Under the direction of the Manager of Information Security and IT Governance, the DevSecOps Engineer will directly engage in the delivery of projects with multi-disciplinary teams, implement automation and security-related tooling, assist with installation and management of the security infrastructure, and conduct investigations and incident response. The DevSecOps Engineer will also be responsible for the design and development of innovative security solutions for protecting data deployed in the cloud. This is a hands-on technical role that also requires direct communication with cross-functional teams including IT, Project Management, Development, and eServices.
The DevSecOps Engineer helps plan and carry out FPCU’s information security strategy. They help develop a set of security standards and best practices for the organization, and recommend security enhancements to management as needed. DevSecOps Security Engineers may be asked to provide content to educate the workforce on information security through training and awareness.
1. Designs, develops, documents, analyzes, tests, integrates, debugs, conducts research and/or discovers and analyzes security flaws or vulnerabilities in software, networks, systems, and applications.
2. Actively participates in identifying, prioritizing, and coordinating the protection of critical cybersecurity infrastructure and key resources.
3. Assesses system security to identify and mitigate risks and vulnerabilities.
4. Supports the configuration and administration of cyber security tools and systems.
5. Tests existing and new technologies for security vulnerabilities.
6. Reviews requested changes for equipment, technology and/or other factors/trends, which are planned for deployment.
7. Be part of a team responsible for design and implementation of infrastructure and security architecture, including security groups, network firewalls, WAF and IDS.
8. Work very closely with the Development, Operations and Networking teams to craft and enforce security policy as it relates to DevOps, infrastructure and more.
9. Responds to information systems security incidents and vulnerabilities including investigation of, countermeasures to, and recovery from computer-based attacks, unauthorized access and policy breaches; interacts and coordinates with third-party incident responders including law enforcement.
10. Work with IT and Development to develop secure solutions to reduce attack surface.
11. Analyze and harden existing infrastructure, automation, and deployment processes.
12. Work with development teams, operations, governance, and other stakeholders to draft security standards for cloud services and implement monitoring to adhere to those standards.
13. Integrate security tools in the CI/CD process and work with development teams to mitigate findings.
14. Ensure cyber security best practices are implemented and followed. Maintains compliance with all guidelines and regulations such as FFIEC, NIST, GLBA, and any other relevant regulations.
15. Monitors information systems for security incidents and vulnerabilities; develops monitoring and visibility capabilities; reports on incidents, vulnerabilities, and trends.
16. Ensure EMT/SMT know as much as possible, as quickly as possible about security incidents.
17. Performs other related duties as required.
We share a collaborative obligation to ensure we conduct ourselves in the utmost ethical manner and hold each other accountable to the values and standards of the organization. Every Partner has the responsibility to ask questions, seek guidance, and report concerns and/or violations of company policy or ethical standards. Financial Partners has several processes in place to communicate with leadership and expects that partners will have a commitment to integrity and uncompromising values.
All areas of responsibility are essential to the satisfactory performance of this position by any/all incumbents, with reasonable accommodation, if necessary. Any non-essential functions are assumed to be included in other related duties as assigned.
EDUCATION and/or EXPERIENCE:
Bachelor’s degree in computer science or related field or equivalent technical or professional experience related to Information Security is required. Other requirements are:
- 6+ years of experience related to Cyber Security Engineering
- 5+ years of experience in a DevOps and/or a DevSecOps environment
- At least five (5) years of hands-on technical experience
- 3+ years of hands-on experience in Cloud Security, preferably in the delivery of large-scale, multi-tenant enterprise Cloud Platforms
- Working knowledge of architecture and design of solutions using cloud-based technologies or experience with Microsoft Azure, AWS, GCP or other cloud technologies
- Proficient with a variety of software development languages, tools and techniques
- Proficient with a variety of DevOps tools and techniques
- Proficient in scripting and automation tools such as PowerShell, Ansible Playbooks and Python
- Experience with Continuous Integration/Continuous Delivery (CI/CD) concepts and automated tools such as Docker, Jenkins, Rational Team Concert, JIRA, Git, Puppet, and/or Cucumber.
- Solid understanding of cyber security technologies and concepts at both the local and enterprise level
- Experience with networking (TCP/IP, topology, sockets and security), operating systems (Windows/Linux), and web technologies (Internet security)
- Experience establishing and maintaining good working relationships in all levels of the organization, including customers, organizations, internal management, and support
- Integration, design, and architecture of AWS or GCP services into other security platforms (IAM, SAML, OAuth, Okta, Ping Identity)
- Knowledge of software development and systems development lifecycle practices, preferably in an agile development environment
- Experience in software security testing, methodologies, and frameworks
- Hands-on experience in security systems, including firewalls, intrusion detection systems, anti-virus software, authentication systems, log management, content filtering, etc.
- Familiarity with web related technologies (Web applications, Web Services, Service Oriented Architectures) and of network/web related protocols
- Problem solving skills and ability to work under pressure
- Strong analytical skills
- Flexibility to adjust to multiple demands, shifting priorities, ambiguity, and rapid change
- Ability to research, analyze and resolve complex problems with minimal supervision and escalate issues as appropriate
- Must have a valid CA driver’s license
- Any combination of education, training and/or experience that fulfills the requirements of the position will be considered.
CERTIFICATES, LICENSES, REGISTRATIONS:
- Hold or be actively pursuing security-related professional certifications within the GIAC family of certifications or CISSP, CISM or CISA
- Information Systems Security Engineering Professional (ISSEP) or Information System Security Architect Professional (ISSAP)
- Certified Ethical Hacker (CEH)
- SANS/GIAC Reverse Engineering Malware (GREM)
- Certifications related to Agile development and Scaled Agile Framework (SAFe) such as Scrum Master, SAFe Agilist (SA), SAFe Practitioner (SP) or SAFe Program Consultant (SPC)
- Any Security or technical certifications and/or technical training in security software, servers, local and wide area networks, and/or communications are highly desirable.