Barclays Group operates in geographies across the world and is fast becoming established as one of the world’s truly global retail and commercial banking operations with an employee base of over 100,000, growing rapidly.
Key accountabilities of this job holder will be:
Lead and own the design and delivery of security solutions and services for the Technology Office clients. Lead and manage virtual teams of security and technical specialists to ensure quality delivery of world-class security solutions into the business technology areas. Lead risk assessment exercises designed to highlight and clearly articulate IT security risk to the business in terms the business understands. Provide leadership and direction to the security consultant population. Drive and lead, where appropriate, a variety of IT security and related activities which together help ensure that the organisation's assets and IT systems are appropriately protected against unauthorised activity, including deliberate or accidental loss.
Lead the Design and Delivery of Security Solutions:
Determine which projects will require security engagement. Define explicit security deliverables for the project during early engagement. Define security requirements commensurate with the overall risk of the project. Design security solutions from the ground up and own the delivery of security solutions within projects. Lead the provision of detailed specifications for IT security solutions and support the development of security testing plans. Work as an integral member of the project/programme team(s) to ensure proper deployment of IT security solutions. Work with the business and project team(s) to ensure residual risks are mitigated to a degree that meets the risk appetite of the business. Work within virtual teams of specialists and Business Information Risk Managers to translate high-level business/functional requirements into robust IT security solutions and supporting business cases (particularly in support of strategic change programmes), negotiating pragmatic control implementations in line with business priorities, cost and risk appetite.
Risk Articulation and Governance:
Undertake and facilitate risk and vulnerability assessments/workshops covering the more complex design solutions during the various development phases, to ensure technical vulnerabilities are identified and correctly managed, proposing solutions as required. Guide project/programme managers in accurately assessing the likelihood and impact of technical vulnerabilities. Produce and manage technical risk and vulnerability reports in line with approved standards and processes. Own and drive closure of risks. Quantify IT security risk and translate it into language the business can understand. Ensure that Tech Office team members understand their responsibilities in the secure project lifecycle and vendor management processes, as well as in addressing BAU risks. Provide governance and follow-up where Tech Office activities are not appropriately undertaken.
Relationship Management:
Build an effective network of relationships with senior Barclays technology partners globally to establish the trust and credibility of the team. Understand the priorities of Tech Office contacts as well as the application landscapes and business processes they support. Work with technical and security specialists and the appropriate business teams to drive superior performance in developing and delivering world-class IT security solutions, and achieve high levels of satisfaction as a result. Ensure awareness of strategic IT security issues within the International business, escalating where necessary to business leaders and the Head of International Security Consultancy and Engineering Solutions so that these are brought to a satisfactory conclusion. Maintain an effective network of relationships with senior individuals in service and technology providers to ensure Barclays maintains a leading capability. Share and report management information (MI) to the relevant Tech Office members to ensure appropriate action is taken.
Provide technical advice, guidance, mentoring and support to the security consultants. Provide input to internal quality assurance processes covering the various deliverables. Encourage and solicit innovative ideas; motivate the team to reach challenging goals. Lead by example, inspiring commitment and a positive attitude in the team. Manage a virtual team and other resources on a project-by-project basis as required to ensure consistent and timely delivery. Ensure that Tech Office team members are trained in, and aware of, security requirements and controls.
Due Diligence Activities:
Lead due diligence activities in relation to third parties and partner organisations, including the identification of security controls and assessment of their effectiveness. Produce due diligence reports to be used in the creation of action plans that guide any remedial actions needed. Own the action tracker and ensure all security-related remedial actions are carried out in a timely manner. Lead the negotiation phases of contract development with third parties in identifying and agreeing security requirements. Create appropriate legal security schedules and specifications in support of the above.
Undertake assessments of the Tech Office's BAU environments and work with the Tech Offices on articulating risk and remediation plans.
Monitor internal processes and, with the wider team, act on improvements to quality, efficiency and productivity.
Supplier & Product Evaluation:
Lead, from an IT security perspective, the supplier assessment process used to ensure that a supplier's capability to support services to an agreed level/standard is accurately assessed and reported. Lead, from an IT security perspective, product evaluation activities to ensure products are fit for purpose and comply with minimum security requirements.
Strategic Initiatives:
Work with the Tech Offices and business partners on implementing strategic initiatives in a secure manner. Drive security as an enabler for the business area where possible.
General Advice & Guidance:
Provide technical advice and guidance on IT security related queries to both project and "BAU run" areas as and when required.
Support security incidents and investigations as required.
Reporting:
Provide regular MI to senior management throughout the regular reporting cycles.
Education and Experience Required:
Bachelor's degree in Information Security or equivalent. 10 years (technical/managerial) experience in technology.
Excellent understanding of security strategies and technologies including secure network design, e-Channels, remote computing, desktop and server hardening, secure web services, Compliance Auditing, Secure Software Development Lifecycles, Software Auditing, Penetration Testing, Security Monitoring, Access Controls (identification, authentication and authorization) and Encryption. Strong knowledge of information security frameworks and standards such as ISO17799/27001 and their application into diverse environments. Strong understanding of the security mechanisms associated with Windows or Unix operating systems, switched networks, web based applications and databases. Demonstrated ability to solve complex technical problems. Extensive experience creating innovative solutions and responding to information security incidents a strong plus. Able to explain security functionality from first principles. Competent to discuss the underlying technology with product developers. Understands core development methodologies and their associated technologies. Can describe major phases, activities, checkpoints and deliverables of the application development lifecycle. Understands the security controls/processes required to implement a robust secure application and can clearly articulate the risk associated with the failure of those controls/processes. Has detailed knowledge of the purpose of - and approaches to - security testing.
Can play a leadership role in formulating policies and best practices for security management. Can consult on policy guidance, interpretation and enforcement mechanisms. Knowledgeable of the full spectrum of application control techniques. Can describe all key IT security functions, major roles, responsibilities and their inter-dependencies. Has contributed to the creation of technology-related security best practices and processes. Evaluates enterprise-wide impacts and makes recommendations for the company. Demonstrates a leadership role in developing and implementing security standards. Can relate new technology to its potential for gaining a competitive advantage in business. Understands security operations from a people, process and technology perspective. Understands the role and importance of robust governance models. Understands routine IT security monitoring and administration tools. Understands performance measurements for IT security. Understands major internal support functions and services. Monitors marketplace trends and experiences on security, audit and control issues.
Knows what should be communicated, when and to whom. Experienced at implementing or managing risk management processes and tools. Actively seeks ways to understand, mitigate or reduce risks. Has a wide network within and outside the organisation. Shows integrity while addressing challenging situations.
Internal & External IT environment:
Can evaluate enterprise-wide impacts and make strong recommendations for the company. Can relate new technology to its potential for gaining a competitive advantage in business. Has proven experience in security architectural considerations for cross-functional, cross-platform applications. Follows the progress of new security technologies, surfacing those with business potential. Has played a lead role in the implementation of new security technologies.
Good awareness and understanding of Barclays' business unit responsibilities and structure. Ability to identify deficiencies in specific information security technical build guides and best practices within the global organisation, and to develop and drive cross-functional correction strategies.
Functional Analysis (Business):
Can describe the deliverables associated with requirements analysis and definition. Able to identify security requirements for business applications and data. Experienced in evaluating the design effectiveness of IT security controls.
Appreciation of risk mitigation by both technical and non-technical measures. Understands the importance of effective technical documentation in identifying and managing IT security risks.
Product & Vendor Evaluation:
Has led the development of security assessment processes and methodologies for major projects. Has led the development of methodology for independent security assessment (due diligence) practices. Has developed comparative analyses of all security products or vendors under consideration. Stays informed on security vendors and on specific product histories, trends and directions.
IT Architecture and Design:
Familiar with integration and implementation issues and their architectural implications. Active in defining architectural principles, design patterns and standards for IT security.
Can analyse and document specific business requirements. Can describe alternative problem-solving approaches and their optimal uses. Has been able to maintain a dialogue in difficult situations. Can identify customer satisfaction gaps through regular communication. Can participate in negotiations. Superior communication skills and the ability to interface with both technology and senior management. Ability to work effectively under pressure or with extremely tight timescales.