Product Owner - Identity & Access Management

Job ID: 3015
Location: Stockley Park
Category: Technology
Salary: Competitive
Hours:
Closing date: October 3rd 2020, 11:55 PM

Job Description:

As Marks & Spencer continues to mature their information security program, we recognize the value of a formal information security architecture process as one of the key enablers of such a program. It is the planning process that provides the models, templates and principles that are used to design, implement, and operate cloud security solutions. It enables consistency, leverage, and reuse to satisfy the business requirements for security services in an optimum manner.

M&S is currently embarking on a transformation of its existing Human Resources Service, and the Identity and Access Management Product Owner is a critical component of the Information Security Operating Model. The role demands business insight; technical acuity; and the ability to think, communicate and write at various levels of abstraction.

Key accountabilities and measures

The Identity and Access Management Product Owner will be responsible for the following activities and functions:

  • Develop and maintain an identity and access management process that enables the enterprise to develop and implement security solutions and capabilities that are clearly aligned with business, technology, and threat drivers
  • Develop and maintain a process that enables the enterprise to develop and implement security solutions and capabilities that are clearly aligned with business, technology and threat drivers
  • Develop security strategy plans and roadmaps based on sound enterprise architecture practices to support identity and access management as a product.
  • Develop and maintain security architecture artifacts (e.g., models, templates, standards and procedures) that can be used to leverage security capabilities in projects and operations
  • Track developments and changes in the digital business and threat environments to ensure that they're adequately addressed in security strategy plans and architecture artifacts
  • Participate in application and infrastructure projects to provide security-planning advice
  • Draft security procedures and standards to be reviewed and approved by executive management and/or formally authorized by the CISO
  • Determine baseline security configuration standards for operating systems (e.g., OS hardening), network segmentation, and identity and access management (IAM)
  • Develop standards and practices for Identity and Access Management
  • Validate Identity and Access Management reference architectures for security best practices and recommend changes to enhance security and reduce risks, where applicable
  • Liaise with the vendor management (VM) team to conduct security assessments of existing and prospective Identity and Access Management vendors, especially those with which the organization shares intellectual property (IP), as well as regulated or other protected data:
      • Software as a service (SaaS) providers
      • Cloud/infrastructure as a service (IaaS) providers
      • Managed service providers (MSPs)
      • Payroll providers
  • Evaluate the statements of work (SOWs) for these providers to ensure that adequate security protections are in place. Assess the providers' audit reports (or alternative sources) for security-related deficiencies and required "user controls" and report any findings to the CISO and vendor management teams
  • Liaise with the internal audit (IA) team to review and evaluate the design and operational effectiveness of security-related controls for Identity and Access Management
  • Support the testing and validation of internal security controls, as directed by the CISO or the internal audit team
  • Review security technologies, tools and services, and make recommendations to the broader security team for their use, based on security, financial and operational metrics that support the Identity and Access Management capability.
  • Liaise with other security architects and security practitioners to share best practices and insights
  • Liaise with the business continuity management (BCM) team to validate security practices for BCM testing and operations when a failover occurs


  • Minimum requirement: Bachelor's degree in computer science, information systems, cybersecurity, or a related field.

Security and Technical Experience

The Identity and Access Management product owner should have direct, documented, and verifiable experience with the following:

  • Experience in using architecture methodologies such as SABSA, Zachman and/or TOGAF
  • Direct, hands-on experience or strong working knowledge of managing security infrastructure — e.g., firewalls, intrusion prevention systems (IPSs), web application firewalls (WAFs), endpoint protection, SIEM and log management technology

Direct experience designing IAM technologies and services:

  • Active Directory
  • Courion Core Security
  • Quest ARS
  • Lightweight Directory Access Protocol (LDAP)
  • Amazon Web Service (AWS) IAM

Strong working knowledge of IT service management (e.g., ITIL-related disciplines):

  • Access Management
  • Change management
  • Configuration management
  • Asset management
  • Incident management
  • Problem management

Required Certifications

The product owner will evidence his/her knowledge of security and risk management through ongoing continuing professional education. The ideal candidate will maintain one or more of the following certifications.

  • ISC2's CISSP
  • The Open Group's TOGAF