Job Summary: The IS Security Manager protects the confidentiality, integrity, and availability of Canonical's information systems. Serves as expert advisor to management, peers, and employees in defining, recommending, and implementing necessary policies, controls, and procedures to cost-effectively assess and manage security-related risk, educate workforce, and participate in regulatory compliance activities, especially with regards to data privacy and security legislation. Assists with development, implementation, and maintenance of world-class information security organization, including annual and ad-hoc information security risk assessments, policy governance, compliance with regulatory requirements, information security training and awareness initiatives, third-party audits and assessments, contract and procurement guidelines, and third-party risk. Oversees and coordinates information security-related risk management.
This role can be home or office based. Periodic international travel for training and business meetings is required.
Key Responsibilities:
- Shape and drive the company strategy for access controls, compliance, audit, and penetration testing that supports the company's business units and enables risk management and regulatory compliance. The challenges include identifying where and how we use data; determining what tools and technologies we should deploy; ensuring that preventive/detective/corrective controls are in place and functioning effectively; staying current with government regulations and commercial agreements governing the use of data.
- Maintain security policies and work with our Legal team to respond to internal and external compliance issues.
- Collaborate closely with leaders in each business unit to understand what customers they serve and in which markets those customers exist in, how data that they process and retain is categorized, what business processes make use of the data and why, and how the controls provide proper security and compliance. Be a representative for our customers, making sure that customer data is safeguarded and used ethically and responsibly.
- Organize and lead Risk/Privacy/Compliance training programs across departments, in order to educate and inform employees about our practices and standards, raise the level of cooperation and help people to understand the rationale for the rules.
- Manage internal and external audit and testing programs, reporting risks and areas that need correction to the senior management team and prioritizing compliance work.
- Reviewing and responding to security questionnaires and contract questions from customers on Canonical’s information security policies and practices.
Required skills and experience:
- Bachelor's degree (or equivalent) in Computer Science, Information Systems, or related field.
- Ability to read, write, and review Python and/or Go code.
- You are familiar with contractual compliance obligations, contractual security, privacy and completing security questionnaires and reviews.
- Experience defining and implementing appropriate methodologies for penetration testing, auditing, secure coding standards, incident response playbooks, forensic analysis procedures, takedown processes/law enforcement/censorship.
- You can speak intelligently about situational awareness, change management, access control, and incident response.
- You have demonstrated ability to communicate complex or detailed technical topics to a non-technical business audience, clearly conveying risk assessments, actions needed, and cost implications.
- You have a general understanding of privacy and compliance legislation in the UK and Europe, including the GDPR.
- Experience in working with legal, audit, and compliance staff.
- Experience in developing and maintaining policies, procedures, standards, and guidelines.
- Experience in driving risk-based decisions supporting business owner expectations and needs.
Preferred Experience:
- Strong knowledge and experience of applicable frameworks and regulatory requirements, e.g. ISO 2700x, PCI-DSS, NIST.
- Strong technical or engineering background, including but not limited to software development, scripting, networking, and cloud architecture.