Senior Specialist - Digital Security Designer Technology Information at MTN

JOB DESCRIPTION

Key Performance Areas

• Participate in and lead the security design and implementation of all products across Financial Services, Consumer, Enterprise, Technology and Digital - design phase security and post implementation.
• Evaluate the ongoing effectiveness of security controls established to ensure the security of the MTN SA product and application suits.
• Partner with IT, Risk management and Group Security to develop a comprehensive set of cyber-security controls (policies and procedures) governing hosted and SaaS environments.
• Provide security guidance and review on business and technology products/ solutions, model threats and risks as well as the controls necessary to mitigate them, on both an organisational and technical level – thinking like a malicious hacker, understanding and anticipating the moves and tactics that a hacker might use to attack MTN systems.
• Research, validation and evaluation of all new product initiatives, with phase gates reviews presented to all stakeholders during the process
• Ensure that third party solutions and products follow MTN Application Security controls and standards.
• Review the security design of MTN applications and products, drive the testing process (prior to deployment).
• Perform best-practices risk assessment of MTN’s product security stacks – Momo, Digital, Consumer, etc.
• Build security into MTN Software Development Lifecycle; creating and maintaining secure software development/ acquisition methodology - secure application development/ acquisition and coding practices across all development teams (internal and 3rd Party), security testing for existing and new systems, defining processes and establishing meaningful metrics for management.
• Implement security controls and technologies for managing Microservices, APIs and Containers.
• Work with the product teams to identify and assist with the implementation of policy, process, people and technology improvements. This includes the use of automation and security specific testing tooling; Analysing and providing remediation guidance for identified weaknesses or vulnerabilities; validate and verify remediation implementation.
• Evaluate and oversee the security of outsourced / third-party technologies and hosting environments to ensure they provide adequate protection for the processing, transmission, and storage of MTN’s information:
• Implement Group reference architecture for integrating with third parties and partners
• Implement mechanisms for vetting and implementing integration with cloud providers
• Implement architectural and development standards for third party application security
• Deliver technical security solutions, standards and configurations for the MTN SA Mobile Money technology stack, including the mobile money core system, third-party interfaces, and the internal core network interfaces. Special focus on integrating disparate systems, encryption, cryptographic protocols and algorithms, automatic patch management, security hardening of applications and devices, networks segregation with strong access controls, audit management and security monitoring, and ensuring the management of security compliance of MTN’s mobile money products, services and infrastructure.
• Evaluate outsourced Mobile Money integration points to ensure they provide adequate protection for the processing, transmission, and storage of transactions.
• Act as a subject matter expert to application development and support personnel for any/all issues regarding the security design or use of applications. This includes enterprise operational staff and business unit personnel.
• Create and execute a training and awareness program for secure development and best practice

Operational Delivery:

• Assist Senior Manager Security Architecture to develop and implement the product security architecture requirements and framework, overarched by the business risk strategy
• Develop and implement the application security solution architecture, DevSecOps tooling infrastructure and define various interface requirements for various toolsets
• Drive the design and implementation of secure applications in support of Enterprise-wide and Business Unit applications. Ensure thorough security design and testing is built into them, new and existing applications and products (inhouse & applications, on-prem or cloud)
• Roadmap definitions for security of key products by monitoring security environment; identifying security gaps; evaluating and implementing enhancements.
• Utilize security tools for the appsec program such as static and dynamic code analysis tools and develop continual improvement program.
• Supervise and manage collaboration with relevant vendors/stakeholders for vulnerability scanning and penetration testing exercises. Coordinate red teams and penetration testers to facilitate exercises and work with application engineering teams on remediation. Oversee remediation efforts
• Assist with code reviews and create secure reusable patterns.
• Perform risk and threat assessments.
• Ensure implementation of technical security standards on the application platforms as well as ongoing monitoring and reporting of compliance against the standards
• Ensure the integration of the financial technology and digital platforms into the security compliance and monitoring eco-system both at opco and Group level then regularly confirm and report on ongoing effectiveness
• Participate in information security operations duties, including incident response escalations. Liaise with other relevant functions to facilitate the timeous closure of incidents and vulnerabilities in relation to the financial technology and digital platforms
• Assist relevant business owners and custodians in identifying and setting activities logs, audit trails, functional and technical requirements, and ensure adequate custody of such.
• Stay abreast of current and evolving technologies in the application security area.

Minimum Requirements

Education:

• Minimum of 3 years tertiary qualification in Information Technology/ Engineering
• CISSP/CEH/ CGEIT certification (one of)
• SABSA and/or TOGAF, Continuous Delivery Architecture qualification will be an advantage
• Business analysis/architecture qualifications
• Other qualifications (DevOps, ITIL, TMF, COBIT) advantage

Experience:

• Minimum of 5 years of strong cybersecurity experience across network network, application (web, API) & public/private cloud security architecture (web application firewalls, containers, etc..)
• Experience in managing and implementing large scale security projects preferably with banking and telecoms companies
• Other security experience such as incident handling (from appsec perspective), threat modelling, operations, GRC, OWASP, etc
• Experience working with Developers, DevOps, and Engineering teams in a dynamic environment to promote/implement the DevSecOps program throughout the organization.
• Experience in ethical hacking or vulnerability assessment on web apps, mobile, and thick-client (scanners, fuzzers, debuggers, decompliers), static code and dynamic code analysis tools
• Ability to work with APIs and Plugins to integrate security tools into established CI/CD pipelines.
• Knowledge of web application architectures, web stack technologies (HTTPS, REST, etc..) and platforms (e.g Apigee, AngularJS, Tomcat, .Net, MS SQL, Javaetc..)
• Proficient communication skills to teach other key stakeholders various concepts like scalability, automation, and security in devops