Type: Permanent employment
Location: Amsterdam
Education: Associate degree (EQF 5), Bachelor (EQF 6)
Published: 08/10/2021
Status: Open
Apply before: 22/12/2021
Hours p/wk: 40

Description:

Security Engineer – ING Neo is responsible for the design, implementation, support and risk management of ING Neo’s initiatives and infrastructure in alignment with ING's global IT Security and Risk minimum standards and policies.

ING's security mission is to make banking more trusted by delivering Integrated information security that creates an environment that is Secure, Agile and Responsible, in order to safeguard our customers' identity and assets by actively preventing, detecting and responding to threats.

  • Integrated - Ensuring IT Security is baked into IT and business processes, focussing on the entire stack, and looking for innovative solutions;

  • Secure - Information is protected, trustworthy and available across its lifecycle;

  • Agile - Efficient, mature services responding to changing business needs, IT and threat landscape environment; and

  • Responsible - Respecting employee and customer rights by embracing laws and regulatory requirements, and complying with ING policies

Together with the Head of IT Security, the Security Engineer leads the IT Security and IT teams, and is responsible for providing leadership and direction for the ING Neo organisation and initiatives in securing its information assets. This is accomplished by providing advice and security services, assisting the business and IT in managing IT Risk and maintaining compliance with information security policies, and by developing solutions to mitigate business-specific exposures.

 

The Security Engineer works in close cooperation with ING's Global CISO to ensure regional alignment to global strategies and that regional requirements are addressed in global solutions.

Major responsibility areas and measures of success

30%

Support the business

  • Provide leadership and direction for the organisation in securing its information assets

  • Oversee and steer the ING Neo IT organisation to ensure compliance with relevant local and regional regulation and ING policies & minimum standards and where applicable to ING Neo innovation strategy.

  • Act as a lead on the review and challenge, governance and policy in relation to Cybercrime Resilience, Secure Software Engineering practice and Security Operations

  • Provide security advice, expertise and consultancy at all levels of the business and initiatives

  • Ensure compliance with ING Global technology, security and architecture standards where appropriate to the ING Neo environment and its initiatives.

  • Build and maintain an ongoing relationship with key Business, Risk, IT and CISO's Office stakeholders, be able to be innovative and challenge policy for ING Neo while keeping the bank and its initiatives safe, secure and compliant

  • Ensure there is two-way dialogue and alignment between IT and BCO and second line risk teams on emerging threats and appropriate responses to these

  • Oversee the security due diligence process on IT and information security issues for all new service providers / business partners

  • Build security culture in line with Orange Code and establish a programme of staff development to secure required skills and experience to support bank strategy.

  • Approved IT Security Roadmap

  • Up to date Risk workbooks in place for CIO functions

  • IT Risk managed to within Risk Appetite

  • Security addressed in business solutions

  • Alignment to global CISO roadmap

  • Close and seamless working relationship with second and third lines of defence

  • Compliance deficiencies known and mitigation strategies agreed

 

25%

Defend the business

  • Implementation, running and management of security capabilities:

  • Cyber Resilience - providing extensive coverage of information security topics including those associated with security strategy, incident management, cyber resilience and incident response;

  • Security Operations - running and supporting security toolsets utilised in the organisation;

  • Security Monitoring - Monitor Vulnerability and Technical Compliance Status of Systems, Security Alerts and incident response, Static Code Analysis, Dynamic analysis;

  • Security Testing - Conduct and coordinate security testing as per Security Standard requirements

  • Third party sourcing – maintain vendor relationships, work with procurement teams to review suppliers / vendors / solutions to ensure that the organisation's supply chain incorporates assessments of information security capabilities of partners and solutions

  • Secure by Design – ensure security is embedded within SDLC and solutions are developed and deployed to be secure by design

  • Compliant - Ensures all bank-level policies & security standards are followed and adapted to local and regional requirements as required

  • Key Control Testing – Ensure required key control testing is completed

  • Reporting - Security KRI reporting, ING Neo IT Office reporting for the operational risk committees

  • Audit – Audit liaison, coordination point for internal/external auditors, regarding all IT audit programs. Review and assess all IT audit findings; agree remediation activities and due dates with key stakeholders

  • IT Security Roadmap implemented

  • Security KRIs and reporting

  • Security incidents managed with minimal impact

  • IT Risks and security threats known and managed within appetite

  • Security Capability improvements

  • Timely and accurate reporting for the operational risk committees

  • Audit results

  • IT Audit programs run to schedule

  • Audit actions managed to agreed overdue rate

 

30%

Adapt rapidly and cost efficiently

  • Ensure IT security architecture is simple, cost effective, secure, scalable and reliable

  • Monitor, identify, plan and deliver security capability improvements to support changes in the business

  • Leverage group standard solutions and capabilities where possible

  • Build and maintain relevant business industry knowledge, including trend analysis of internal and external threats

  • Keep up to date with industry developments to ensure the security infrastructure will meet future demands of the business, and will continue to protect the bank

  • Security spend within budget

 

15%

Promote Responsible Security Behaviour

  • Improve security awareness and culture and achieve expected security behaviour amongst IT and across the organisation, including business users, technical staff, senior management, systems developers and IT service providers. Expand the concept of security awareness to include changing behaviours as a means of reducing risk

  • Risk and Control Self Assessments in place for all CIO functions in ING Neo and its initiatives

  • Participate in Head Office review processes & forums

  • Participate in financial services industry forums and working groups

  • Ensure security is embedded in SDLC

  • Ensure security is embedded in IT operations practices for ING Neo and its initiatives

  • Periodic review of security capabilities and effectiveness

  • Security awareness across IT and organisation

  • Up to date RCSAs in place

  • No policy breaches by IT Risk and Security staff

  • Feedback from management

  • Feedback from global

 

Major challenges

  • Ensuring alignment with the overall IT and business plan

  • Balancing ING Neo initiatives and ING group global requirements

  • Ensuring adoption and buy-in of security practices within ING Neo IT organisation

  • Establishing and maintaining relationships with key Business, Risk, IT and Head Office stakeholders

  • Identifying the key cost effective IT security initiatives within the ING Neo environment

  • Balancing IT Risk and Security priorities

  • Managing security service providers

 

Decision making/ delegating authority

 

Decisions Expected

  • Definition of the IT security strategy and roadmap; Security controls for risk mitigation, new systems and enhancements; Security Vendor selection; Security Capability initiatives; Security Technology selection; Changes or improvements to internal processes; Prioritisation of the team's activities

Recommendations Expected

  • Process Improvements across security within IT; Resourcing / Priority recommendations; IT Strategy recommendations; risk assessments; Processes / procedures to strengthen security measures and reduce gaps

Mandatory policies and procedures that must be adhered to in all roles include:

  • Human Resource Policies and Procedures

  • Workplace Health and Safety Policy and Programs - to ensure employees' health and safety and the health and safety of others in the workplace.

  • Other ING Neo Policies and Procedures

 

Working relationships

 

Most frequent contacts (who) Nature or purpose (why)

Head of IT Security

  • Line management

  • Technology Executive

 

Leadership Team ING Neo Value Space Lead, Initiative Lead Delivery and Business Stakeholders:

  • Provide counsel and support on all facets of IT Risk and Security Management, including: threat intelligence, risk identification, incident management, key control testing, audit coordination, KRI reporting, risk mitigation activities, budgeting and finance.

 

Knowledge and skill requirements

Essential / Desirable

Education

Tertiary level qualifications in Business, IT or a related discipline, or practical business experience (10+ years)
Security Certifications (e.g. CISM, CISSP, CISA, SABSA)

Public Cloud Certifications (Azure, GCP, AWS)

Risk Certifications (e.g. CRISC, CGEIT)

 

Technical skills

General IT controls (access controls, change controls, physical security)

Public and Private Cloud Infrastructure & Security (Azure, GCP, AWS)
Experience with infrastructure, networking and security technologies (essential)
Understanding of Systems development processes and methodologies
Networking protocols and controls (Firewalls, Switches, Routers, IPS, Load Balancing)
Endpoint Controls (Anti Virus / Anti Spyware, device control)
Virtualisation and cloud technologies
Vulnerability & compliance scanning tools
Secure SDLC and secure coding principles
Security Information and Event Management Systems
Security policy frameworks (e.g. ISO 27001, COBIT)
Risk management
Control principles and frameworks
IT Audit

Software development and scripting
DevOps
Project Management

 

Previous experience

10+ years IT experience
5+ years' experience in financial services or internet retail

Commercial IT audit/risk management
Security and Architecture Consulting experience

 

Other skills or competencies

Lead, influence and motivate a team of risk and security specialists
Strong communication skills
Effective interpersonal skills
Client focus
Ability to operate at own initiative with a pro-active attitude, within the directions and confines of management and Bank policy
Ability to liaise with a broad range of people, including line management, senior management, external suppliers and related people.
Strong organisational, analytical and problem solving skills
Ability to identify practical solutions
Ability to solve complex issues and problems