hireejobs

Principal VAPT

3.00 to 7.00 Years   Hyderabad   09 Jun, 2021
Job Location: Hyderabad
Education: Not Mentioned
Salary: Not Disclosed
Industry: Banking / Financial Services
Functional Area: Operations Management / Process Analysis
Employment Type: Full-time

Job Description

Direct Reports: No
Revised: October 2020

Job Purpose (Job Summary):
Invesco Global Security is looking to hire a Principal - Vulnerability Assessment and Penetration Testing to join an exciting team. This individual will oversee and perform vulnerability assessments and penetration tests against risk-prioritized infrastructure and applications and provide remediation recommendations. The team is looking for an experienced tester with a willingness to share knowledge and work with the team to secure Invesco's applications and systems.

Key Responsibilities / Duties:

  • Perform and oversee penetration testing and vulnerability assessment on various types of technologies and implementations using automated (commercial, open source) tools and manual techniques. This may include:
    • Network infrastructure and wireless networks
    • Servers, platforms, containers, hosting infrastructure and services
    • Client applications (web, mobile, thick-client, etc.)
    • Application technologies (APIs, middleware, database, enterprise service bus, etc.)
    • Cloud security controls and applications
    • High value assets and critical infrastructure
  • Manage continuous security control testing and validation through automation using industry standard frameworks. Execute ongoing assessment of Invesco perimeter assets to identify exposures and weaknesses.
  • Independently execute red team assessments to identify security exposures and to evaluate effectiveness of security controls and response.
  • Plan, notify, identify and exploit technical vulnerabilities in systems through penetration testing, assess business risks of the technical vulnerabilities and communicate to relevant staff.
  • Coordinate internal and third-party vulnerability assessments and pen testing. Provide results to the appropriate technical teams and management
  • Chair vulnerability remediation and prioritization meetings with technology and business stakeholders. Analyze and communicate business risk related to technical vulnerability discoveries
  • Produce high-quality papers, presentations, recommendations, and findings for Senior Level Management and Enterprise Technology Leaders
  • Improve and manage vulnerability triaging, escalation, and management workflows through innovation and continuous improvement.
  • Build and enhance penetration testing and vulnerability assessment capabilities.
  • Enhance contextual risk reporting based on vulnerability and asset data. Manage cybersecurity risk by analyzing the current threats and vulnerability landscape. Develop business acumen to support, assess, and deliver vulnerability risk assessments with business contextual risk.
  • Provide internal remediation support through the design, implementation and integration of network infrastructure and information security controls
  • Act as a security expert in application development, database design, network and platform (operating system) efforts, helping project teams comply with enterprise and IT security policies, industry regulations, and best practices.
  • Assist in development and execution of vulnerability management strategy, tools and technology strategy, future state, standards, audits, and governance.
  • Lead vulnerability management projects. Track deliverables and provide periodic updates to the leadership team. Escalate security and project risks in a timely manner.
  • Develop and communicate KRIs (Key Risk Indicators). Report and escalate risk and key metrics. Effectively communicate security risk identified from assessments or monitoring to ensure appropriate implementation of security controls.
  • Respond appropriately to cyber risk incidents and the related investigations, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody.
  • Provide mentorship and direction to less experienced security engineers.
  • Keep current with industry best practices.
  • Other duties as assigned.
Work Experience:
  • 6+ years of combined IT and security work experience including infrastructure, systems, vulnerability testing, audit, or secure application software development
  • At least 3 years of Pen Testing experience
  • At least 3 years of Vulnerability Management experience
  • Cloud pen testing experience preferred
  • Experience with common information security management frameworks, such as International Organization for Standardization (ISO) 2700x, ITIL and National Institute of Standards and Technology (NIST) frameworks.
  • Working in large / global corporate environments involving multiple businesses.
  • Experience managing projects
  • Financial services highly desired.
Technical Skills Required:
  • Advanced understanding of security controls and common threats and vulnerabilities
  • Expert knowledge of penetration testing frameworks
  • Knowledge of security industry best practices (e.g. SANS, NIST, CIS)
  • Solid understanding of common penetration testing methodologies (e.g. OSSTMM, OWASP)
  • Common attack techniques for web, mobile and API and application testing tools
  • Common application testing tools including, but not limited to Burp, SQL Map etc
  • Pen testing in DevSecOps environments
  • Ability to write scripts/tools to assist in testing
  • Understanding of encryption technologies and common network protocols
  • Ability to review and analyze security vulnerability data to identify applicability and false positives
  • Patch management technologies and processes
  • Wireless protocols and services
  • Sound understanding of security principles, such as infrastructure security, identity and access management, vulnerability management, and secure coding.
  • A keen analytical mind for problem solving, abstract thought, and offensive security tactics.
Other Skills Required:
  • Strong interpersonal skills (written and oral communication) and ability to articulate complex issues to executives and customers
  • Proven ability to effectively communicate ideas and build consensus at all levels within the organization
  • Track record of success in planning and implementing large projects.
  • Ability to communicate technical information clearly and concisely, commensurate with the audience
  • Strong analytical skills with ability to define, collect, analyze data, establish facts, draw valid conclusions, and make fact-based decisions.
  • Conceptual thinking and communication skills: the ability to conceptualize complex business and technical requirements into comprehensible models and templates.
  • Good communicator (written and verbal) and listener.
  • Must be a team player and motivated self-starter with ability to work independently and remotely with limited supervision.
  • Possesses diplomacy and cooperative style necessary to interface effectively with all personalities and across functional disciplines.
  • Maintain strict confidentiality of all security issues including legal investigations, Compliance, and HR data requests
Formal Education:
  • A Bachelor's or Master's degree in Computer Science, Information Systems or other related field; or equivalent work experience.
License / Registration / Certification:
  • Security Certification - OSCP, GPEN, GWAPT, CISSP required.
  • DevSecOps, CCSP certificates are desired.
Working Conditions:
  • Normal office environment with little exposure to noise, dust and temperatures
  • The ability to lift, carry or otherwise move objects of up to 10 pounds is also necessary.
  • Normally works a regular schedule of hours, however hours may vary depending upon the project or assignment.
  • Hours may include evenings and/or weekends and may include 24 hour a day on call support by pager and/or cell phone.
  • Willingness to travel both domestically and internationally. Frequency and duration to be determined by manager.

Keyskills:
security risk, red team, information security management, record of success, testing tools, it security policies, strong interpersonal skills, strong analytical skills, it security, project teams, statements of work sow
