Digital Security Architect

  • Expired: February 28, 2023. Applications are no longer accepted.
Position Function:

This position will play an integral role in supporting efforts to minimize security risks associated with digital, web, and DevOps. They will serve as the Subject Matter Expert (SME) in areas related to DevOps, APIs, web development, etc. and their impact on employee and customer experiences pertaining to things such as authentication methods, establishing security programs and controls, etc.

The ideal candidate will have broad experience developing and securing applications, web services, and APIs. They will work closely with the business and project teams to advocate security requirements to ensure web services, applications, and APIs align with policies, standards, and best practices, while ensuring the security architecture and practices do not infringe on the needs of the business.

They will be responsible for:
  • Developing and maintaining information security risk management processes that are clear and understandable, workable, up-to-date, and reflect regulatory and CPB-specific requirements and issues.
  • Assisting in communicating such processes throughout the business, including holding training sessions where appropriate.
  • Assisting with the planning, coordination, implementation, and management of security measures that manage risks to computer systems and data, to prevent unauthorized modification, destruction, or disclosure of information, including outside service providers.
  • Analyzing and appraising new products and/or systems for security weaknesses and providing measures to prevent exposure and loss.

Performs all duties and interacts with internal and external customers in a manner that is expressly aligned with the Company's Core Values of approaching all actions with a "Voyaging Spirit" and being "Positively Ohana". Exhibits core competencies that result in consistent delivery of positive Customer Interactions, Empowerment and Ownership and demonstrates key professional and performance skills such as Active Listening, effective Oral and Written Communication, Action and Solution Oriented and Thoroughness.

Primary Accountabilities:

Conducting security assessments of systems, application design, and infrastructure to ensure appropriate security controls as part of the overall risk management practice of the organization to include, but not limited to:
  • Validating IT infrastructure and other reference architectures for security best practices, and recommending changes to enhance security and reduce risk where applicable
  • Administering API security testing and code reviews
  • Conducting code reviews of applications to determine security flaws or other issues that would impact the confidentiality, integrity or availability of the system
  • Conducting or facilitating threat modeling of services and applications that tie to the risk and data associated with the service or application

Delivering operational security support to include, but not limited to:
  • Development, maintenance, and monitoring of security tools and processes
  • Conducting incident response exercises with colleagues throughout the organization and incorporating lessons learned into existing security architectures and practices
  • Conducting forensic analysis of security-related incidents in a manner consistent with best practices and guidance from the organization's counsel, human resources or law enforcement
  • Reviewing financial transactions to ensure sound system functionality and security architecture

Other departmental duties and functions including, but not limited to:
  • Performs risk analyses pertaining to the security needs of the bank and prepares recommendations based on risk/exposure versus cost. Prepares and presents research findings in written and/or oral form. Presents objectives, alternatives, risk analyses, and cost/benefit analyses.
  • Assists the Information Security Manager with the planning and directing of information security activities of the bank to ensure compliance with internal/external audits and with federal and State regulations, which include FDIC, relevant sections of the Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act Section 404 provisions, and other duties to be assigned.
  • Maintains an outward-facing and forward-looking view to provide solutions to ensure that the bank's Information Security Program is current and relevant.
  • Designs, implements, and manages Information Security data identification, aggregation, analytics, and validation to meet department goals.

Collaborating in developing and maintaining security architecture documentation (policies, standards, procedures, models, templates, etc.) that may be applied towards security governance in projects and operations:
  • Initiating and executing on process improvements, policy/procedure updates, etc.
  • Tracking developments and changes in the digital business and threat environments to ensure they are adequately addressed in security strategy plans and architecture artifacts
  • Documenting data flows of sensitive information within the organization (e.g., PII or ePHI) and recommending controls to ensure this data is adequately secured (e.g., encryption, tokenization, etc.)

Serving as the Subject Matter Expert in providing guidance in the areas of web applications, DevOps, and API security:
  • Participates in application and infrastructure projects to provide security planning advice
  • Coordinates with teams performing DevOps to advocate best practice on APIs, secure coding practices, etc. and escalates concerns associated with API security testing and code reviews
  • Liaises with the vendor management team to conduct security assessments of existing and prospective vendors, especially those with which the organization shares intellectual property, PII, ePHI, regulated or other protected data, including SaaS providers, cloud/infrastructure as a service (IaaS) providers, managed service providers, etc.

Team Lead Responsibilities:
  • Responsible for training other staff on policies and standards related to DevOps best practices, SDLC, API security, cloud security, and also training staff on methodologies in conducting risk assessments related to this area.
  • Will review/delegate work related to the governance and oversight of controls related to DevOps, APIs, web applications, and cloud security.

Minimum Qualifications:

  • Bachelor's Degree from an accredited 4-year university in any discipline (preferably in the fields of Information Security, MIS, Computer Science, or a related discipline) required

  • 4+ years of experience and working knowledge in information security, web development, application security, and regulations & privacy laws pertaining to release of information, and security & access control technologies, or equivalent experience required
  • Data processing or analytics and related technical experience preferred

Physical Requirements & Working Conditions:
  • Must be able to perform light physical work and to move or lift items including but not limited to boxes, files and papers up to 20 pounds unless otherwise indicated.
  • Must be able to operate and proficiently use standard office equipment, including phone, copier, personal computer and/or other work related mechanical or electronic devices and applications.
  • Must be able to clearly communicate verbally and in writing with all internal and external customers. Must also be able to hear sufficiently to engage in daily discussions and interactions.
  • Must be able to read and understand bank-related documents.
  • Must be able to work in a conventional office setting, involving sitting at a desk or workstation for long periods of time. Must also be able to adapt to different work environments as needed to perform the job.

We are proud to be an EEO/AA employer M/F/D/V. We maintain a drug-free workplace and perform pre-employment substance abuse testing.

Central Pacific Bank


Honolulu, HI
96817 USA


Real Estate