Job: Cyber Security Assurance Manager, Warszawa, mazowieckie

JTI Polska profile

We are a leading international tobacco company, originating from the Japan Tobacco Group. We operate in 130 countries worldwide, employ more than 45 thousand people, and our portfolio includes some of the best-known brands, including Camel, LD, Winston and Logic, which are available on the Polish market.

In Poland we employ almost 3 thousand people and are the number-three player in the tobacco industry. Entering the Polish market in 2007, we decided that we would always put our employees first. We build a culture based on cooperation, which gives our teams an exceptional atmosphere. Broad scopes of responsibility provide the opportunity to gain new knowledge and skills, which translates into excellent quality of work and rapid development of our company. We also apply best practices in talent development, onboarding of new hires, and training opportunities.

Our efforts to be the best employer for our employees are recognized every year by the Top Employers Institute. The best proof of this is the Top Employer certificate, awarded to us continuously since 2010, not only in Poland but also in Europe (1st place in the ranking in 2021) and worldwide.

Company: JTI Polska | Cyber Security Assurance Manager

Location: Warszawa, mazowieckie

Job description

What this position is about - Purpose:

This position exists to ensure compliance with corporate JTI security standards and industry best practices, and to manage continuous assurance programs covering the infrastructure (systems and networks), applications and security solutions currently used in JTI.
The objectives of this position are to manage an ongoing, continuous process of proactive technical security assessments that deliver results, meet information security goals and comply with internal corporate standards and (global/local) external regulatory requirements. Additionally, this position needs to automate the security validation process so that it is more convenient and provides descriptive details on how to rectify/fix security gaps found during the process.
The position requires knowledge of or expertise in the following: evaluation of the effectiveness of internal controls, implementation of breach and attack simulation solution(s), definition / integration of defense tactics in offensive strategies, and provision of security metrics regarding offensive/defensive activities.
Desirable:
- Knowledge of OT security considerations, including ICS and safety systems.

What will you do - Responsibilities: 

  • Continuous Assurance verification using DevOps automated testing tools. Definition of an operating model and analysis of further solutions to automate runtime protection (RASP) in continuous integration environments (GitLab, Azure DevOps, GitHub, etc.) used by different teams in JTI.
  • Continuous Assurance verification in containerized environments in which Docker/Kubernetes are used. Continuous definition/review of policies/settings to perform continuous workload protection, continuous Kubernetes protection and continuous containers/microservices protection.
  • Continuous Web and mobile-based application Security Assurance. Define the methodology and criteria to assess the security of constantly changing, business-critical web-based/mobile-based applications. Analysis of tools to provide continuous assurance (threat management, verification of the effectiveness of the applied application hardening measures, etc.).
  • Continuous Network Security Assurance. Definition of a plan covering what to test, how, and which environments are to be tested.
  • Continuous Third-party Security assurance. Define a framework and procedures for continuous third-party assurance, and analyse/define/implement automation tools to support security assessments where possible, such as third-party technical security assessments based on projects, services provided, and IT products delivered.
  • Periodic checks or technical audits of security solutions (ASM / APM WAF rules, TM Security Workload protection rules, TME email protection rules, WD for endpoints/ for identity rules/policies, etc.).
  • Continuous assurance checks to verify that security design, architecture and requirements are in place before production implementations take place.
  • IoT security Continuous assurance evaluation. Evaluating IoT device connectivity, potential losses, and threats yields an objective set of priorities for a development team to tackle.
  • Perform multi-vector simulations and security diagnostics (both on-demand attack simulations and targeted attack simulations) based on critical assets and security solutions in JTI, automating the process with solutions that report on overall security posture so that action(s) can be taken accordingly.
  • Development of short and long-term strategic security technology roadmaps which support our enterprise technology roadmaps and key business objectives.

Requirements

  • University degree in Computer Engineering, Information Systems, or related field or relevant experience.
  • 5 years of Pen Testing / Application, Network, System Security Assessment, Ethical Hacking, Vulnerability Management.
  • Experience in cyber security assessments of an international corporation in a multicultural environment.
  • Preferably manages their own blog, is active as a security evangelist, or publishes discovered vulnerabilities.
  • Analytical, organized and efficient team player.
  • Knowledge of Security Management standards such as OWASP, NIST, ISO, Cloud Alliance, PCI DSS.
  • Expertise in the following: evaluation of the effectiveness of internal controls, breach and attack simulation solution implementation, integration of defense tactics in offensive strategies, security metrics regarding offensive/defensive activities.
  • Fluent English, written and spoken.
  • Excellent team leadership, analytical and communication skills.

Additional information

Thank you very much for your interest in the role. You are welcome to apply.
We will make sure every candidate receives a reply within 2 weeks after the application deadline.
