Cloud Security Architect
As Marks & Spencer continues to mature the information security program, we recognize the value of a formal information security architecture process as one of the key enablers of such a program. It is the planning process that provides the models, templates and principles that are used to design, implement, and operate cloud security solutions. It enables consistency, leverage, and reuse to satisfy the business requirements for security services in an optimum manner.
Since the core hosting philosophy of Marks & Spencer places cloud products at the forefront of its technology business, the role of the Cloud Security Architect is a critical component of the Security Architecture Operating Model. The role demands business insight, technical acuity, and the ability to think, communicate and write at various levels of abstraction.
- Develop and maintain a cloud security architecture process that enables the enterprise to develop and implement security solutions and capabilities that are clearly aligned with business, technology, and threat drivers
- Develop cloud security strategy plans and roadmaps based on sound enterprise architecture practices
- Develop and maintain cloud security architecture artifacts (e.g., models, templates, standards, and procedures) that can be used to leverage security capabilities in projects and operations
- Track developments and changes in the digital business and threat environments to ensure that they are adequately addressed in security strategy plans and architecture artifacts
- Participate in application and cloud infrastructure projects to provide security-planning advice
- Contribute to security procedures and standards to be reviewed and approved by executive management and/or formally authorized by the CISO
- Determine baseline cloud security configuration standards for operating systems (e.g., OS hardening), network segmentation, and identity and access management (IAM)
- Conduct or facilitate threat modeling of services and applications that ties to the risk and data associated with the service or application
- Coordinate with DevOps teams to advocate secure coding practices, and to escalate concerns related to poor coding practices to the CISO
- Coordinate with the Data Privacy Office to document data flows of sensitive information in the organization (e.g., PII or ePHI) and recommend controls to ensure that this data is adequately secured (e.g., encryption and tokenization) within the cloud ecosystem
- Liaise with the vendor management (VM) team to conduct security assessments of existing and prospective vendors, especially those with which the organization shares intellectual property (IP), as well as regulated or other protected data:
  - Software as a service (SaaS) providers
  - Cloud/infrastructure as a service (IaaS) providers
  - Evaluate the statements of work (SOWs) for these providers to ensure that adequate security protections are in place
- Liaise with the internal audit (IA) team to review and evaluate the design and operational effectiveness of cloud security-related controls
- Support the testing and validation of internal security controls, as directed by the CISO or the internal audit team
- Review security technologies, tools and services, and make recommendations to the broader security team for their use, based on security, financial and operational metrics
- Liaise with other security architects and security practitioners to share best practices and insights
- Liaise with the business continuity management (BCM) team to validate security practices for BCM testing and operations when a failover occurs
- Works closely with enterprise architects, other functional area architects and security specialists to ensure adequate security solutions are in place throughout all IT cloud systems and platforms to mitigate identified risks sufficiently, and to meet business objectives and regulatory requirements.
- Develops the business, information and technical artifacts that constitute the cloud information security architecture and solutions.
- Serves as a security expert in application development, database design, network and/or platform (operating system) efforts, helping project teams comply with enterprise and IT security policies, industry regulations, and best practices.
- Contributes to the alignment of cloud security governance with the overall information security governance and project and portfolio management (PPM), acting as the Security Subject Matter Expert within the formal Enterprise Architecture structure, specifically through active participation in the Cloud Security Architecture Forum.
- Researches, designs and advocates new cloud technologies, architectures, and security products that will support security requirements for the enterprise and its customers, business partners and vendors.
- Contributes to the development and maintenance of the overall information security strategy within the cloud technology space.
- Evaluates and develops secure solutions, based on approved cloud security architectures. Analyzes business impact and exposure, based on emerging security threats, vulnerabilities and risks.
- Communicates security risks and solutions to the Information Security Risk function and Business Information Security Officers.
- Very strong IT and security work experience, with broad exposure to infrastructure/network and multiplatform environments.
- Expert knowledge of security issues, techniques, and implications across all existing computer platforms.
- Experience in using an enterprise architecture methodology (for example, Zachman, TOGAF and Gartner frameworks).
- Knowledge of a security-specific architecture methodology (for example, SABSA).
- Proven ability in security process and organizational design.
This is an expert/lead technical role. It defines the information security architecture and design for the enterprise. This person works on multiple projects as a project leader or as the subject matter expert, and the role is involved in projects or issues of high complexity that require in-depth knowledge across multiple technical areas and business segments. Coaching and mentoring of more-junior technical staff will be required.