IBM Cloud Object Storage Security Compliance Lead

IBM · IN Bangalore

Company

IBM

Location

IN Bangalore

Type

Full Time

Job Description

Introduction
Software Developers at IBM are the backbone of our strategic initiatives to design, code, test and provide industry-leading solutions that make the world run today: planes and trains take off on time, bank transactions complete in the blink of an eye, and the world remains safe because of the work our software developers do. Whether you are working on projects internally or for a client, software development is critical to the success of IBM and our clients worldwide. At IBM you will use best-in-class software development tools, techniques and approaches, and work with leading minds in the industry to build solutions you can be proud of.

Your Role and Responsibilities
The IBM Cloud Object Storage (COS) group is looking for a technical, talented, innovative and enthusiastic Security and Compliance professional to lead and drive compliance and security awareness training, applying best practices for secure development across our growing portfolio of next-generation COS components/services for IBM Cloud.

Security is something that every development team needs to incorporate into every phase of their product development life cycle, and the Security and Compliance Focal is expected to ensure security is built into the design, planning, implementation and execution of our network services.

Responsibilities:
The Security and Compliance Lead should continuously consider the attack vectors and security weaknesses within their service or product offering and provide solutions to remediate those weaknesses. The lead communicates and articulates to the leadership team the security posture of the represented COS components/services. This overarching responsibility drives the requirement for the Security and Compliance Lead to be proficient in the Required Skills section below.

  • Technical: First and foremost, a strong grasp of computer science and a deep technical understanding of Cloud Security and Infrastructure.
  • Collaborative: Must collaborate with architects, developers and non-technical stakeholders to drive security solutions across the organization.
  • Respected: Proven track record as a security professional in the industry. You will be expected to establish trust and respect with the COS service development teams.
  • Growth Mindset: The world of security is highly dynamic, and IBM is a company that thrives on innovation and maturation; our Security and Compliance Lead must possess a growth mindset to keep up with the ever-changing security landscape and seek opportunities to increase their breadth and depth of security topics.

Minimum Professional and Technical Expertise:

  • 5+ years of demonstrated experience in successfully driving and executing compliance programs for common IT security standards/regulations: SOC1/2/3, ISO27K, HIPAA, PCI, FBA (formerly FFIEC), FedRAMP, GDPR, etc.
  • 5+ years of working experience designing/building cloud software and infrastructure.
  • Expert knowledge of all layers of the OSI model, most importantly the network (layer 3) and application (layer 7) layers.
  • Domain expertise in cloud software and infrastructure technologies.
  • Strong knowledge and understanding of penetration testing methodologies and exploits (web applications, containers, APIs, network devices, databases, operating systems and various cloud technologies).
  • Strong knowledge and understanding of offensive cybersecurity operations and defensive integrations, including enumeration and exploitation of various cloud-based technologies and development of secure applications.
  • Strong ability to communicate highly technical aspects to executives, IT staff, the CISO team and auditors, as appropriate to each audience.
  • Strong experience with various scripting languages (Python, Ruby, Bash, etc.).
  • Familiarity with serverless services, containerization and other cloud technologies.
  • Strong familiarity with OWASP Top Ten, NIST, CIS and MITRE ATT&CK.
  • 5+ years of demonstrated experience in system or application administration role(s).


Required Technical and Professional Expertise

  • System Administration – have in-depth knowledge of the administrative commands needed to manage operating systems and applications in a secure manner (e.g. knowing what commands to run to check patch status and apply new patches).
  • Access Management – understand the concepts of need to know, least privilege, individual accountability, privileged access monitoring, access revalidation, etc., and ensure your service implements them. Know to avoid the use of shared IDs, excessive privileges, weak passwords, etc.
  • Patch Management – know how to keep your systems up to date with patches as required, ensuring that your service is always running on supported operating systems.
  • Vulnerability Management – be able to regularly scan your systems and remediate any vulnerabilities found within the required time frames.
  • Inventory Management – ensure that the assets under your control are properly registered in their system of record.
  • Data Protection – understand the types of data your services deal with and have measures in place to protect that data (e.g. encryption in transit and at rest, locked-down file permissions, etc.).
  • Configuration Management – understand how to securely harden a system or application upon deployment.
  • Health Checking – know how to check that a system/application is configured correctly on an ongoing, regular basis and remediate any issues within the required time frames.
  • Logging & Monitoring – ensure there is a process in place to store key logs, with integrity controls in place to protect those logs, and a process in place to independently monitor those logs for any unusual activity.
  • Change Management – understand and follow the discipline of change management to ensure that changes to systems, applications and environments are properly planned and vetted to avoid disruption to the service.
  • Business Continuity – understand what business continuity requirements are necessary in your organization and actively participate in ongoing business continuity planning.
  • Risk Management – understand where there are gaps in compliance or areas of risk that need to be analyzed and addressed, either by remediation activities or by formal Risk Evaluations, to ensure mitigation, executive awareness and approval.
  • Audits – be prepared to support audits by providing evidence or being interviewed as required.
  • Common Attack Patterns – know the common attack vectors facing the industry (e.g. CWE Top 25 or OWASP Top 10); be able to describe an attack, give a generic example of the payload, describe what a successful exploitation and its impact look like, and explain what the best-practice remediation is.
  • Common IT Compliance / Regulatory Standards – expert knowledge and understanding of SOC1/2/3, ISO27K, HIPAA, PCI, FBA (formerly FFIEC), FedRAMP and GDPR.
  • Certifications / Credentials – CISSP (preferred), CCNP/CCIE (preferred), CCSP, CISA/CRISC/CISM.


Preferred Technical and Professional Expertise

  • 7+ years of demonstrated experience in successfully driving and executing compliance programs for common IT security standards/regulations: SOC1/2/3, ISO27K, HIPAA, PCI, FBA (formerly FFIEC), FedRAMP, GDPR, etc.
  • 7+ years of working experience designing/building cloud software and infrastructure.
  • Expert knowledge of all layers of the OSI model, most importantly the network (layer 3) and application (layer 7) layers.
  • Domain expertise in cloud software and infrastructure technologies.
  • Expert knowledge and understanding of penetration testing methodologies and exploits (web applications, containers, APIs, network devices, databases, operating systems and various cloud technologies).
  • Expert knowledge and understanding of offensive cybersecurity operations and defensive integrations, including enumeration and exploitation of various cloud-based technologies and development of secure applications.
  • Expert ability to communicate highly technical aspects to executives, IT staff, the CISO team and auditors, as appropriate to each audience.
  • Expert experience with various scripting languages (Python, Ruby, Bash, etc.).
  • Deep understanding of, and implementation experience with, serverless services, containerization and other cloud technologies.
  • Domain expertise with OWASP Top Ten, NIST, CIS and MITRE ATT&CK.
  • 7+ years of demonstrated experience in system or application administration role(s).

Date Posted

03/06/2024
