Purpose
The Senior Information Security Architect is responsible for ensuring the completeness (fitness-for-purpose) and integrity of adidas’ information security architecture, designing, documenting, delivering and improving information security solutions and building blocks, and providing consultancy for their reuse. This includes continuous monitoring and management of requirements, including information security risks, stakeholder needs, and emerging technologies.
The primary focus of the role is to maintain a specific set of technologies, designs and standards, acting as the subject matter expert and guiding the design to meet the overall objectives for the information security domain.
This role requires consulting and engineering in the development and design of information security best practices and the implementation of solid security principles across the organization, to meet business goals along with customer and regulatory requirements.
This position reports directly to the Director Information Security Architecture.
Key Accountabilities
Security Architecture
* Define and maintain the policies, standards, procedures and guidelines required to appropriately document rules and usage of related IT Security controls.
* Design, build and implement enterprise-class security systems for a production environment.
* Align standards, frameworks and security with overall business and technology strategy.
* Design / adapt security architecture elements to mitigate threats as they emerge.
* Design / adapt solutions that balance business requirements with information and cyber security requirements.
* Identify security design gaps in existing and proposed architectures and recommend changes or enhancements.
* Contribute to enterprise level Architecture Principles Design from the information security perspective.
* Plan security systems by evaluating network and security technologies against industry standards, and maintain requirements and architecture designs for, amongst others:
* Network security and controls for office networks, on-premises and hosted data centers, software-defined data centers, distribution centers, the corporate WAN, the retail network, site-to-site and client-to-site VPNs, and wireless networks (e.g. physical and virtual routers, switches, L4-L7 firewalls, WAF, NIDS/NIPS, network admission control, DPI, content filtering, wireless protection, etc.);
* Cryptographic services (e.g. public key infrastructure, certificate and encryption key management, hardware security modules);
* Endpoint security solutions (e.g. anti-malware, HIPS/HIDS, host firewall, media control, EDR, application control, host DLP);
* Email security solutions (e.g. anti-malware, anti-spam, email fraud defense, email encryption, email DLP);
* Privilege Management Infrastructure (e.g. identity management, user directory services, federated authentication services, authorization services, policy enforcement, privileged usage management);
* Data Loss Prevention (information classification, labelling, data discovery, scanning, control for data in transit, in use, and at rest);
* Intellectual Property Protection;
* Automated compliance testing, vulnerability management, threat management.
Consultancy
* Ensure compliance with information security related governance controls and advise on how to achieve it.
* Design / adapt / contribute to technical information security standards, operational security baselines, guidelines.
* Promote and guide the (re)use of information security building blocks.
* Identify, evaluate and recommend options, and drive the implementation of building blocks where required.
* Collaborate with, and facilitate stakeholder groups, as part of formal or informal consultancy agreements.
* Enhance security team accomplishments and competence by planning delivery of solutions; answering technical and procedural questions for less experienced team members; teaching improved processes; mentoring team members.
* Contribute to architecture related information security risk management (especially to assessment and mitigation planning).
Technical Specialism
* Maintain an in-depth knowledge in a set of specific technology domains, and provide expert advice regarding specific information security areas.
* Be able to supervise specialist technical consultancy. The specialism can be any aspect of information security technology, technique, method or product.
Emerging trends & technology monitoring
* Maintain expertise by tracking and understanding emerging security practices and standards, participating in educational opportunities, reading professional publications, maintaining personal networks, participating in professional organizations.
* Monitor emerging threats and vulnerabilities to ensure that the organization’s security posture is kept up to date.
* Identify new and emerging hardware and software technologies and products within the information security domain, assess their relevance and potential value to the organization, and contribute to briefings of staff and management.
* Contribute to research goals, and build on and refine appropriate outline ideas for the evaluation, development, demonstration and implementation of research.
* Use available resources to maintain up-to-date knowledge of the information security field.
Requirements definition and management
* Determine security requirements by evaluating business strategies and requirements, corresponding information security standards and regulations, conducting system security and vulnerability analysis and risk assessments, evaluating the business / information system architecture / platform, identifying integration issues, preparing cost estimates.
* Select the most appropriate means of representing security requirements in the context of a specific change initiative.
* Drive the requirements elicitation process where necessary, identifying what stakeholder input is required.
* Obtain formal agreement on scope and requirements from a large and diverse range of senior stakeholders and recipients, and establish a baseline on which delivery of a solution can commence.
* If necessary, take responsibility for re-evaluating requirements and facilitating changes to the architecture / program scope.
* Ensure that information security aspects are integrated into solution design.
If required: People Management
* Allocate work to the respective employees considering experience, complexity, workload and organizational efficiency.
* Continuously monitor and evaluate team workload and organizational efficiency with the support of IT systems, data, analysis and team feedback and make appropriate changes in order to meet business needs.
Relationship management
* Identify the communication needs of each stakeholder group in conjunction with business owners and subject matter experts.
* Translate communications / stakeholder engagement strategies into specific tasks.
* Facilitate open communication and discussion between stakeholders, acting as a single point of contact by developing, maintaining and working to stakeholder engagement strategies and plans.
* Provide informed feedback to assess and promote understanding.
Knowledge, Skills and Capabilities
* Experience in conducting interviews and delivering information security assessments of the current infrastructure, projects, new technologies, external service providers and information security related changes.
* Strong understanding of enterprise-level information systems and technology architectures, with expertise in network security, cryptography, virtualization and cloud security concerns.
* A solid understanding of ISO 2700x, PCI DSS and ITIL is a must.
* Technically aware of current threats and trends and of emerging information security solutions and vendor products; strong analytical skills; ability to create new business models.
* Ability to provide a clear framework for performance to direct reports or to project teams.
* Pro-active (engaging & impact-oriented) mindset, ability to think end-to-end.
* Business- and solution-oriented, with a global mindset and strategic orientation, and the ability to act tactically as required.
* Ability to be self-directed while working under tight deadlines, must be able to perform well under pressure.
* Ability to work in a fast-paced environment with different international cultures.
* Ability to define problems, collect data, establish facts, carry out logical analysis, and draw valid conclusions.
* Ability to cope with change, make decisions and act comfortably with risk and uncertainty.
* Strong experience in working on several projects simultaneously, ability to deliver projects on-time, on-budget.
* Strong stakeholder management as well as the ability to negotiate and influence at all levels.
* Strong communication (both written and verbal in English) and facilitation skills (small and large groups), especially when interacting with different levels of business.
* Ability to travel, domestic or international, as required.
Qualifications
1. Bachelor’s degree in information technology or management, or equivalent combination of education and experience.
2. 8+ years of progressive work experience in at least three of the following domains: Security and Risk Management; Asset Security; Security Engineering; Communications and Network Security; Identity and Access Management; Security Assessment and Testing; Security Operations; Software Development Security.
3. 3-5 years of experience in managing a team.
4. CISSP, CISM or similar certification desired.
5. CISSP-ISSAP, TOGAF, SABSA Chartered Security Architect, CCSP or AWS Certified Solutions Architect certifications are a plus.
6. A track record in systems integration, solutions modeling, services design is desired.