Security Engineer – ING Neo is responsible for the design, implementation, support and risk management of ING Neo’s initiatives and infrastructure in alignment with ING's global IT Security and Risk minimum standards and policies.
ING's security mission is to make banking more trusted by delivering Integrated information security that creates an environment that is Secure, Agile and Responsible in order to safeguard our customers' identity and assets by actively preventing, detecting and responding to threats.
Integrated - Ensuring IT Security is baked into IT and business processes, focussing on the entire stack, and looking for innovative solutions;
Secure - Information is protected, trustworthy and available across its lifecycle;
Agile - Efficient, mature services responding to changing business needs, IT and threat landscape environment; and
Responsible - Respecting employee and customer rights by embracing laws and regulatory requirements, and complying with ING policies
Together with the Head of IT Security, the Security Engineer leads the IT Security and IT teams, and is responsible for providing leadership and direction for the ING Neo organisation and initiatives in securing its information assets. This is accomplished by providing advice and security services, assisting the business and IT in managing IT Risk and maintaining compliance with information security policies, and by developing solutions to mitigate business-specific exposures.
The Security Engineer works in close cooperation with ING's Global CISO to ensure regional alignment to global strategies and that regional requirements are addressed in global solutions.
Major responsibility areas and measures of success
30%
Support the business
Provide leadership and direction for the organisation in securing its information assets
Oversee and steer the ING Neo IT organisation to ensure compliance with relevant local and regional regulation and ING policies & minimum standards and where applicable to ING Neo innovation strategy.
Act as a lead on the review and challenge, governance and policy in relation to Cybercrime Resilience, Secure Software Engineering practice and Security Operations
Provide security advice and expertise and consultancy at all levels of the business and initiatives
Ensure compliance with ING Global technology, security and architecture standards where appropriate to ING Neo environment and its initiative.
Build and maintain an ongoing relationship with key Business, Risk, IT and CISO's Office stakeholders, be able to be innovative and challenge policy for ING Neo while keeping the bank and its initiatives safe, secure and compliant
Ensure there is two-way dialogue and alignment between IT and BCO and second line risk teams on emerging threats and appropriate responses to these
Oversee the security due diligence process on IT and information security issues for all new service providers / business partners
Build security culture in line with Orange Code and establish a programme of staff development to secure required skills and experience to support bank strategy.
Approved IT Security Roadmap
Up to date Risk workbooks in place for CIO functions
IT Risk managed to within Risk Appetite
Security addressed in business solutions
Alignment to global CISO roadmap
Close and seamless working relationship with second and third lines of defence
Compliance deficiencies known and mitigation strategies agreed
25%
Defend the business
Implementation, running and management of security capabilities:
Cyber Resilience - providing extensive coverage of information security topics including those associated with security strategy, incident management, cyber resilience and incident response;
Security Operations - running and supporting security toolsets utilised in the organisation;
Security Monitoring - Monitor Vulnerability and Technical Compliance Status of Systems, Security Alerts and incident response, Static Code Analysis, Dynamic analysis;
Security Testing - Conduct and coordinate security testing as per Security Standard requirements
Third party sourcing – maintain vendor relationships, work with procurement teams to review suppliers / vendors / solutions to ensure that the organisation's supply chain incorporates assessments of information security capabilities of partners and solutions
Secure by Design – ensure security is embedded within SDLC and solutions are developed and deployed to be secure by design
Compliant - Ensures all bank-level policies & security standards are followed and adapted to local and regional requirements as required
Key Control Testing – Ensure required key control testing is completed
Reporting - Security KRI reporting, ING Neo IT Office reporting for the operational risk committees
Audit – Audit liaison, coordination point for internal/external auditors, regarding all IT audit programs. Review and assess all IT audit findings; agree remediation activities and due dates with key stakeholders
IT Security Roadmap implemented
Security KRIs and reporting
Security incidents managed with minimal impact
IT Risks and security threats known and managed within appetite
Security Capability improvements
Timely and accurate reporting for the operational risk committees
Audit results
IT Audit programs run to schedule
Audit actions managed to agreed overdue rate
30%
Adapt rapidly and cost efficiently
Ensure IT security architecture is simple, cost effective, secure, scalable and reliable
Monitor, identify, plan and deliver security capability improvements to support changes in the business
Leverage group standard solutions and capabilities where possible
Build and maintain relevant business industry knowledge, including trend analysis of internal and external threats
Keep up to date with industry developments to ensure the security infrastructure will meet future demands of the business, and will continue to protect the bank
Security spend within budget
15%
Promote Responsible Security Behaviour
Improve security awareness and culture and achieve expected security behaviour amongst IT and across the organisation, including business users, technical staff, senior management, systems developers and IT service providers. Expand the concept of security awareness to include changing behaviours as a means of reducing risk
Risk and Control Self Assessments in place for all CIO functions in ING Neo and its initiatives
Participate in Head Office review processes & forums
Participate in financial services industry forums and working groups
Ensure security is embedded in SDLC
Ensure security is embedded in IT operations practices for ING Neo and its initiatives
Periodic review of security capabilities and effectiveness
Security awareness across IT and organisation
Up to date RCSAs in place
No policy breaches by IT Risk and Security staff
Feedback from management
Feedback from global
Major challenges
Ensuring alignment with the overall IT and business plan
Balancing ING Neo initiatives and ING group global requirements
Ensuring adoption and buy-in of security practices within ING Neo IT organisation
Establishing and maintaining relationships with key Business, Risk, IT and Head Office stakeholders
Identifying the key cost effective IT security initiatives within the ING Neo environment
Balancing IT Risk and Security priorities
Managing security service providers
Decision making / delegating authority
Decisions Expected
Definition of the IT security strategy and roadmap; Security controls for risk mitigation, new systems and enhancements; Security Vendor selection; Security Capability initiatives; Security Technology selection; Changes or improvements to internal processes; Prioritisation of the team's activities
Recommendations Expected
Process Improvements across security within IT; Resourcing / Priority recommendations; IT Strategy recommendations; risk assessments; Processes / procedures to strengthen security measures and reduce gaps
Mandatory policies and procedures that must be adhered to in all roles include:
• Human Resource Policies and Procedures
• Workplace Health and Safety Policy and Programs - to ensure employees' health and safety and the health and safety of others in the workplace.
• Other ING Neo Policies and Procedures
Working relationships
Most frequent contacts (who) - Nature or purpose (why)
Head of IT Security - Line management
Technology Executive
Leadership Team ING Neo Value Space Lead, Initiative Lead Delivery and Business Stakeholders:
Provide counsel and support on all facets of IT Risk and Security Management, including: threats intelligence, risk identification, incident management, key control testing, audit coordination, KRI reporting, risk mitigation activities, budgeting and finance.
Knowledge and skill requirements
Essential / Desirable
Education
Tertiary level qualifications in Business, IT or a related discipline, or practical business experience (10+ years)
Security Certifications (e.g. CISM, CISSP, CISA, SABSA)
Public Cloud Certifications (Azure, GCP, AWS)
Risk Certifications (e.g. CRISC, CGEIT)
Technical skills
General IT controls (access controls, change controls, physical security)
Public and Private Cloud Infrastructure & Security (Azure, GCP, AWS)
Experience with infrastructure, networking and security technologies (essential)
Understanding of Systems development processes and methodologies
Networking protocols and controls (Firewalls, Switches, Routers, IPS, Load Balancing)
Endpoint Controls (Anti Virus / Anti Spyware, device control)
Virtualisation and cloud technologies
Vulnerability & compliance scanning tools
Secure SDLC and secure coding principles
Security Information and Event Management Systems
Security policy frameworks (e.g. ISO 27001, COBIT)
Risk management
Control principles and frameworks
IT Audit
Software development and scripting
DevOps
Project Management
Previous experience
10+ years IT experience
5+ years' experience in financial services or internet retail
Commercial IT audit/risk management
Security and Architecture Consulting experience
Other skills or competencies
Lead, influence and motivate a team of risk and security specialists
Strong communication skills
Effective interpersonal skills
Client focus
Ability to operate at own initiative with a pro-active attitude, within the directions and confines of management and Bank policy
Ability to liaise with a broad range of people, including line management, senior management, external suppliers and related people.
Strong organisational, analytical and problem solving skills
Ability to identify practical solutions
Ability to solve complex issues and problems