Director, Ethical Hacking at CNA
Leadership position responsible for advising security and technology leadership on ways to reduce CNA's threat landscape. This position develops strategy for the following areas: Ethical Hacking Red-Team and Purple team cyber threat assessments and social engineering campaigns. This function oversees all penetration testing related operations work. This position also serves as the subject matter expert for leveraging various TTPs utilized by various threat actors to help CNA understand whether an actual threat actor using similar techniques would be able to accomplish specific objective(s).
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
- Develops and delivers the Ethical Hacking initiatives and roadmaps after initial assessment of the environment.
- Builds leads and has full management responsibility for the performance and development of Ethical Hacking team.
- Collaborates with leaders to define secure approach by analyzing information requirements; determines systems architecture components and technologies; studies business capabilities; develops points of views on emerging technologies and evaluates their applicability to business goals and operational requirements.
- Provides coaching guidance and direction on Ethical Hacking activities ensuring overall fit CNA InfoSec direction.
- Participates in technical testing against CNA's WebApps infrastructure and network assets from operational planning initiation and remediation to reporting
- Communicates findings attack paths and recommendations to technical non-technical and senior leadership through written reports and verbal presentations.
- Oversees the development of scripts tools techniques and methodologies to improve the overall ability of the team to deliver high-quality tests.
- Helps develop and employ advanced internal networks wireless networks mobile applications thick-client applications embedded applications or hardware penetration testing techniques.
- Responsible for development and contribution to Red-Team's Tactics Techniques and Procedures (TTPs) knowledge base
- Demonstrates an understanding of penetration testing techniques and methodologies.
- Develops and customizes payloads specific to the environment software version or for evasion of defensive technologies related to mobile applications.
- Establishes performance metrics and leverage metrics to drive control and process improvements.
May perform additional duties as assigned.
Typically AVP or above
Skills Knowledge & Abilities
- Senior-level knowledge of tools associated with penetration testing (Metasploit Burp Suite Cobalt Strike etc.)
- Ability to effectively code in a scripting language (Python Perl etc)
- Expert level knowledge of Ethical Hacking Red Team Pentesting and Social Engineering security concepts.
- Proven ability to effectively lead coach and develop a team.
- Senior-level knowledge of platform security technical solutions (to properly gauge compensating controls and their affect)
- Senior-level knowledge of modern security architectures (i.e. Zero Trust Architecture)
- Demonstrated success in establishing strategic objectives and driving tactical execution of initiatives aligned with company goals and objectives.
- Subject matter expertise across all facets of Ethical Hacking
Education & Experience
- Bachelor's degree in Computer Science or related discipline or equivalent work experience
- Typically a minimum of ten years in Information Technology preferably with Penetration testing experience
- Applicable certifications preferred (e.g. OSCP GPEN OSCE)