Manager of Application Security Assessors
Chicago Mercantile Exchange
Chicago, IL, United States
CME Group: Where Futures Are Made
CME Group (www.cmegroup.com) is the world’s leading and most diverse derivatives marketplace. But who we are goes deeper than that. Here, you can impact markets worldwide. Transform industries. And build a career shaping tomorrow. We invest in your success and you own it – all while working alongside a team of leading experts who inspire you in ways big and small. Joining our company gives you the opportunity to make a difference in global financial markets every day – whether you work on our industry-leading technology and risk management services, our benchmark products or in a corporate services area that helps us serve our customers better. With 2,500 employees located around the world, we’re small enough for you and your contributions to be known. But big enough for your ideas to make an impact. The pace is dynamic, the work is unlike any other firm in the business, and the possibilities are endless. Problem solvers, difference makers, trailblazers. Those are our people. And we’re looking for more.
The Manager of Application Security Assessors will lead and manage all functions of the Application Security Assessor Team and report directly to the Director of GIS Application Security Architecture. The manager will oversee a team of 5+ employees and is responsible for overseeing all application security assessment work. The role is accountable for operating the application security assessment program and acts as a business liaison with other business units of CME, and helps facilitate demand management as well as consulting services for the application development teams.
The manager will be a hands-on manager, requiring a high level of technical expertise, including the ability to perform blackbox / greybox / whitebox security assessments and provide application design support and guidance, in the form of consultation. In addition, the manager will be responsible for mentoring and career planning for all direct reports.
The manager is expected to drive change across the organization, and support the evolution of the organization to a Secure Development Operations (Sec/Dev/Ops) model. In addition, the manager will help to provide consulting services to application development teams, both directly and through their staff. The manager and their team will also assist in the preparation of security requirements, design documents, reference architectures, and technical standards.
The candidate will be considered a subject matter expert in SDLC and secure application architecture, who provides internal consulting and mentorship to the team being led, and acts as a security advocate to the broader organization.
As a member of the Security Architecture leadership team, the Manager of Application Security Assessors is accountable for ensuring their staff is aligning with the larger organization’s goals and strategy, while also acting as a consultative enabler. The manager shall also coordinate information security assessment activities with other departments.
As a key member of the Global Information Security Team (GIS), the incumbent is expected to remain engaged with and support other leaders across GIS and Technology to ensure the timely delivery of security and business solutions.
Principal Accountabilities
• Managing 5+ people, working in conjunction with GIS and peers in technology
• Advisory: This role will actively interface with application development teams, providing guidance and direction on proper secure coding practices, security training, and application design quality.
• Providing consulting services at critical points in the SDLC.
• Combine knowledge of business environment with the architecture of secure solutions.
• Bridge the current secure technical capabilities with the business strategy of the organization.
• Operational management: This role will help forecast demand for application assessors by meeting with CME business units to better understand their needs. This role will also help determine necessary resource levels to support assessment work.
• Participate in security architecture reviews.
• Produce documentation (reports) and present findings of manual security assessments.
• Financial: This role will make staffing and purchase recommendations for the application security assessments.
• Operational: This role will be responsible for prioritizing all assessment activities and ensure the quality and timeliness of assessments.
• Drive objectivity and build consensus among internal and external stakeholders with widely divergent perspectives and drivers.
• Lead application security assessments and assist in planning the remediation of assessment, audit, and regulatory findings.
• Evaluate possible implementation of new technology, consistent with the goal of improving existing security posture and in meeting the needs of the business.
• Governance: Participate in and contribute to key working groups across the enterprise, including but not limited to: Architecture Review Board and/or change advisory boards. Prepare reports for senior management including presentations, metrics, and other documentation required to support governance functions.
• Assist Enterprise Architecture in defining high level security requirements.
• Develop Security Standards and Reference Architectures to ensure adequate security controls throughout CME Group's systems and technologies.
• Continuous improvement and maturation of the methods, instrumentation, training, documentation, and processes required to properly assess and govern application architecture and software development lifecycle.
• Research, collect and disseminate information on emerging security technologies and key learning throughout the organization.
• Create meaningful metrics on assessments that have been performed and be able to speak to them.
• Participate in the development and management of a technical security road-map
• Leadership: Mentor, advise, knowledge-share and train others on tools and processes that you use as a subject matter expert.
Day-to-day
• Management of the assessment queue and all application assessment work
• Perform application assessments including, but not limited to: blackbox / greybox / whitebox security assessments
• Provide consultation on secure coding and design
• Communicate the security vision to business partners and IT staff
• Actively participate in Communities of Practice to ensure effective adoption and continuous improvement of security efforts
• Act as an advocate for security and lead efforts to promote security awareness at all levels of the organization
• Act as primary contact and respond to questions or actions related to application assessments and software security audits
• Ensure that all risk considerations are identified and addressed with new and modified software
• Monitor and enhance secure coding standards within the Software Development Lifecycle
• Support larger projects while leading and managing internal projects
This role will influence and collaborate regularly with various peers via steering committees, standards and policy governance teams, and other group settings that formulate CME Group security policies, standards, and reference architectures. This role will support the formation of policies, standards, reference architectures, processes and procedures as they relate to application architecture at CME Group.
Education:
A Bachelor's or Master's degree in Computer Science, Information Systems or other related field; or equivalent work experience.
Experience
• 5+ years of experience at manager level in publicly traded companies or finance/technology industry operations.
• Experience with or deep exposure to the financial industry, focused on clearing or trading
• Demonstrable knowledge of a broad range of Information Security technologies and practices
• Demonstrable, impeccable writing skills for technical, management, and executive audiences
• Demonstrable communication capabilities including oral presentation and ability to present in front of senior leadership
• Demonstrable experience coordinating multiple concurrent issues, in high-pressure situations
• 10+ years of application security analysis, design and application development OR demonstrated ability to meet job requirements through a comparable number of years of technical work experience
• Advanced knowledge of blackbox/greybox/whitebox security assessments and application pen testing
• 5+ years performing manual reviews of application source code for security vulnerabilities written in various languages including: Java, .Net (C#, VB#), C++, *
• Expert in application security testing tools including: Burpsuite, sqlmap, nmap
• Experience with application reverse engineering and using tools such as: Java decompilers, .Net decompilers, IDAPro, etc.
• Experience with scripting languages such as: Python, bash, Powershell, etc.
• Experience with the Build Security In Maturity Model (BSIMM) methodology and assessment process
• High understanding of the application development process, including specification, documentation and quality assurance
• High degree of understanding of the theories, methodologies and principles underlying secure technical analysis, design and implementation of software applications, systems, and databases
• SSCP or other industry certifications are desirable. PMP is a plus
• Relevant experience designing, implementing, and supporting large scale solutions
Certifications
• Preferred: one or more certifications, including: CISSP, CISA, GIAC, GSEC, EnCE, GWAPT, OSCP/OSWE