Security & Compliance Engineer

Introduction

Working in IBM Cloud gives you the platform to learn, develop and utilize your skills everyday by working on the latest cloud related technology products and services. You'll be working in an environment where we understand how we can thrive best when we play to our strengths. That's why developing our people is key to our success, the door is always open for those ready to advance their career. Curiosity and courageous thinking are both vital when working in IBM Cloud, as we continue our dedication in guaranteeing that we are at the forefront of cloud technology. Our renowned legacy means we are leading the way in everything from analytics and security through to unmatched hardware & software designs. We provide our clients with the full end-to-end transformation as we build IBM's next generation cloud platform which is focused around delivering performance and predictability at a global scale. IBM's product and technology landscape includes Research, Software, and Infrastructure. Entering this domain positions you at the heart of IBM, where growth and innovation thrive

Your role and responsibilities

• Developing, implementing, maintaining, and overseeing enforcement of security policies.
• Providing subject matter expertise in the creation, implementation, and maintenance of appropriate enterprise programs, policies, and procedures to be compliant with all applicable regulations including ISO, SOC, HIPAA, PCI, FedRAMP/FISMA
• Having the ability to utilize working knowledge of information security best practices such as: NIST 800 series, ISO 27000 series, GDPR, etc
• Interpreting standards, requirements, and their application to the enterprise Cloud environment in the most reasonable and cost-effective manner.
• Collaborating with security architects and technical security teams to define and implement security processes and procedures based on industry-standard best practices and compliance requirements. Defining the requirements and validating the procedures and audit testing methodology
• Conducting regularly scheduled audits on systems and hosting third-party audits as required in order to maintain certifications and compliance certificates.
• Working with the DevOps teams to prepare ongoing client reporting, information for prospective clients, and marketing materials
• Providing training to teams as needed
• Assisting team members and internal clients in addressing highly complex security issues applicable to enterprise environment

Required education
Bachelor's Degree

Preferred education
Master's Degree

Required technical and professional expertise

• Minimum of8+years of relevant compliance experience and cybersecurity knowledge.
• Experience with container based architectures and implementations such as kubernetes, docker, etc.
• Programming experience in Python/Automation.
• Knowledge of multi-cloud environments (AWS, Azure, GCP) and their security models.
• Understanding of cloud-native security architecture (Zero Trust, least privilege).
• Experience with Infrastructure as Code (IaC) security (Terraform, CloudFormation).
• Familiarity with security scanning tools (Qualys, Nessus, Tenable).
• Experience with compliance automation tools.
• Experience with container security (Twistlock, Prisma Cloud).
• Familiarity with GitOps security practices.
• Experience with continuous compliance monitoring automation and reporting.
• Experience conducting security risk assessments and threat modelling.
• Ability to utilize working knowledge of information security best practices such as: NIST 800 series, ISO 27000 series, GDPR, etc.
• Experience with compliance programs such as FFIEC or FedRAMP/ FISMA, HIPAA, GDPR, SOC 2, or PCI.
• Experience in risk assessment processes, policy development, proposals, work statements, product evaluations, and delivery of technology.
• Ability to understand enterprise business computing operations/requirements, and in particular, Cloud.
• Ability to understand and interpret laws and regulatory requirements related to information protection, and develop and implement appropriate processes to achieve and maintain compliance and reduce risk.
  
  Communication & Collaboration:
• Ability to translate technical security concepts to non-technical audiences.
• Experience presenting to executive leadership and audit committees.
• Strong written communication for policies, procedures, and reports.
• Cross-functional collaboration with engineering, legal, and business teams.

Preferred technical and professional experience

• Working in a change-controlled production environment.
• Diagnosing the root cause of problems and propose solutions: Examples would be failed patches, tooling issues, false positives on system tests, authentication problems.
• Expertise in system configuration, especially privilege control (for example sudoer configuration), and system level firewall (iptables)
• An understanding of basic networking concepts: ipsec tunnels, firewalls, routers, public and private addressing.
• Project Management knowledge and experience a strong plus.
• Experience with operations of data centers or Cloud, and networking security including security systems such as firewalls, intrusion detection, vulnerability scanning, OS patching, healthchecking.

Years of Experience:
8-16