Product/Platform Security Lead – ITD
Work for the IMF. Work for the World.
Under the general supervision of the Chief Information Security Officer, this role will develop, mature, and drive Product/Platform Security.
The role will support efforts to conceptualize and develop security solutions that address security challenges, working with ITD stakeholders, cybersecurity solution providers, cybersecurity governance, risk and compliance teams, and other stakeholders.
Major Duties and Responsibilities
1. Establish, execute, and manage a formal vulnerability management (infrastructure, application, database) and penetration testing program.
2. Establish software security design standards – building in security best practices at the beginning of the software development life cycle.
Provide web and cloud security guidelines and solutions on authentication, authorization, session management, data protection (encryption)/key management, etc.
3. Assist the cybersecurity Governance Risk & Compliance team in the review and update of cyber security policies, standards, and security baselines.
4. Work with IT and internal and external business partners to ensure that security is factored into the evaluation, selection, installation and configuration process of products and platforms, including applications, mobile systems, databases, and infrastructure, whether on-premises or in the cloud. Partner with our development and operations teams (and business stakeholders) to set the course for secure development practices for existing and future products and platforms.
5. Drive threat modeling for products and platforms.
6. Collaborate with engineering teams to enable preventive solutions to solve product and platform security issues at their core.
7. Analyze and make recommendations to improve network, system, and application security architectures.
8. Build and leverage effective relationships across ITD, as well as with external teams in various lines of business, ensuring clear lines of communication and a comprehensive approach to cyber topics.
- Advanced degree in information security, computer science, engineering, mathematics, or related field of study plus a minimum of 8 years of progressive and related information security work experience, or
- Bachelor’s degree in information security, computer science, engineering, mathematics, or related field of study and minimum 14 years of progressive and related information security work experience
- Candidate must possess at least 2 of the certifications below. Having more than 2 is a plus: CISSP, CISM, CCSP, CISA, CEH, AWS Security Certification, GIAC certifications or equivalent.
- Pragmatic security specialist with an inherent ability to balance security demands with business reality.
- Spoken and written communications that are compelling, convincing, and reassuring, and skills to articulate complex technical ideas to non-technical stakeholders.
- Experience with assessment of a comprehensive and broad set of security technologies and processes, secure software development (Application Security), data protection, cryptography, key management, identity and access management, cloud API integration, network security, logging and monitoring within SaaS, IaaS, PaaS, and other cloud environments.
- Experience working with cybersecurity capabilities within cloud infrastructure and services such as Amazon Web Services (AWS), Microsoft Azure, and/or Google Cloud Platform.
- An understanding of web service frameworks, mobile application architectures, and service architectures (such as event-driven, service-oriented, or serverless architectures)
- Experience with Docker and micro-services architecture.
- Technical skills and experience in cybersecurity engineering to contribute to and refine our cybersecurity engineering roadmap.
- Strong understanding of application security leading practices including OWASP and CWE.
- Extensive experience in secure code reviews, business logic assessment, and application security testing.
- Experience with physical, infrastructure, or hardware security
- Knowledge of/experience with infrastructure, application, and security automation.
- Working experience with application security tools such as Burp Suite Pro, SAST, DAST, Nmap, Metasploit, Kali Linux, Fortify, AppScan, Veracode, WhiteHat, etc., is also preferred.
- Experience working with Agile development/Scrum methodologies, and incorporation of security requirements into SDLC (CI/CD) with product owners/managers.
ITDAI SG Information Technology Department Immediate Office Information Security Group
The IMF is committed to achieving a diverse staff, including gender, nationality, culture, and educational background.
The IMF works to foster global monetary cooperation, secure financial stability, facilitate international trade, promote high employment and sustainable economic growth, and reduce poverty. Our work on the macroeconomic benefits of challenges such as empowering women, modernizing the global trading system, wage inequity, and climate change, provides new ideas to safeguard the stability of the international monetary and financial system and addresses the world’s most pressing macroeconomic and financial issues. Our 2,800 dedicated employees are leaders in their fields and collaborate to address the needs of our members and make a meaningful, positive difference to lives across the globe.
- Office IMF Washington