Security & Compliance Project Manager

Introduction
At IBM work is more than a job – it’s a calling: To build. To design. To code. To consult. To think along with clients and sell. To make markets. To invent. To collaborate. Not just to do something better but to attempt things you’ve never thought possible. Are you ready to lead in this new era of technology and solve some of the world’s most challenging problems? If so lets talk.

Your Role and Responsibilities

• You will be part of a strong agile and culture-driven development team responsible for building the Supply Chain Product for tomorrow.
• Organizationexcellent communication skills security related experience (preferred)
• The ‘Security & Compliance Project Manager’ should continuously consider the attack vectors and security weaknesses within their area or product offering and provide solutions to remediate those weaknesses. The person should be able to articulate and communicate to leadership team about the security posture of represented products/services. This overarching responsibility drives the requirement for the person to be proficient in the required skills listed below.
• Well Organized : Ability to work independently across multiple component teams synthesize data into clear presentations to be shared with all stake holders
• Collaborative: Must collaborate with architects developers and non-technical stakeholders to drive security solutions.
• Respected: Proven track record in similar roles in industry. You will be expected to establish trust and respect with the development teams.
• Technical: Good grasp of computer science and technical understanding of micro-services architecture SaaS Cloud Security and Infrastructure.
• Growth Mindset: The world of security is highly dynamic and IBM is a company that thrives on innovation. Our Security and Compliance professional must possess a growth mindset to keep up with the ever-changing security landscape and seek opportunities to increase their breadth and depth of security topics.”

Required Technical and Professional Expertise

• Total experience of 12+ years.
• 5+ years of working experience with software product development (preferably SaaS) organizations.
• 3+ years of working experience in a leadership or PM position having worked acorss multiple teams geographies and preferably in compliance related roles.
• Domain expertise in cloud software and infrastructure technologies.
• Very good knowledge and understanding in penetration testing methodologies and exploits (web applications containers APIs network devices databases operating systems and various cloud technologies).
• Ability to communicate highly technical aspects to Executives IT staffs CISO team auditors respectively.
• Demonstrated experience in successful driving and execution of compliance programs for common IT security standards/regulations: SOC1/2/3 ISO27K HIPAA PCI FBA (formerly FFIEC) FedRAMP GDPR etc.
• Experience with and understanding of –
• Access Management – understand the concepts of need to know least privilege individual accountability privilege access monitoring access revalidation etc. and ensure your service implements them. Know to avoid the use of shared IDs excessive privileges weak passwords etc.
• Vulnerability Management – be able to regularly scan your systems and remediate any vulnerabilities found within required time frames
• Data Protection – understand the types of data your services deal with and have measures in place to protect that data (e.g. encryption in transit and at rest locked down file permissions etc.)
• Configuration Management – understand how to securely harden a system or application upon deployment
• Health Checking – know how to check that a system/application is configured correctly on an ongoing regular basis and remediate any issues within required time frames
• Logging & Monitoring – ensure there is a process in place to store key logs with data integrity in place to protect those logs and have a process in place to independently monitor those logs for any unusual activity
• Change Management – understand and follow the discipline of change management to ensure that changes to systems applications and environments are properly planned and vetted to avoid disruption to their service
• Business Continuity – understand what business continuity requirements are necessary in your organization and actively participate in ongoing business continuity planning
• Risk Management – understand where there are gaps in compliance or areas of risk that need to be analyzed and addressed either by remediation activities or formal Risk Evaluations to ensure mitigation executive awareness and approval
• Audits – be prepared to support audits by providing evidence or being interviewed as required
• Common Attack Patterns – know what the common attack vectors facing the industry (e.g. CWE 25 or OWASP Top 10) be able to describe an attack give a generic example of the payload”

Preferred Technical and Professional Expertise

• Good To Have – Certifications / Credentials – CISSP (preferred) CCNP/CCIE (preferred) CCSP CISA/CRISC/CISM.”