JOB DESCRIPTION: Digital Security Architect, Version 1.1


Role title: Digital Security Architect
Version: 1.1
Reports to: Architecture and Solution Design Team Leader
Function: Digital
GGS: GGS13
Location: Leeds, London, Bristol

Organisation structure & department profile:

EE is one of the most innovative brands in a truly dynamic industry. EE has 27 million customers served through particularly mature channels including retail and call center operations. EE's digital agenda is therefore unprecedented in terms of scale of opportunity, which is why the Digital Department sits at the heart of EE's transformation strategy.

Following a significant investment in a new digital infrastructure, platform and experience, the digital department is now well positioned to accelerate the effectiveness and value of its digital touch points to drive better customer experience, satisfaction and commercial return.

EE's Digital teams consist of professionals with skills across ecommerce, eservice, Customer Experience, Content, Design/UX, Product Management, Planning, Analytics and Development & Operations.

The organisational structure is evolving to adopt an enterprise agile framework, broadly based on the Spotify engineering model. The structures that EE will adopt include:

Squads: A multidiscipline team of between 7-9 people including product owner, scrum coach, solution designer, developers and QA. Each squad has its own mission and feature sets to develop. The squad is led by a product owner who sets the vision of what they wish to build.

Tribes: A collection of between 2-10 squads. Each grouped around a specific product area: Shop, Selfserve, Web, App, Tech Enablement. The Tribe is led by a Chief Product Owner who sets the vision of what they wish to build at the product level. The Technical Product Owner sets the direction from a technical perspective in support of the product vision.

Chapter: A group of people having similar skills and working in the same competency area. The Architecture & Design Team has 2 Chapters (Architecture and Solution Design). Other chapters include Quality Assurance, DevOps / Continuous Integration, Operations & Release. Each chapter is led by a Chapter lead. They are responsible for the professional development and management of that specialty. E.g. the Head of QA will lead the QA chapter and supply all testers (both automated and manual) to the squads.

Guild: An informal community of interested team members from across digital who are interested in a common topic. E.g. web technology guild where anyone with an interest in this area can attend meetings on this topic.

The guild is led by a guild co-ordinator who co-ordinates this community of people.

Role purpose:

The role holder's purpose is to effectively champion security across EE Digital. The Architecture chapter wants to introduce a Security by Design principle which will ensure security is part of the design, and thus guide the development of Digital products which meet security policies and standards from the development.

This role will work closely with not only DevOps team members, but the BT Security organisation. Establishing and maintaining relationships are key to this role. The role holder will need to identify any existing security gaps (process, people or technology). Working alongside the Lead Architect (Architecture Chapter Lead) will be imperative to the role in order to establish an approach which encompasses security into the architecture, and thus drives us towards a state of security readiness from the start rather than a pro-active response.

The role holder is expected to be accountable for the analysis and assessment of all digital security; it is therefore expected they play a leading role in risk assessments, penetration/security testing, security vulnerability assessments, security policy compliance, and security governance.

The establishment of processes is key to this role. It is expected that the role holder can effectively communicate and manage security related risk and implement processes which can streamline security for EE Digital. The role holder will also be responsible for providing support and consultancy services to operational teams in the event of a security incident. Additionally, the role holder will need to stay up to date with external changes, i.e. legislation and standards, which may impact our architecture and products.

The role holder will provide security domain expertise to support the evolution of our digital architecture; it is expected that they can directly develop the security architecture alongside the other architectural areas.

Key Responsibilities & Accountabilities: (In priority order)

For the assigned scope, the role holder will be responsible for:

- Accountable for producing holistic solutions to maintain and improve Digital security while minimising impact on delivery and innovation
- Responsible for supporting Digital teams to deliver secure products for our customers
- Be the lead of a Security Guild aligned with the Tribes and Squads model to build security awareness and best practice throughout DevOps
- Engage with key stakeholders from BT Security to understand and influence BT's overall consumer security strategy
- Provide security related architectural guidance for post-incident reviews, supporting root-cause analysis and calling out lessons learned
- Provide clear, actionable insights and proposals to the leadership team
- Build on best practices within the business, the industry and beyond to develop and implement innovative approaches to Digital security
- Build relationships with Security and Digital stakeholders to enable collaborative, agile approaches to Digital security
- Delivery of Digital Impact Assessments and support the articulation of security impacts to other Impact Assessments within the team
- Be responsible for the delivery of Digital architecture artefacts

- Work with BT Security on the roadmap for group-wide security to ensure that Digital's interests are taken into account
- Work with other consumer-oriented parts of the Group to share learning around Digital security practices and tools
- Maintain relationships with strategic external partners to influence their roadmaps and continue taking best advantage of their evolving capabilities
- Understand key regulatory requirements (PCI, EU GDPR, Digital Economy Act etc.) and their potential impacts on Digital solutions
- Ensure value for money in Digital security solutions, aligning expenditure to business value via recognised risk management methodologies
- Encourage input from all areas of the business, ensuring that security concerns and suggestions are heard and handled effectively
- Communicate responsibly, professionally and appropriately at all times, bearing in mind the sensitivity of security matters
- Lead by example, living the company values: Personal, Simple & Brilliant
- Team Player: Our team is the key to our success. We embrace and meld diverse backgrounds, roles and experience to provide unparalleled support to each other and our customers.
- Drive: Self-motivation and enthusiasm to develop quality solutions. The ideal candidate will grow with the team, welcoming new challenges and leadership opportunities.
- May manage external suppliers and partners

Key Challenges: (in priority order)

Problem Solving: The role holder will need to be able to understand complex business and IT design and development requirements taking into consideration their functional and non-functional needs and leading the security design. To contribute to IT strategic plans, in particular for integration / services / abstraction, understanding the likely impact of tactical versus strategic solutions being implemented.

Decision Making: The role holder will contribute to the management of security incidents, define action and mitigation planning and be responsible for the security of our architecture.

Strategic Influence: Directly supporting the Architecture Chapter and Leadership team by representing our Security by Design principle. This will directly support the evolution of our target architecture which will encapsulate security rather than conform to it. The role holder will also provide consultancy services to internal teams by offering strategic guidance on security and ensuring security standards are met. This will be to directly support our centre of excellence vision.

Business Knowledge: To understand existing technology, people and processes and how they comply/become compliant to both EE/BT Security Policies and Standards and external standards such as GDPR.

To understand the business area sufficiently to recognise and manage any potential vulnerabilities across all domains. To develop a security capability with the lead architect which will directly support the evolution of the architecture.

People Management:
Manages people? If yes, direct or virtual (project)?
Responsible for: allocation of work (task based), setting direction (objective based), performance management, recruitment, absence management
of direct reports: 0
Overall team size (headcount):
People Management comments:

Financial:
Cost centre manager
OPEX responsibility: n/a
CAPEX responsibility: n/a
P&L responsibility: n/a
Financial Impact comments:

Key Relationships: (level, nature & purpose)
Within own directorate: Senior Managers, Heads of & Directors total awareness of internal aspirations and means of achieving this across all brands within EE Ltd. BAU and transformation development / delivery/test/support teams (all levels), including both technical and UX/business colleagues
across other directorates: Directors, Heads of and Senior Managers PMO, IT
external suppliers: Offshore / Agency interaction, web partners where appropriate
external customers: N/A
Other key relationship comments:

EE values: Be Bold, Be Clear, Be Brilliant

Critical Knowledge & Experience (non time related):

professional / technical

Definitely must have some of:
- An excellent understanding of Information Security Frameworks (GDPR, PCI DSS, Cyber Essentials) can demonstrate at least one in detailed knowledge
- Demonstrable experience as either an architect or a security manager
- Demonstrable experience years in either an application development role, security role, infrastructure/engineering role
- Ability to build strong relationships with Leadership teams and BT Security Practice

Skills and knowledge:
- Excellent technical writing, communication and presentation skills
- Experience at building security programmes (with support from the lead architect)
- Understanding of security technologies, techniques and best practice
- Experience in risk management and security policy implementation
- Experience of Agile (or agile / waterfall hybrid) development practices and techniques
- Good planning and time-management skills
- Experience of working to tight deadlines in a technical environment
- Ability to manage changing business and technical requirements in highly dynamic project environments
- Business process modelling
- Demonstrable knowledge of security standards, approaches and frameworks
- Experience of solution design for customer focused digital services such as web, mobile, ecommerce and ebusiness
- Uses defined tools, templates and standards to design, create and test simple, well-engineered systems, e.g. experience of test driven development
- Conflict management and negotiation skills
- Relationship management of both internal and external customers
- Mentoring and people development
- Risk analysis and change management experience
- CISSP, CISA, CISM certification would be ideal but not essential, can be worked towards as personal development goal
- Experience in the use of corporate wikis and work collaboration tools such as Confluence and JIRA

nice to have:
- Experience of working with teams based across multiple time zones
- Experience of ecommerce platforms and cloud infrastructure e.g. Hybris
- Basic coding experience
- Degree in appropriate subject area (or equivalent)

business / context
internal company knowledge (policies; procedures; strategies); industry background; knowledge of external market

Definitely must have some of:
- Experience in a specialist function relevant to the role
- Broad understanding of IS applications and business areas e.g. Telecommunications, Billing, Data Warehousing, Marketing, Finance
- Experience of working in a team environment
- Experience in delivering designs under waterfall and iterative project models
- Telecom Domain
- Portal Systems / Customer Facing Systems
- User Experience and Security impact

nice to have:
- Formal advanced certification in required technical and domain skills
- Project planning and scheduling experience
- Experience in delivering designs under agile model

Skills and knowledge required for recruitment purposes should be recorded here.

Please select from the list below (also available on the Resourcing intranet site):
- Knowing the Commercials
- Planning & Organising
- Working Collaboratively
- Delivery of Results
- Leading & Implementing Change

Any other comments: Must be naturally curious about new technologies, security, innovation and change in the digital space. Entrepreneurial and catalytic in gaining traction from new ideas inside a large corporate environment.