Senior Security Engineer
At Northwestern Mutual, we are strong, innovative and growing. We invest in our people. We care and make a positive difference.
Remote role available.
What's the role?
As a Senior Security Engineer, your job is to partner with both the engineering and business organizations to help them manage information protection, cyber-security, and privacy related risks. This includes helping them navigate the multifaceted risk and cyber security assessment processes, prioritizing and establishing plans to address findings, generating threat models, mitigating security vulnerabilities, hands-on mentoring, and treating risks at different stages of the development lifecycle.
You will report into the Risk Engineering function and act as a liaison for the centralized Information Protection and Cyber Security department. Your role will be that of an embedded team member for a set portfolio of applications. You will be under the mentorship of a Risk Engineering Leader, in a team with experienced Risk Engineers to help you learn and navigate the processes and tools that Northwestern Mutual uses as well as support you in your career growth!
Your general milestones are the following:
- Within the first two (2) weeks, jump head-first into getting to know the business and engineering teams with the goal of understanding what their business priorities are, how they work and function as a team to best integrate security tasks and what applications / systems they lead and support.
- Within one (1) month, understand the highest-risk applications in their space, the status of each application's Authorization to Operate, when the last penetration testing assessment was completed, and have a comprehensive list of outstanding findings, security vulnerabilities and other risk management concerns.
- Within two (2) months, have a solid grasp of the various risk management processes, how to engage in them and what documentation is required to complete them. At this time, the individual will be fully engaged in those processes and helping teams complete all vital activities.
- Within four (4) months, understand the entire space from an information protection and cyber security perspective and be the point person if the area has questions or concerns, be engaged early in the process when new efforts (large development changes or vendor evaluations) are underway, lead efforts through completion, and identify and deliver solutions for automation opportunities.
- Within five (5) months, demonstrate sustainable tracking of assessments, findings and vulnerabilities through various dashboards and metrics. Begin work on crafting control patterns to help other areas handle risks in a consistent and repeatable manner.
- Within six (6) months, earn an additional AWS or equivalent security certification if desired / needed. Growth opportunities exist in application security: getting hands-on in code reviews, fixing infrastructure, container and application related vulnerabilities, and securing CI/CD pipelines. Additionally, growth in penetration testing: looking at the area's applications and continually performing static and dynamic application testing to identify weaknesses and broken controls.
Bring Your Best! What this role needs:
- 5-7+ years of experience preferred
- Strong appreciation and skill in partnering with leaders as well as developers; ability to understand and follow risk management processes, practices and documentation needs
- Ability to balance risk issues with business priorities to drive mutually agreeable timelines for remediation, and strong technical understanding of cloud, application security tools and application vulnerabilities.
- Proven results in delivery and process improvement
- Automation mentality, with an ability to identify manual processes that can be made more efficient and repeatable and to assist development teams in applying automation patterns
- Continuously improve by collecting and responding to feedback and metrics
- Proactively learn emerging platforms and related technology
- Ability to tackle sophisticated technical and security issues and enable/teach others
- Can move quickly. Everyone here is especially kind and very willing to share knowledge and a helping hand, but you have to be willing to take ownership of the outlined goals and make things happen
- Certifications may include CRISC, CCSP, CISSP, CEH, or equivalent
Technical skills:
- Amazon Web Services (AWS) Cloud
- Microservice / Micro-architectures
- Experience with automation tools or coding/scripting (e.g. Ansible, Terraform, Python, Java/JavaScript, PowerShell)
- Architecture Diagrams / Data Flow Diagrams / Threat Models
- Application Security - SAST, DAST, Continuous Integration / Continuous Delivery pipelines that assure security and compliance
- Risk Management (Identity and Access, Data Encryption, Incident Response, Logging and Monitoring, Vulnerability Management)
- Familiarity with NIST, OWASP, security maturity frameworks (e.g. OpenSAMM, BSIMM), secure software development lifecycle, cyber security regulations, GRC tools
Benefits:
- Whip-smart team that is very friendly and always willing to lend a hand
- Tons of room for career growth, coaching and mentoring
- Highly competitive salary
- Outstanding benefits: PTO, bonuses, medical, dental, vision, 401k, and pension plans
This job is not covered by the existing Collective Bargaining Agreement.
Grow your career with a best-in-class company that puts our client's interests at the center of all we do. Get started now!
We are an equal opportunity/affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, gender identity or expression, sexual orientation, national origin, disability, age or status as a protected veteran, or any other characteristic protected by law.