Director / Principal Security Architect - System and Application Security
IT - Information Technology
Estimated Travel Percentage (%): Up to 25%
Relocation Provided: No
American International Group, Inc.
The Principal Security Architect - System and Application Security (SAS) will be responsible for:
- System and Application Security Strategy: Develop AIG global SAS security strategy, identify gaps between current state and target state architecture, and build execution roadmap. Align SAS project execution to the strategy. Develop SAS investment plan. Serve as the accountable leader from Information Security Office on SAS and work with the rest of AIG stakeholders on managing SAS security investment projects.
- System and Application Security Architecture: Develop SAS security capabilities that include application security architecture patterns, DevOp security (e.g., Docker, Chef, …), patching and hardening, application security testing, and shared infrastructure security (e.g., Active Directory, SSO, AutoSys). Build a cohesive architecture to realize global SAS capabilities. Drive the architecture for all SAS security project execution. Provide rationalization for SAS toolset. Serve as the SAS security design authority.
- SAS Product Management and Technology Evaluation: Serve as a SAS technologist to lead SAS security technology evaluation and POCs. Survey and evaluate leading edge technologies that align with target state architecture. Develop product management roadmap.
In this capacity, the person will work closely with AIG's global SAS stakeholders, Effectiveness Assessment team and security monitoring team to deploy the right capabilities and evaluate the capability effectiveness (e.g., are DevOp security controls identified and implemented? How can we verify them automatically?). The person will use the capability effectiveness assessment to revise SAS strategy, architecture, technology evaluation and drive future SAS security investment.
The Principal Security Architect - SAS Security main job responsibilities:
- Act as security design authority for all projects within Information Security Office's SAS portfolio. Engage from the idealization through the system development lifecycle in project execution.
- Develop AIG SAS security strategy, architecture and execution roadmap (short term and long term)
- Develop AIG global DevOp security capabilities and solutions. Define DevOp security controls and automates these controls.
- Develop application security patterns and measure the effectiveness of pattern adoption. Review large scale application security projects (e.g., blockchain).
- Perform SAS security capability “effectiveness” assessment, identify capability gaps and propose enterprise solutions (could be new solution or re-architecting or re-configuring existing solutions)
- Function as a principal SAS security technologist to perform technology evaluation, define use cases, architect POC environment, lead POC execution and conduct trade-off analysis
- Drive SAS security solution design for in eight areas of the security architecture framework (credential management, access provisioning, authentication and authorization, data security, application security, infrastructure security, security monitoring and operations security)
- Deliver security architecture diagram and security architecture specification per security architecture engagement.
- Review enterprise critical project security architecture and assist SAS security solution integration for enterprise projects as needed.
- Develop / Harvest security architecture patterns from architecture engagements and build enterprise security architecture pattern repository.
- Communicate security strategy and drive the standardization and consistent definition and application of security principles to all stakeholders.
- 10 years' experience in an information technology role with increasing responsibility in information security architecture focusing on system and application security.
- Expert solution knowledge and implementation experience in building security in a global DevOp and cloud based environment. Experience with major container based technologies (e.g., Docker).
- Expert solution knowledge and implementation experience enterprise vulnerability management capabilities, and application security (e.g., OWASP top 10) solutions.
- Experience in security operation center execution. Understand how SAS supports cyber incident responses. Provide system and application security context during cyber incident responses.
- Familiar with how cyberattacks are carried technically and can build architecture constructs to prevent them and enable incident response. Understands that architecting a good solution and architecting the right solution may not be the same thing - there are times when adding an application or functionality is not in the best interests of the organization.
- Ability to research, analyze and resolve complex problems with minimal supervision and escalate issues as appropriate
- Excellent written, verbal communication and presentation skills
- Must be a strong team player
- Trusted Advisor - the person needs to possess the personality and behaviors (diplomatic, tenacious and tactful) to rapidly establish themselves as trusted advisors to the business and as interpreters for the development of IT security solutions.
- Practical Futurist - need to have shown that they can be ready for ‘unpredictable' risks and opportunities, developing architectures that are resilient enough to keep up with the evolution of the enterprise and cyber threat landscape.
- Commercial acumen - needs to be familiar with ‘Do more for less', be able to identify and work with stakeholders to collect, aggregate and evaluate requirements in light of current and future technology resources and budgets.
- Bachelor's degree in information technology or computer science strongly preferred. Master degree preferred.
CISSP, OSCP (Offensive Security Certified Professional), AWS Solution Architect certification preferred
It has been and will continue to be the policy of American International Group, Inc., its subsidiaries and affiliates to be an Equal Opportunity Employer. We provide equal opportunity to all qualified individuals regardless of race, color, religion, age, gender, gender expression, national origin, veteran status, disability or any other legally protected categories.
At AIG, we believe that diversity and inclusion are critical to our future and our mission - creating a foundation for a creative workplace that leads to innovation, growth, and profitability. Through a wide variety of programs and initiatives, we invest in each employee, seeking to ensure that our people are not only respected as individuals, but also truly valued for their unique perspectives.