National Grid (https://careers.nationalgridus.com)
About the Position:
The Penetration Test and Advanced Adversary team is part of the Cyber Security Operations department within Digital Risk and Security, and supports the Digital Risk and Security team's global operations by identifying vulnerabilities via standard Penetration testing assessments and identifying threats posing a genuine risk to National Grid via red / purple / advanced adversary team tests that replicate behaviors of threat actors, assessed by Government and commercial intelligence providers. This information will enable National Grid to proactively adjust its defensive posture.
This role will assist the UK lead to define and implement/operate a fully functional team, including processes, procedures and a globalised operating framework. Once in place, the team will carry out Penetration testing across a number of environments including web app, infrastructure and mobile platforms, in addition to performing red team / advanced adversary exercises based on Cyber Threat Intelligence and internal intelligence generated from tooling, security incidents and threat hunting. This role will also have links with the Operational Testing facilities.
The US lead must be an expert Penetration tester capable of performing security assessments while maintaining a business focus. The successful candidate must be an expert in network security and Penetration testing.
Explain findings and recommendations to technical and non-technical audiences
Mentor junior testers
Maintain high technical competency on all engagements providing noticeable quality and technical expertise
Provide oversight of projects delegated to team members to ensure consistent delivery and client satisfaction
Create supporting tools, templates or processes to support the team
Assist with developing a framework for internal Red Team and pen testing engagement across the business
Assist with developing and refining procedures to conduct Red Team and Penetration testing operations effectively
Assist with developing Red Team / advanced adversary scenarios consistent with real attacks
Work with other parts of the business to develop a method for testing detective capability through Red Team exercises (e.g. purple teaming)
Input into production of the yearly Test schedules which will determine what we will be testing based on known weaknesses and cyber intelligence data.
Monitoring the team's workflow.
Outsource testing if skills are not yet in house.
Managing third party vendor contracts
Ensure all compliance and regulatory testing for the US is conducted and evidence maintained for audits.
Deal with issues such as quality control, escalations, etc.
Ensure defects are managed in line with processes; establish reporting and KPIs and ensure they are met
Deal with all commercial and legal requirements such as contracts, insurance, authority to Test, disclosure, research etc.
Reviews and development
3-5 direct reports
Willing to work out of hours or flexi time if required
Ability to travel to different US sites and potentially the UK.
Direct engagement with 3rd party suppliers/vendors in ensuring they fulfill their contractual requirements, including highlighting gaps and influencing IS and business stakeholders to ensure these gaps are addressed.
Senior management from Cyber Security Operations teams.
Digital Risk and Security teams
Senior management from IS, including Service and Business owners
Program staff (Project Managers, Business Analysts, and Solution Architects).
Internal compliance and assurance teams.
Internal legal team.
Internal Security Architecture team.
External regulatory and compliance bodies.
Third party suppliers/vendors.
Knowledge, Experience & Technical Know How:
5 years technical testing experience in your area of expertise
Experience in project scoping and estimating
Full understanding of the Penetration testing and cyber security testing life cycle and its pain points. Experience of implementing the life cycle.
In depth knowledge of the commercial, contractual and legal aspects of Penetration / cyber testing.
Demonstrated ability to review reports, plan projects, manage testers, understand project prerequisite requirements prior to kickoff.
Knowledge in the following:
Internal / External / Wireless
Hardware / Device Testing
Network security concepts and best practices
Interpreted languages (Ruby, Python, PHP, etc.)
Compiled languages (Java, C, C++, Assembly, etc.)
Web-based application security concepts and Penetration testing
Network security concepts
Social engineering techniques and tactics
Experience of using Open Source and COTS for Penetration testing which could include Nmap, Nessus, Metasploit, Kali Linux, Burp Suite Pro and similar
Collaborative and team-oriented attitude
Ability to prioritize and complete multiple tasks with little to no supervision
In depth knowledge of security operations
A strong understanding of Information/Cyber Security.
A strong understanding of cyber threat intelligence attack models such as the Cyber Kill Chain or the MITRE ATT&CK model and how these can be applied for testing security systems and personnel.
A good understanding of compliance standards such as PCI DSS, ISO 27001, NERC CIP and GDPR.
Strong communication (Written and Verbal), leadership and partnering skills.
Able to demonstrate a high degree of credibility and influence senior stakeholders within the Organisation.
Able to operate as a highly independent worker and as part of a strong team/collaborative approach.
Experience of managing and mentoring a small team.
Qualifications Required: Formal certification in one of the following:
Information Security Qualifications such as CISA, CISSP or an MSc Information Security preferred.
Security Qualifications such as CEH or CHFI, GCIH, GWAPT, GPEN, CREST
National Grid is an equal opportunity employer that values a broad diversity of talent, knowledge, experience and expertise. We foster a culture of inclusion that drives employee engagement to deliver superior performance to the communities we serve. National Grid is proud to be an affirmative action employer. We encourage minorities, women, individuals with disabilities and protected veterans to join the National Grid team.
:IS Digital Security & Risk
:Mar 2, 2018, 7:19:38 PM