E
 Agile: Certified Scrum Master (CSM)

Experiences

Must have a minimum 4-9 years of experience in an information security function with good background in information technology, stakeholder management and people management

Minimum 3-5 years’ experience, as a Security Engineer especially in Cloud Native environments

Minimum 3-5 years’ experience as a Network Security Engineer

SKILLS

API security, Platform security, IAST, SAST, DAST, Infrastructure security.

Expertise in Ansible, Terraform, Kubernetes, Docker, Jenkins, OpenShift and good knowledge of microservice architecture and pipeline-driven security.

Deep foundational knowledge, understanding and application of all aspects of Information Security concepts from a broad range of technical and non-technical areas (Technical)
Expert at the technology and frameworks in his/her area of expertise, and coaches other architects on development standards and best practices.
Good understanding of enterprise level target architecture and public and private cloud platforms (IaaS/PaaS)
Good hands-on experience solutioning technology architectures that involve perimeter protection, core protection and end-point protection/detection & API/microservices security

Experience working in a DevOps environment with knowledge of Continuous Integration, Containers, DAST/SAST tools and building Evil Stories (Technical)
Good knowledge of the concerns and threats that revolve around Cloud Security and how those concerns can be mitigated (Technical)
The Analyst / Engineer has the skill to follow design principles and applies design patterns to enforce maintainable, readable and reusable patterns, in the form of code or otherwise
The Analyst / Engineer can understand and interpret potential issues found in source or compiled code
The Analyst / Engineer has automation skills/capability in the form of scripting or similar
The Analyst / Engineer has the ability to attack application and infrastructure assets, interpret threats and suggest mitigating measures
Ability to interpret Security Requirements mandated by oversight functions and ensure comprehensive coverage of those requirements, via documentation, within high level design and/or during agile ceremonies, via Evil Stories
The Analyst / Engineer can propose options for solutions to the security requirements / patterns that provide a balance of security, user experience & performance
The Analyst / Engineer has the skill to discuss and present solutions to other architecture, security, development and leadership teams.
The Analyst / Engineer can interpret and understand vulnerability assessment reports and calculate inherent and/or residual risks based on the assessment of such reports
Ability to articulate and be a persuasive leader who can serve as an effective member of the senior management team. Good negotiation skills will be desirable
Must have good judgment skills in order to decide on an exception approval
Ability to enforce improvements when necessary using Influence rather than Policing measures
Superior written and verbal communication skills in order to effectively communicate security threats and recommendations to technical or non-technical stakeholders. Knowledge of application of Agile methodologies/principles such as Scrum or Kanban

Behavioral Competencies

  • Influencer/Security Evangelist for the Team/Squad
  • Positive & Constructive Attitude
  • Autonomous worker / Decision Maker
  • Good listener
  • Patient & Calm during stressful situations
  • High energy individual / Motivator
  • Win-Win
  • Hacker/Defense-In-Depth mindset
  • Analytical thinking
  • Team Player/Interpersonal Skills
  • Eye for detail
  • Persistent & Persuasive
  • Organized / Structured
  • Deadline oriented
  • Competent and committed
  • People’s Person; understands stakeholder management
  • Empathetic
  • Passionate about architecting smart solutions
  • Innovator/Out of the box thinker
  • Collaborative Leadership style
  • Confident Presenter

Job Features

Job Category

Security Engineer's
