
Job Information

Huntington National Bank Secure by Design Risk Manager, Sr in Columbus, Ohio

Description

Summary:

Looking for an experienced SDLC and API engineer or architect to work as an SDLC API risk manager supporting Huntington’s transformation and use of cloud technologies and traditional on-premises data centers. As a risk manager, you will work with the Huntington operations and engineering teams to help them design and build SDLC processes and policies and API development, utilizing best practices from OWASP, ITIL, ISO standards, the NIST framework, BSIMM, and the cloud platform providers’ recommended best practices. You will be responsible for identifying potential deficiencies, assisting the business segment with audit findings and responses, reviewing remediation plans, and being a trusted advisor who identifies risk to the company.

Description:

Huntington is on a journey to move applications and infrastructure computing to leverage various cloud provider services. This SDLC risk position is tasked with partnering with the engineering segments, providing risk support and control design implementation. This resource will help ensure engineering processes follow defined governance processes, standards, and control requirements. As an SDLC Security Risk Manager, you'll be a subject matter expert in SDLC process, API gateway solutions and software, balancing the need for speed and flexibility of infrastructure deployments while ensuring Huntington is protected against ongoing and potential security threats. We are seeking an individual who has supported financial services organizations and helped assess and develop their SDLC and API strategy, cybersecurity and IT risk management programs against regulatory requirements and industry best practices. This person will be influential to SDLC and API platforms and help build compliant governance programs.

Responsibilities:

  • Provides Risk Management leadership for the Bank's public SDLC and API implementations to refine the risk strategy for architecture and implement policies and standards to ensure conformance with Risk Governance and Risk Appetite Framework.

  • Deep understanding of appropriate controls to secure development pipelines, security gates, and development testing and reviews.

  • Serve as “voice of risk” for the Technology and Cybersecurity teams that integrate security into the SDLC process; establish and mature a risk management function to promote secure system development in both waterfall and agile methodologies.

  • Provide credible challenge on Management’s governance and effective integration of security into system development.

  • Interact with regulatory oversight teams and supporting external exams as required.

  • Ensure that emerging risks identified are socialized with key stakeholders and mitigation strategies are in place.

  • Identify areas of engagement based on level of investment, inherent risk, complexity of change and other risk factors, by partnering with peers supporting Application teams, as well as 2nd and 3rd line oversight bodies.

  • Execute Risk Control coverage strategy, ensure appropriate risk mitigation actions are in place and escalate to management as appropriate.

  • Assist with prioritizing and addressing roadblocks encountered. Leverage reporting to identify trends, themes and areas requiring improved controls.

  • Drive Manager's Control Assessment monitoring, quarterly approvals and improvements required and consult on the development and review of key risk metrics, controls, and control tests.

  • Provide security consultation and guidance on design practices and controls adoption. Perform technical security assessments, and analysis of design architectures to validate appropriateness of controls.

  • Complete risk and control self-assessment including analysis of inherent risk, control environment, residual risks, segment risk appetite metrics, top and emerging risks, control effectiveness, metrics, findings, risk acceptances, and changes since last period according to Firm standards.

  • Update risk register when issues/findings identify new risks, significant changes to existing risks.

Basic Qualifications:

10 years of combined technology experience in architecture, engineering, development, cyber security, compliance, audit, or risk based on the qualifications below:

  • Bachelor's degree in a computer science, engineering, or similar field.

  • 3 years’ experience engineering, development, architecture, or security.

  • 3 years’ experience with SDLC and API development, engineering, deployment pipelines, DevOps, DevSecOps.

  • 3 years’ experience with engineering standards, procedures, controls, and frameworks such as OWASP, BSIMM, ISO, Agile, Scrum, Waterfall or similar.

  • 3 years’ experience with software deployments in traditional data center and one or more cloud platforms AWS, Azure, GCP.

  • 3 years’ experience with a primary development language such as Python, Java, .Net or other common frameworks.

  • 2 years’ experience with SAST, DAST, IAST, MAST, SCA code scanning platforms.

  • 2 years’ experience in Cyber or IT Risk Management.

Preferred Qualifications:

  • Experience in migrating to cloud services and supporting SaaS, IaaS, IAC development.

  • Excellent communication skills required to negotiate internally, often at a senior level.

  • Some external communication may be necessary.

  • Willingness to learn, able to learn on the job and a desire to continually learn and develop new technical skills.

  • Strong written and oral communication skills.

  • Organized, responsive, and highly thorough problem solver.

  • Demonstrable Public Cloud Risk knowledge based on working in real-world environments and situations.

  • Understanding of security requirements, best practices, and execution in various cloud implementation scenarios: IaaS, PaaS, SaaS.

  • Mid-level professional with 5-10 years of experience in consulting, financial services, technology/fintech or government regulatory agency with an IT risk-related role.

  • Master’s degree or relevant professional qualifications with Risk or Security management.

  • CISSP, CISM, CISA, GIAC, CIPP/US or other security/privacy certifications preferred.

  • Cloud Certifications - CCSP, AWS, Azure or GCP certifications in security, architecture, or engineering.


Exempt Status: (Yes = not eligible for overtime pay) (No = eligible for overtime pay)

Yes

Workplace Type:

Hybrid

Huntington is an equal opportunity and affirmative action employer and is committed to providing equal employment opportunities for all regardless of race, color, religion, sex, national origin, age, disability, sexual orientation, veteran status, gender identity and expression, genetic information, or any other basis protected by local, state, or federal law.

Tobacco-Free Hiring Practice: Visit Huntington's Career Web Site for more details.

Agency Statement: Huntington does not accept solicitation from Third Party Recruiters for any position.
