
  • Posted: Sep 23, 2020
    Deadline: Not specified

    MTN Group Limited entered the telecommunications scene at the dawn of South Africa’s democracy, in 1994. In 1998, we began our expansion by acquiring licences in Rwanda, Uganda and Swaziland. Since then, we continued to grow, with a view of bringing world-class telecommunications and digital services to markets across Africa and the Middle East. Throug...

    Senior Specialist: Product/ Application Security & Testing

    Mission/ Core purpose of the Job: 

    • This role is responsible for embedding and maintaining technical security architecture and controls requirements in mobile money and new products and applications areas in the Fintech, digital, IoT and Cloud environments. This includes planning and preparing solution designs, architecture standards and configurations, and engagement models to be implemented across all business areas, core systems, third-party interfaces, and the internal core network interfaces. This role will be a valued partner to development and engineering teams to ensure secure architectures, patterns, and solutions are created and maintained.

    Key Performance Areas:

    • Participate in and lead the security design and implementation of all products across Financial Services, Consumer, Enterprise, Technology and Digital - design phase security and post implementation.
    • Evaluate the ongoing effectiveness of security controls established to ensure the safety of the MTN SA product and application suites.
    • Partner with IT, Risk management and Group Security to develop a comprehensive set of cyber-security policies and procedures governing hosted and SaaS environments. 
    • Provide security guidance and review on business and technology products/ solutions, model threats and risks as well as the controls necessary to mitigate them, on both an organisational and technical level – thinking like a malicious hacker, understanding and anticipating the moves and tactics that a hacker might use to attack MTN systems. 
    • Research, validate and evaluate all new product initiatives, with phase-gate reviews presented to all stakeholders during the process.
    • Ensure that third party solutions and products follow MTN Controls standards.
    • Review the security design of MTN applications and products, drive the testing process (prior to deployment). 
    • Perform best-practices risk assessment of MTN’s product security stacks – Mobile Money, Digital, Consumer, etc.
    • Build security into MTN Software Development Lifecycle; creating and maintaining secure software development/ acquisition methodology - secure application development/ acquisition and coding practices across all development teams (internal and 3rd Party), security testing for existing and new systems, defining processes and establishing meaningful metrics for management. 
    • Implement API security practices and container security management. 
    • Work with the product teams to identify and assist with the implementation of policy, process, people and technology improvements. This includes the use of automation and security-specific testing tooling; analysing and providing remediation guidance for identified weaknesses or vulnerabilities; and validating and verifying remediation implementation.

    • Evaluate and oversee the security of outsourced / third-party technologies and hosting environments to ensure they provide adequate protection for the processing, transmission, and storage of MTN’s information:

    1. Implement Group reference architecture for integrating with third parties and partners
    2. Implement mechanisms for vetting and implementing integration with cloud providers
    3. Implement architectural and development standards for third party application security
    • Deliver technical security solutions, standards and configurations for the MTN SA Mobile Money technology stack, including the mobile money core system, third-party interfaces, and the internal core network interfaces. Special focus on integrating disparate systems, encryption, cryptographic protocols and algorithms, automatic patch management, security hardening of applications and devices, network segregation with strong access controls, audit management and security monitoring, and ensuring the management of security compliance of MTN’s mobile money products, services and infrastructure.
    • Evaluate outsourced Mobile Money integration points to ensure they provide adequate protection for the processing, transmission, and storage of transactions.
    • Act as a subject matter expert to application development and support personnel for any/all issues regarding the security design or use of applications. This includes enterprise operational staff and business unit personnel.
    • Create and execute a training and awareness program for secure development and best practice 

    Operational Delivery:  

    • Assist Senior Manager Security Architecture to develop and implement the product security architecture requirements and framework, overarched by the business risk strategy
    • Develop and implement the security solution architecture roll-out definition and actualization of products, including via third parties
    • Drive the design and implementation of secure applications in support of Enterprise-wide and Business Unit applications. Ensure thorough security design and testing is built into both new and existing applications and products (inhouse & applications, on-prem or cloud).
    • Define roadmaps for the security of key products by monitoring the security environment, identifying security gaps, and evaluating and implementing enhancements.
    • Utilize security tools for the appsec program, such as static and dynamic code analysis tools, and develop a continual improvement program.
    • Supervise and manage collaboration with relevant vendors/stakeholders for vulnerability scanning and penetration testing exercises. Coordinate red teams and penetration testers to facilitate exercises and work with application engineering teams on remediation. Oversee remediation efforts.
    • Assist with code reviews and create secure reusable patterns.
    • Perform risk and threat assessments.
    • Ensure implementation of technical security standards on the application platforms as well as ongoing monitoring and reporting of compliance against the standards 
    • Ensure the integration of the financial technology and digital platforms into the security compliance and monitoring eco-system both at opco and Group level then regularly confirm and report on ongoing effectiveness
    • Participate in information security operations duties, including incident response escalations. Liaise with other relevant functions to facilitate the timeous closure of incidents and vulnerabilities in relation to the financial technology and digital platforms 
    • Assist relevant business owners and custodians in identifying and setting activity logs, audit trails, and functional and technical requirements, and ensure adequate custody of such.
    • Stay abreast of current and evolving technologies in the application security area.

    Budgets

    • Assist with management of departmental budgets in line with business objectives and facilitate forecasting;
    • Manage project initiative budgets in line with business objectives; and
    • Drive initiatives that will ensure that the “cost of operations” are reduced, in line with a least cost operating strategy stemming from the business drivers.

    Minimum Requirements  

    Education:

    • Minimum of 3 years tertiary qualification in Information Technology/ Engineering
    • CISSP/CEH/ CGEIT certification (one of)
    • SABSA and/or TOGAF qualification will be an advantage
    • Business analysis/architecture qualifications
    • Other qualifications (ITIL, TMF, COBIT) advantage
    • Fluent in English

    Experience:

    • Minimum of 5 years of relevant work experience in Information Security 
    • Experience in designing and implementing application security systems architecture
    • Experience in managing and implementing large scale security projects
    • Advanced working understanding of the information and technology environment of a bank or telecom company
    • Other security experience such as incident handling (from appsec perspective), architecture, operations, GRC, OWASP, etc
    • Experience in application development with at least one modern programming language.
    • Knowledge of DevOps and Agile methods
    • Experience performing code reviews and with associated applications such as static code analysis tools and dynamic code scanners in several languages
    • Knowledge of web application architectures
    • Knowledge of threat modelling
    • Knowledge of dynamic code 

    Please note that MTN is an equal opportunity employer.
    Should you not hear from us within 14 (fourteen) days from the closing date of this advertisement, you may consider your application to be unsuccessful.

    Method of Application

    Interested and qualified? Go to MTN on www.linkedin.com to apply
