Head of Security Testing & Threat Vulnerability Management

Do you want to define and lead the security testing and threat vulnerability management efforts for one of London’s finest financial institutions? This organisation powers financial markets and exchanges, and delivers bleeding-edge products to firms all over the globe.

As the Lead of this team, you’ll take charge of the development and execution of strategy for the team, setting and driving the achievement of important metrics and objectives through effective leadership and ensuring alignment with the broader CIS strategy. You will manage the performance, development, and wellbeing of your specialist team across various technical domains to provide robust control, security, and resiliency of the compute environment.

Your goal will always be to protect customer and employee confidential information. You and your team will achieve this by developing and executing a security testing framework and implementing the best tools and processes at your disposal. Managing penetration testing, vulnerability scanning, red-teaming, and intelligence-led testing (CBEST), you’ll work closely with infrastructure and application teams to monitor, track, and ultimately drive down key vulnerabilities. Your colleagues in business and technology will lean on you as a trusted advisor, so expect to be involved in major change activities to ensure the appropriate security engagements.

A full and (very) in-depth job outline is below.

Role Purpose

To define and lead the Security Testing & Threat Vulnerability Management team. This role will be responsible for defining strategic, tactical, operational and technical security & threat intelligence capability within LSEG.


Key Responsibilities

  • Leads the development and execution of strategy for the Security Testing & Threat Vulnerability Management team, setting and driving the achievement of important metrics and objectives through effective leadership and ensuring alignment with the broader CIS strategy
  • Manages performance, development and wellbeing of the Security Testing and TVM specialists across various technology domains to provide robust control, security and resiliency of the computing environment, protecting customer and employee confidential information, and compliance with regulatory requirements
  • Responsible for the development and execution of the Security Testing framework, methodology, tools and processes across Technology
  • Manages and is responsible for the following functions:
      • Penetration testing
      • Vulnerability scanning
      • Security code scanning
      • Red Teaming
      • Intelligence-Led Testing (e.g. CBEST)
  • Is responsible for vulnerability management and working with infrastructure and application teams to drive down key vulnerabilities.
  • Monitor and track key vulnerabilities and the resolution of these issues.
  • Managing the Front Door process to ensure appropriate security engagement for major change activities (i.e. not limited to security testing).
  • Maximises relationships with vendors, regulators and industry bodies to seek and adopt standard methodologies in Security Testing, Pen Testing, Threat Vulnerability detection and mitigation
  • Acts as trusted advisor and leader across the wider LSEG Technology


Leadership responsibilities

Responsible for the total Security Testing, Threat Vulnerability Management Team (circa 19 FTEs). Member of the CISO Leadership team.


Critical Deliverables

  • Security Testing Framework and methodology
  • Standardised security testing tools and processes across LSEG
  • Indicators of Compromise
  • Security Testing Run books


Impact

This role will affect all members of the Security Testing & TVM team. There is potential for severe disruption to service and/or harm to customers, resulting in reputational, financial and/or regulatory compliance impacts to the whole of LSEG.


Key KPIs

  • Mean time to detect vulnerabilities
  • Mean time to resolve vulnerabilities
  • Average window of exposure
  • Scan coverage
  • Scan frequency
  • Number of open critical vulnerabilities
  • Vulnerability re-open rate
  • Percentage of systems with no open critical vulnerabilities


CANDIDATE PROFILE AND REQUIREMENTS


Technical / Job Function knowledge

  • Understanding of Security Testing protocols, pen testing and code testing
  • Experience in Red Team management
  • Current working knowledge of the industry threat landscape and tracking of cyber threat
  • An understanding of the threat intelligence data formats and standards (OpenIOC, STIX, TAXII, MAEC)
  • An understanding of SIEM platforms (e.g. Splunk/QRadar/LogRhythm).
  • Experience in security event analysis & triage, incident handling and root-cause identification
  • Experience with performing malware analysis using a variety of techniques including dynamic and static analysis
  • An understanding of Windows/Linux internals, and how malware typically interacts with the OS
  • Solid understanding of networks including the TCP/IP stack, typical organisation architectures, and common protocols abused by malware.
  • Knowledge of Windows Active Directory and how it is commonly abused by threat actors


Business and sector expertise

  • Experience in financial services organisations or similar regulated organisations
  • Experience of working with multi-country organisations and complex post-merger integration programmes with significant business impact
  • Experience of developing and influencing strategic working relationships with key technology suppliers


Leadership and management experience

  • Ability to build and maintain a positive relationship with a division’s Business and Technology partners. Be the voice of Security Testing & TVM in the division/business area and the voice of the business within InfoSec.
  • Experience in defining a road map that is aligned with an overall Technology, and owning this to completion
  • Ability to effectively identify and resolve risks and issues.
  • Experience around planning, introduction, delivery services and initiatives for a technology function or sub-function
  • Examples of where they have showcased thought leadership by identifying industry technical trends as well as customer and engineering feedback to recommend, plan for, and address core market opportunities


Personal skills and capabilities

  • Gravitas to communicate with Board members at LSEG, Executive Committee and senior Regulators
  • Ability to influence across multiple Divisions, Businesses and Functions
  • Excellent communicator.
  • Experience of successfully planning and delivering large scale complex Technology integration and Technology transformation programmes with proven track record of establishing important relationships with the executive leadership
  • Excellent verbal, written and interpersonal communication skills. Listens and communicates technical subjects to both technical and non-technical audiences, flexing style to suit the needs of the audience
  • Ability to work effectively with colleagues, with 3rd parties, internal teams, and international business units, promoting knowledge sharing within and across teams
  • Frequently keeps up to date with the latest industry developments