Principal Security Engineer

Title: Principal Security Engineer

Location: NYC, NY

Compensation: Full-time Salary + Full Suite of Excellent Benefits
($150,000 – $190,000)

The Principal Security Engineer position will work as a part of
the Security organization, reporting to the Director of
Information Security and Compliance but will work closely with
the CISO and the VP of Technology Operations to proactively
identify and resolve security risks and issues. Assesses
information risk and facilitates remediation of identified
vulnerabilities within network, systems, and applications.
Reports on findings and recommendations for corrective action.
Performs vulnerability assessments as assigned utilizing IT
security tools and methodologies. Performs assessments of the IT
security/risk posture within the IT network, systems, and
software applications and assessments within the Vendor
Management Program. Identifies opportunities to reduce risk and
documents remediation options regarding acceptance or mitigation
of risk scenarios. Facilitates and monitors the performance of
risk remediation tasks, changes related to risk mitigation &
reports on findings. Maintains oversight of IT and vendors
regarding the security maintenance of their systems and
applications. Provides weekly project status reports, including
outstanding issues. The Principal Security Engineer assists in
all IT audits, risk assessments, and regulatory compliance.

RESPONSIBILITIES

§ The Principal Security Engineer will be our technical SME
within the Security domain responsible for defining, designing,
and implementing the enterprise cybersecurity roadmap including
associated technology and procedural controls.

§ Analyze, design, and recommend security controls and procedures
throughout the development and change management lifecycle of
enterprise applications/integrations, and provide
oversight/governance to ensure compliance. Lead and assist in
security risk assessments for systems and applications.

§ Work closely with the SOC in reviewing and developing playbooks
and serve as Level 3 escalation for SOC incidents. Will work
closely with team members to effectively enhance, implement, and
configure scalable security technologies, and enhance detection
and response capabilities.

§ Investigate security breaches and lead incident response,
including taking steps to minimize the impact and then conducting
a technical and forensic investigation into how the breach
happened and the extent of the damage.

§ Develop/validate/continually improve controls around CIS
benchmarks, conduct CIS assessments, recommend/develop
remediation plans/actions and drive overall governance around
consistent adherence and compliance with CIS/NIST cybersecurity
frameworks.

§ Develop policies, procedures, and standards that meet existing
and newly developed policy and regulatory requirements, including
SOX, PCI, GDPR, COPPA and other privacy/compliance regulations.
Address questions from internal and external audits and
examinations as needed.

§ Analyze trends, news and changes in threat and compliance
environment with respect to organizational risk; advise
organization management and develop and execute plans for
compliance and mitigation of risk; oversee risk and compliance
self-assessments and engage/coordinate third-party risk and
compliance assessments.

§ Serve as the principal lead within IT security projects and
provide advice on project costs, design concepts, or design
changes

§ Conducts a Cyber Security Incident response plan tabletop
exercise no less than annually

§ Assesses information risk and facilitates remediation of
identified vulnerabilities

§ Performs vulnerability assessments as assigned utilizing IT
security tools and methodologies.

§ Identifies opportunities to reduce risk and documents
remediation options regarding acceptance or mitigation of risk
scenarios

§ Oversee the development and administration of information
security training and awareness programs.

§ Very deep understanding of OWASP, CWE 25, Data Protection,
Access management software vulnerabilities and best practices,
with design and threat modeling skills and the ability to work in
a dynamic environment.

§ Build tools and automation scripts that enable developers to
easily consume security services delivered by the Security
Engineering and Automation team.

QUALIFICATIONS

§ A bachelor’s degree in information systems, engineering, or
equivalent work experience

§ Candidates with the following certifications are preferred:
ISC2, SANS, ISACA, or other recognized security professional
credentialing organizations

§ Minimum 10+ years of experience in designing and implementing
security solutions, including IAM, EDR, MDM, SIEM, KMS, and PAM

§ 7-10 years of experience in security roles with increasing
responsibility

§ 5-8 years of experience in an enterprise technology
environment, ideally with experience across a variety of
functions: operations, networking, systems, and infrastructure
architecture, or other as applicable

§ 3-5 years of experience in a Security Operations Center or
Continuous Monitoring role

§ 3-5 years working and supporting Incident Response functions

§ 2-3 years of experience in Web Application Security, SSDLC and
Threat Modelling, with an MS/BS degree in Information System
management / Computer Science / Information Security or a related
technical discipline, and at least 2 years of Software
Development experience

§ Hands-on experience with Software Development in Java / C# /
C++, JavaScript and HTML

§ Strong “Hands On” infrastructure security skills, including
IDS/IPS, firewall, SIEM, server, and OS hardening, malware
detection, physical security, transport and at-rest encryption on
file systems, DB, and other data persistence mechanisms

§ Experience in managing application security testing tools like
SAST, DAST and Open Source Vulnerability Scanning

§ MUST have deep understanding of OWASP Top 10 and CWE 25; with
proven track record and experience in implementing and
integrating remediation strategies.

§ Experience implementing SOX, PCI, NIST CSF, CIS / SANS Critical
Controls is a must

§ Excellent written and verbal communication skills — including
the ability to effectively communicate security- and risk-related
concepts to technical and non-technical audiences — and strong
interpersonal and collaborative skills

§ Able to work independently and be a self-starter, managing
multiple tasks according to priorities; results-oriented, with a
proven ability to meet deadlines

§ Ability to operate with minimal supervision; a self-starter
who can identify and fix problems without being told to resolve
an issue

§ Knowledge of tactics, techniques, and procedures that are
leveraged to perform recon, which can be used to gain
persistence, move laterally, or exfiltrate data

§ In-depth knowledge and understanding of information risk
concepts and principles as a means of relating business needs to
security controls, excellent understanding of information
security concepts, protocols, industry best practices, and
strategies

§ Ability to work in a highly fast-paced environment with high
expectations
