Senior Manager of Security Architecture and Operations, Information Security

Toronto, ON, Canada

Posted Wednesday, March 6, 2024 at 5:00 AM | Expires Sunday, April 7, 2024 at 3:59 AM

We are hiring a Senior Manager of Security Architecture and Operations in our Information Security department

The Role:

A strategic and integral member of the Information Security Team, reporting to the AVP, Information Security is responsible for ensuring the security, integrity, and availability of First National information assets. The candidate will contribute to the management and continuous improvement of multiple security programs. The position entails the development, implementation, and maintenance of the security controls, through people, processes, and technology, across the organization.

This role requires the following skills:

• Knowledgeable about architecture & design principles, network security, application security, vulnerability management, and incident management principles.
• Assess the threat landscape and work internally to protect the organization from risk.
• Must be highly technical and possess at least 10 years' experience in security operations and system design across on-premise infrastructure, cloud infrastructure, applications, and user endpoints infrastructure.
• Effective and dynamic communicator.

Reporting To:

Full-Time/Part- Time:

Full-time

Posting Date:

March 6, 2024

Closing Date:

April 6, 2024

Hours of Work:

8:30 a.m. – 5:00 p.m.

Grade:

Office Location:

17.4

Downtown Toronto

Great location Steps away from the main public transit station

What we offer:

Highly competitive compensation package which includes, base salary, bonus, benefits, and career advancement opportunities

*Eligibility for benefits is dependent on the terms of employment

What you will do:

• Maintain secure, resilient enterprise-grade processes in tandem with various IT stakeholders, such as, Information Security, IT Infrastructure and Operations, Application Development, etc.
• Maintain oversight of security systems and security configuration administration to adequately respond to risk to enterprise systems and accounts, both on-premise and the cloud.
• Actively monitor, assess, and recommend tactical and strategic initiatives based on new and emerging threats.
• Prepare periodic reports to Information Security and IT Leadership to showcase the current security posture of our Information Security Program
• Protect systems in compliance with Information security policies and standards such as ISO 27001 and SOC2.
• Manage a team of Information Security professionals across multiple programs.
• Influence internal and external partners to ensure they build solutions consistent with the organization's planned policies, programs, architectural recommendations, and Information Security standards, including within the cloud.
• Attend regular technical project and implementation meetings and serve as the security ambassador to help guide secure application and infrastructure configurations, for on-premise and cloud systems.
• Manage the day-to-day activities of threat and vulnerability management, recommend treatment plans, and communicate information about risks.
• Support in the documentation of risks and mitigating controls, including policy/procedure updates.

Security Operations and Incident Management Program

• Lead the implementation, configuration, and daily operation of Information Security technologies that are implemented in First National’s environments.
• Act as a key figure in incident response to track occurrence and resolution, with strict documentation and reporting as well as engagement within the department; and within the organization, from a technical standpoint.
• Orchestrate the incident response process within the department, and work with key stakeholders within the department to respond, resolve and recover from the incident.
• Manage third-party security partners, ensure objectives are met, and work in partnership to continuously improve security operations processes.
• Act as an active participant within Incident Tabletop exercises
• Streamline, mature and automate (where applicable), the Incident Response playbooks and processes within the organization.

Vulnerability Management Program

• Analyze threat and vulnerability feeds data for applicability to the environment and perform compensating controls analysis and validate efficacy of existing controls and provide recommendations.
• Lead the team to perform security research, analysis, assessments and support with penetration testing and remediation actions. This includes:
• The external and internal coordination of periodic penetration testing and remediation tracking
• Conduct application and network vulnerability assessments to evaluate attack vectors, identify vulnerabilities, and develop remediation plans.
• Work with IT stakeholders to guide and assist them during the remediation process.
• Develop and mature the Offensive Security Program that entails, web application penetration testing, red/purple teaming, etc.

Application Security Program

• Ensure coverage and remediate of secure code review with Application Development stakeholders (including SAST & DAST)
• Work with the Application Development leadership and delivery teams to integrate security controls within the development pipeline ensuring an efficient development process with early security control gates.
• Working with IT groups to define, develop, socialize, and execute long-term application security roadmap.
• Assisting in the evaluation, selection, onboarding, and management of AppSec vendors and tools.
• Perform periodic threat modelling and maintain the model for currency and tracking of any risk remediation activities.
• Assess information technology control elements to mitigate IT security risks regarding the confidentiality, integrity and availability of information and assets.

Audit and Compliance Management

• Support the Information Security Department to provide adequate evidence to support the audit and provide responses for remediations.
• Provide guidance and supervision on Information Security compliance to ensure Security controls are functioning appropriately within the organization.
• Advise on development and implementation of Information Security metrics, measurement criteria and reporting to ensure compliance and continuous improvement.
• Perform periodic compliance reporting to provide assurance of coverage and effectiveness of controls, such as, but not limited to
• Secure configuration audits to complement the on-going Infrastructure and Application Vulnerability Management program.
• Certificate scanning and work with the internal stakeholders to address any issues.
• Review and tracking of firewall rule base review.
• Configurations of Web Application Firewalls (WAF)

The Requirements Needed:

• A total of 10 years of experience, with a minimum of 7 years of prior information security management work experience in a medium or large size organization is required.
• 3+ years of experience with Microsoft Azure platform capabilities, best practices with architectures, and security toolsets.
• 3+ years Security System administration and engineering experience in on-premise and/or cloud infrastructure.
• 2+ years of SOC experience or responding to traditional or cloud based cyber security investigations.
• Candidates with certifications such as CISSP, CCSP, OSCP, GPEN, or CISM, are preferred.
• Experience with MS Sentinel, and Microsoft suite of security products, such as, but not limited to, Defender for Endpoint, Defender for Identity, Defender for cloud, etc.
• Experience in incident response and forensics a strong asset.
• Familiarity with the MITRE ATT&CK framework.
• Fundamental network security understanding.
• Track record of planning and executing complex work efforts.
• Strong interpersonal communication, analysis, and writing skills.
• Ability to align management and leadership strategies when working on projects.
• Ability to work effectively with business unit and IT department managers, including Application Development, Infrastructure, Operations, Network, Technical Support, and others.
• Superior verbal and written communication skills.
• Must be a team player.

The team you will join:

Founded in 1988, First National is one of Canada’s largest non-bank lenders. We provide residential mortgages exclusively through our mortgage broker channel and service commercial clients through our national origination team of empowered advisors.

At First National, It’s in our Nature is our rallying cry. It underlies our values, beliefs, and how we show up for each other, our clients, our partners and the community. Our nature defines who we are and guides every decision we make.

First National is proud to be an equal opportunity employer and is committed to diversity and inclusion regardless of race, color, religion, national origin, age, gender identity, physical or mental disability, sexual orientation or any other category protected by law.

First National supports requests for accommodation from applicants with disabilities; please contact Human Resources at accessibility@firstnational.ca .

We would like to thank all applications for their interest, but only candidates selected for an interview will be contacted.