Allen & Overy
London, Greater London
Information Security Architect
Job Description
Job title: Information Security Architect

Job description: Allen & Overy are currently recruiting for an Information Security Architect to join our London office as a key member of the global Information Security leadership team. Within the wider global Information Security function, this Manager-level role is focused tactically on providing advice and guidance to both operational and project teams as they operate existing services securely and build new solutions securely, and strategically on the definition and evolution of the firm's security architecture.

Central to the role are three strategic challenges:
a) Enabling a secure "value from data" operating model
b) Enabling secure agile virtual computing (cloud)
c) Automating the capture of data on control effectiveness to enable more effective client assurance

Role purpose

Controls specification and assurance
* Collaboratively lead the design and architecture of a highly effective technical and non-technical security controls framework for InfoSec and IT, and own the master security architecture for the firm globally.
* Work closely with the Security & Data Compliance Senior Manager in Belfast and the security operations team to agree areas of security operations focus on a weekly basis (which components to upgrade, which components to retire, etc.).
* Work with the Security & Data Compliance Senior Manager in Belfast and the security operations team to respond to RED/BLUE security drill exercises.
* Own the penetration test process for the firm globally.

Key relationships
* Reports to and works closely with the Chief Information Security Officer in order to first specify and then implement (via the IT Architecture Review Board) the security architecture of the firm.
* Support the Security & Data Compliance Manager in Belfast in identifying technical training needs within the security operations team and in preparing for RED/BLUE cyber drill exercises.
* Work with the Global InfoSec Risk and Compliance Manager in London to attend client audit meetings (particularly for our largest clients) and provide both technical and non-technical explanations of our InfoSec controls to client audit teams.
* Work with the Global InfoSec Risk and Compliance Manager to organise control improvements and remediations, often as a consequence of client audit or InfoSec risk assessment, and to discuss, foresee and agree changes to security posture resulting from client audit, external ISO 27001 certification audit and/or group financial controls audit.
* Work with the whole InfoSec team to define and own the InfoSec risk assessment process and deliverables and the InfoSec review process and deliverables, and act as a role model for InfoSec risk assessments and reviews.
* Work with the CISO, CTO and the IT Strategy & Architecture team to define and own the process for InfoSec risk assessment and controls specification within the Architecture Review Board and the Technical Design Document artefact (define the security guard rails for the ARB).

Role and responsibilities
* Collaboratively develop the security architecture for the firm.
* Define the InfoSec risk assessment and control specification processes within the Architecture Review Board and the Technical Design Document artefact.
* Provide security advice and guidance to both project teams and the operational security teams.
* Coach InfoSec staff from a technical SME perspective.
* Support the CISO in delivering security presentations to both support areas and practice groups.

Team
No direct line management, but matrix management for technical task delivery and small project delivery of the current 7 staff in Security Operations.

Key requirements
* Demonstrable significant experience of, and subject matter expertise in, cyber security architecture and the translation of architecture into effective operational security controls.
* Strong visual thinker capable of building a compelling big picture of how the InfoSec controls landscape in the firm looks today and how it should change.
* Someone who can think like a hacker and has significant RED/BLUE experience, ideally on both RED and BLUE teams.

Department purpose
The Global Information Security & Data Compliance team is responsible for setting the firm-wide strategy for Information Security and for maintaining and changing controls to ensure continuous alignment with that strategy. The team is structured to support four core capabilities:
* Assurance - responds to client requests to audit the information security posture of our firm, works to maintain compliance with certifications (e.g. ISO 27001/ISMS) and supports independent audit confidence (e.g. the annual financial audit).
* Data compliance - implements the data retention policy for the firm globally and maintains a subset of operational assurance processes such as access re-attestation and unstructured data analysis.
* Security operations - protects the digital assets and