- Security decision-maker in the specific project/team;
- Estimate overall business risk profile;
- Classify data and applications based on business risk. Establish a simple classification system to represent risk-tiers for applications. In its simplest form, this can be a High/Medium/Low categorization;
- Build and maintain compliance guidelines. Create policies and standards for security and compliance;
- Conduct technical and role-specific application security awareness training;
- Build and maintain technical guidelines;
- Closely work with the project team in order to specify security requirements for the solution;
- Build and maintain application-specific threat models (OWASP Threat Dragon/MS Threat Modeling Tool) and as a result, explicitly apply security principles to design;
- Explicitly evaluate risk from third-party components;
- Derive security requirements from business functionality.
- Good understanding of international information and data security standards and regulations: ISO 27k series, GDPR, HIPAA, etc.;
- Ability to develop information security policies and guidelines and derive security requirements from them;
- Experience with the threat modeling process and tools. Understanding of threat modeling approaches: STRIDE, DREAD, PASTA, etc. Ability to develop an attacker profile based on the threat model;
- Understanding of access modeling. Ability to develop access models and assess them. Understanding of segregation of duties;
- Experience in IAM solutions. Understanding of purpose and approaches of IAM. Knowledge of key tasks: identify, authenticate, and authorize;
- Good knowledge of risk management, its purpose, and approaches. Understanding of the differences between and consequences of the various risk handling methods (rejection, mitigation, acceptance, etc.). Ability to evaluate risks and create a risk management plan;
- Understanding of the OWASP Top 10. Ability to describe vulnerabilities, exploitation methods, and fixes;
- Understanding of vulnerability management. Knowledge of vulnerability scanners. Ability to validate scan results and provide recommendations;
- Ability to develop and conduct security training sessions and workshops (e.g. general security training, threat modeling);
- Hands-on experience with MS Office tools: Word, Excel. Experience with diagramming tools: MS Visio, draw.io, etc.;
- Fluent English including cybersecurity-related vocabulary;
- Good communication skills, ability to conduct email communications, lead security-related meetings and discussions.
Would be a plus (not mandatory):
- Experience in Secure SDLC. Ability to describe goals, steps, approaches, etc.;
- Understanding of the OWASP Software Assurance Maturity Model, and ways of its implementation;
- Knowledge of Microsoft 365 security features: 2FA, MDM, ATP, DLP, etc.