Deliver Limited Brands Information Security program by operating processes and delivering technology necessary to protect the confidentiality, integrity, availability and compliance of enterprise information/technology assets. This position has global enterprise-wide security/risk leadership responsibilities for all platforms, systems and devices. Engage with IT leaders, IT engineers and all brands, client functions & third parties while focusing on security testing and engineering activities.
- Security Testing: deliver information security risk assessments, security tests, penetration tests, ethical hacking, code reviews and any associated security defect mitigation. Integrate security testing (steady-state & projects) with all IT teams and standard SDLC processes. Security testing includes but is not limited to architecture review, documentation review, configuration review, vulnerability scans, penetration testing (automated & manual).
- Security Engineering: engineer information security process and technology solutions working with security operations and IT teams to deliver appropriate infrastructure, application, device, network and data security protections
- Threat Analysis: deliver the threat and vulnerability management program, rationalize its effect on the business/IT environment and advise on risk considerations
- Incident response: technical security expert supporting security events/incidents performing technical analysis
- Risk Advisor: build and maintain strong IT and business relationships to inform and educate as a risk advisor
- Key clients: IT leaders, IT engineers and technicians, business partners as part of projects and assessments
- Technical leadership: Key member of the information security technical working group to identify issues, threats and build solutions to mitigate associated risks
- Balance: Improve speed by continually rationalizing controls to better support business performance, innovation and operations while delivering security responsibilities
- Security Architecture: support application, infrastructure, data security architecture (stores, ecommerce, back-office, devices). Plan and design security and compliance into solutions alongside IT and business leaders in-line with security/compliance risk appetite.
- Information Technology (1999 or earlier); Information/IT Security (2005 or earlier)
- Experience executing security tests, penetration tests and code reviews (diverse platforms, protocols, languages, tools):
  - Windows, Linux, Unix, Apache, Tomcat, Oracle 11g+, SAML 2.0, 802.1x
  - C#/.NET, Java/Objective-C, T-SQL (Microsoft SQL), Python, PHP
  - Web proxy tools: ZAP, Burp
  - BackTrack, Metasploit, Wireshark, etc. and manual testing: XSS, SQLi, OWASP, etc.
  - Static & dynamic code analyzers: HP Fortify, Checkmarx, etc.
- Experience on computer incident response teams as technical leader of forensic investigations.
- Strong interpersonal skills, demonstrated excellent technical writing skills and project/program management experience
- Operate at the highest level of integrity & confidentiality due to visibility to highly sensitive information
- Experience in the retail industry delivering security for ecommerce, stores, mobile devices, servers, workstations
- Ability to foresee obstacles and opportunities and interpret business impact. Actively challenge status-quo thinking and encourage others to find innovative methods to improve business performance and reduce risk appropriately
- Ability to build consensus and commitment among diverse teams and across functional and organizational boundaries
- Communicate information security actions to technical and non-technical staff from technician to executive leadership
- Ability to effectively manage complex, competing work demands by balancing analysis with the need to make decisions
- IT-related 4-year degree preferred. Certifications (e.g. CISSP, GCFA, CCFE, CIPP, EC-Council, GWAPT, CISM)
- Knowledge of security and control frameworks (e.g. ISO 2700x, COBIT, NIST, SSAE 16, PCI)