Principal, Information Security Architect

Job Description - Principal, Information Security Architect (MER00032E6)

Principal, Information Security Architect Group : Mercedes-Benz Group AG

Description

About Us

Mercedes-Benz is USA is responsible for the sales, marketing and service of all Mercedes-Benz and Maybach products in the United States. In our people, you will find a tremendous commitment to our corporate values. Our products and employees reflect this dedication. We are looking for diverse top-notch individuals to join the Mercedes-Benz Team and uphold these hallmarks.

Job Overview:

The Information Security Architect contributes to developing the system design and application architecture and ensures that the cyber security requirements based on the industry's best practices, including Mercedes Benz security policies, will be fulfilled.

In this role, he/she develops the Threat Modelling of the (application) system by identifying potential weak points, assessing threats, developing adequate security measures, and verifying their effectiveness. Thereby, he/she ensures that incommensurate information security risks are addressed and technological, architectural, or design-related decisions will not lead to any violation of corporate guidelines. He/she documents and communicates the results.

The Information Security Architect provides strategic direction in collaboration with the ISO, Senior Management, and IT Security Risk Management.

This role will lead the team through establishing highly effective policies based on the RISE Cybersecurity Framework, establishing sustainable processes for assessing and tracking cybersecurity risk, performing security control testing, and delivering performance metrics and reporting for each program under its management scope.

He/She will possess a strong understanding of the RISE Cybersecurity Framework, understanding of performing risk assessment, as well as performing technical control assessment.

Roles and Responsibilities:

1 ． Perform Threat Analysis & Create/Update the Threat Modelling

• The Information Security Architect performs threat analyses for complex technical designs and reports the results using standard templates.
• The Information Security Architect creates the initial Threat Modelling (with new applications/systems) or updates an existing Threat Modelling (with upgraded applications/systems).
• The Information Security Architect tracks critical and high findings and updates the respective changes in the Threat Modelling.
• Given application or system descriptions, the Information Security Architect derives security requirements that will match the respective level of abstraction.

3.Review Design and Report Issues

• The Information Security Architect reviews the design documents with respect to

o F ulfillment of security requirements

o Already known design shortcomings (are they fixed or not)

• The Information Security Architect submits a written report that lists all shortcomings and suggestions on how to fix them.

4. Review Implementation and Report Issues

• The Information Security Architect reviews the implementation with respect to
• Fulfillment of security/design requirements
• Already known implementation shortcomings (e.g., from Code scan or Pen Testing, are they fixed or not?)
• The Information Security Architect submits a written report that lists all shortcomings and suggestions on how to fix them.

5. Review Project Security Planning and Report Issue

• The Information Security Architect reviews various project management documents with respect to
• plausibility of effort estimates for planned security tasks,
• plausibility of cost estimates for planned security tasks,
• overall plausibility of the timeline for security tasks,
• the overall progress of security,
• completeness of planned security tasks
• security budget planning,
• ordering status of mandatory security services,
• mandatory security-related tasks
• The Information Security Architect submits a written report that lists.
• all shortcomings, together with suggestions on how to fix them,
• all possible risks to achieving project goals that relate to information security.

6. Cyber Security Incident Management

· Responsible for end-to-end cyber security incident management process.

• The Information Security Architect will answer explicit questions on various security-related subjects, e.g.on
• Information Classification,
• Security aspects of project management,
• Cryptography,
• TPRM – Third-Party Risk Management
• Vulnerability Review and Assessment,
• Dev Sec-ops
• Security Tools
• Audit Support (External and Internal)

8. Technical Security Tasks

· Given the necessary input, the Information Security Architect will perform complex tasks with a specific, well-described result. The tasks shall require substantial security expertise. The input the Information Security Architect needs will typically be provided in written form.

9. Stakeholder Alignment

• Should be able to work with various stakeholders, including business, IT, and cross-functional teams, in a matrix organizational setup.
• Should be able to influence the cyber security work culture and ensure the implementation of required technical controls and policy measures.

This position reports to the Mercedes-Benz Information Security Officer, closely working with the Global Chief Information Security Officer (CISO), ITS Global Chief Information Security Officer, and Information Security Officers.

Qualifications

Qualifications:

Education:

• Bachelor's/master’s degree (accredited school) or equivalent with emphasis in:
• Cyber Security / Computer / Information Science
  Information Technology

Certifications:

· The ideal candidate must be a CISSP (Certified Information Systems Security Professional).

· The ideal candidate must pursue Current & Future Mercedes-Benz-mandated certifications and MUST be certified in Mercedes Benz AG Information Security Architect within six months of onboarding.

Knowledge, Skills & Abilities:

· Minimum of 10 - 15 years of cyber security experience as an ISA (Information Security Architect).

· Experience in many of the following areas:

• Information security architect experience in various industries is a MUST.
• Knowledge of IT guidelines and corporate IT policies, IT standards, knowledge of IT organization (e.g., for escalation paths for non-standard requests)
• Overview of current threats, risks, information security techniques, and controls to mitigate them.
• Experience with Identity and Access Management (IAM) tools and frameworks.
• In-depth knowledge of IT security, in particular firewalls, protocols, encryption, authentication and authorization, and secure system design and programming
• Experience in application software planning, development, and integration into proposed business solutions
• Experience implementing comprehensive application testing methodology.
• Experience identifying, evaluating, and managing risk in a complex and changing environment.
• Experience in developing and implementing countermeasures to identified application security risks.
• Experience interacting with development teams to articulate security requirements and processes while collaborating on architecture and engineering design options, implementation, testing, and user acceptance.
• Highly proficient in the configuration and deployment of applications in complex environments
• Experience in working with software developers throughout the software development life cycle (SDLC)
• Experience supporting security in DevOps processes.
• Working knowledge of NIST, Open Web Application Security Project (OWASP), and Open-Source Security Testing Methodology Manual (OSSTMM)
• Hands-on development experience with working knowledge of web application languages.
• Experience discerning an organization's security control for application software based on vulnerabilities and business needs.

o Excellent written verbal communication, interpersonal and collaborative skills. Ability to communicate security and risk-related concepts to technical and non-technical audiences.

o Strong proficiency with common management frameworks, regulatory requirements, and industry-leading practices

Additional Information

· Must be able to work flexible hours/work schedule.

· Travel Domestic and International.

· Work Holidays and weekends when required.

EEO Statement

Mercedes-Benz USA is committed to fostering an inclusive environment that appreciates and leverages the diversity of our team.We provide equal employment opportunity (EEO) to all qualified applicants and employees without regard to race, color, ethnicity, gender, age, national origin, religion, marital status, veteran status, physical or other disability, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local law.

Organization

Primary Location

Organization

Mercedes-Benz USA, LLC

Primary Location

United States of America-Georgia-Atlanta

Work Locations

One Mercedes-Benz Drive One Mercedes-Benz Drive Atlanta 30328