NCBA Group

Principal Engineer, Cyber Security Assurance at NCBA Group

00100, Nairobi Kenya
May 3, 2024
Application deadline closed.

Job Description

JOB PURPOSE STATEMENT

The Principal Engineer, Cyber Assurance will be responsible for conducting security reviews on new and existing systems, products and services in compliance with the NCBA Digital Business security policies and industry best practices such as ISO27001, CIS, PCI DSS among others. They will also be responsible for providing timely security assurance reports and advice to the business when required even with very tight timelines.

The role will lead and coordinate all cyber security assurance activities in 5 markets (Kenya, Tanzania, Rwanda, Ghana and Ivory Coast). They will manage external Penetration testing activities periodically for key systems.

KEY ACCOUNTABILITIES (DUTIES AND RESPONSIBILITIES)

  • Conducting Security Reviews for new and existing NCBA Digital systems (40%): Perform security assessment on new and existing systems to identify cyber risks and ensure the necessary controls are in place.
  • DevSecOps Implementation (20%): Drive the culture of implementing built-in security controls end to end in the software development lifecycle and automate the security testing processes.
  • Research (20%): Stay up to date with new trends in technology and cyber by continuously researching emerging technologies and threats to ensure necessary controls are in place.
  • Leadership (20%): Manage and coordinate cyber assurance initiatives by both internal and external cyber security teams. Define and report on key cyber metrics to senior management to measure return on investment in Cyber.

Main Activities

  • Perform design reviews and provide cyber security input to ensure the necessary security controls are included from the beginning of new projects.
  • Perform threat modelling for the Digital Business systems to ensure threats are identified and mitigated.
  • Perform vulnerability assessments and penetration testing across NCBA Digital Business systems.
  • Perform compliance hardening reviews for the NCBA Digital Business systems.
  • Provide timely and quality security assurance reports to the business.
  • Do regular follow-ups with system custodians to ensure identified risks are addressed within the agreed timelines.
  • Implement cyber assurance testing tools within the CI/CD pipeline to automate security testing.
  • Research on new technologies, threats and vulnerabilities to inform the necessary security controls and investments in cyber.
  • Continuously review and improve cyber processes to ensure efficient support to the agile process of software development.

JOB SPECIFICATIONS

Academic:

  • A Bachelor’s degree in Computer Science, Information Technology or related field.
  • Information security certifications e.g. CEH/CISSP/CISM/CISA/GIAC/CPTP/OSCP

Desired work experience:

  • Minimum of 5 years’ working experience in Information Systems Security – e.g. Ethical Hacking, Penetration Testing, Vulnerability Assessments, ICT Audits, Pre-and-Post Implementation System Reviews
  • Minimum of 2 years’ working experience in Networking and Operating Systems e.g. Cisco, Huawei, Windows (All) and Linux.

JOB COMPETENCIES

Technical Competencies

  • Demonstrate competency in the use and administration of ethical hacking tools e.g. Kali Linux, Metasploit, Nexpose, Nessus, Nmap, Burp Suite etc.
  • Hands-on experience in software development with major languages (Java, C++, C#) and practical experience using an RDBMS, e.g. Oracle and MS SQL.
  • Working knowledge of Cloud technologies in at least one of the following: AWS, Azure, Google and Huawei.
  • Working knowledge and experience in DevSecOps technologies and practices, e.g. Agile, Jenkins, Jira, GitHub, GitLab, will be an added advantage
  • Excellent analytical, problem solving and reporting skills
  • A good knowledge of the systems and processes within Financial Services industry.
  • Experience in leading teams of security analysts will be an added advantage

Behavioural Competencies

  • Relate easily and naturally with executives, business managers, technical teams and customers. Has excellent listening skills and understands the desires and challenges of all our leaders and customers.
  • Ability to form trusted relationships with technical teams and customers
  • Possess broad knowledge of business and has an interest in market trends. Have intricate knowledge of our business: its vision, mission, strategy, values and how it operates.
  • Clearly communicate and share the planned cyber initiatives, reports, and risks with executives, business leaders, and stakeholders across the organization – in a manner that leaves them all touched, moved and inspired.
  • Passionate about innovation. Loves technology and possesses both a deep and broad understanding of the technology market and cutting-edge technology and Cyber trends.
  • Continuously listening to our stakeholders' feedback and coming up with new architectures and enhancing existing ones to leverage these cutting-edge technologies.
  • Self-motivated and self-managing.
  • Have a material impact in attracting new customers, delighting existing customers, increasing our market share and enhancing our organization's efficiency and profits.
  • Delivery model is organized around delighting our customers, increasing our profitability, and increasing the business's efficiency.