BNY Mellon Data and Analytics Solutions is a public- and private-cloud-based software and content offering that builds client-centric data, technology, and content capabilities.
Operating with the skill and agility of a fintech, Data and Analytics Solutions combines the expertise and resources of the Eagle product suite, Intermediary Analytics, and other BNY Mellon technology and data assets. Moreover, the division further extends BNY Mellon's Asset Servicing capabilities in securities and cash into the world's most important asset class, data.
Data and Analytics Solutions helps firms to analyze their data from different vantage points and transform it into actions that can achieve higher alpha and cheaper beta, with lower costs and less risk. Offering an ecosystem of proprietary and third-party business applications, Data and Analytics Solutions helps firms manage their core investment processes and beyond.
Security Architecture and Engineering (SecEng) is a critical service within the BNY Mellon Information Security Program (ISP) and this SecEng Lead role will be reporting to the Chief Information Security Officer (CISO) within the Data & Analytics Business.
What You Will Do and your Key Responsibilities
* Lead team and manage full-scope SecEng service (infrastructure and application architecture reviews, common control design/implementation/testing, document generation of system security plans, communicate architecture and platform risk, advise on vulnerability impact with regard to remediation and/or where necessary implement hotfix/workarounds).
* Collaborating on initial ideal concept POCs with product owners, developers, and technical operation teams within both the Product Development Lifecycle (PDLC) and Software Development Lifecycle (SDLC), and formulating initial threat models for consumption and ownership by Product owners.
* Continuous improvement and service delivery of the Security Architecture and Engineering program, aligning staff, tools, and processes to key security metrics and controls within the PDLC/SDLC enabling timely and secure Product feature releases.
* Provide Security Architecture and Engineering guidance and oversight across Product Management, Research & Development, and Operations teams to influence the design and implementation of upcoming products and services with a mindset of Security by Default.
* Consulting product teams on how to architect and implement secure solutions and ensuring SOC2 audit compliance.
* Responsible for overall Security Architecture and Engineering assessments and posture through security design, threat modeling, owning and implementing common architecture controls throughout the product portfolio and platforms.
* Design and deploy state-of-the-art technology to meet the business needs and interface with business units regarding technical planning and security architecture/engineering topics.
* Perform proof-of-concept and proof-of-technology testing for integrating new 3rd party security products into the development and deployment processes.
* Perform validation of security controls to ensure adherence with compliance and industry best practices.
* Perform hands-on security design, implementation, and testing of products and services to proactively Client risk and track them to resolution.
* Design and assess SaaS and PaaS cloud services and virtualization technologies within Public Cloud Service Provider (CSP) offerings.
* Use a risk-based approach, advocate for and help prioritize remediation of security findings, and develop/report metrics measuring the state of the application security program.
Manages multiple teams responsible for organization data protection. Oversees and develops policies regarding CTS security architecture, security monitoring and auditing, incident reporting/response and forensics. Leads and oversees broad information security projects and resourcing. Liaises with business process owners to ensure ongoing alignment. Participates in the planning and implementation of security for complex CTS projects. Evaluates security applications and systems. Presents recommendations on whether to use systems to senior management. Demonstrates advanced ability to conduct cost-benefit analysis to justify investment in security and/or COB controls to mitigate risks. Presents advanced analyses to senior management with recommendations aligning customer/business needs and capabilities. Evaluates new and emerging products and technologies, recommending which technologies to implement, develops functional specifications and documentation. Monitors budgets and schedules for projects conducted by teams and ensures they are completed in a timely manner. Recruits, directs, motivates and develops staff, maximizing their individual contribution, their professional growth and their ability to function effectively with their colleagues as a team. Manages multiple information security teams. Contributes to the achievement of multiple teams' objectives.
Qualifications
* Bachelor's degree in computer science or a related discipline, or equivalent work experience required, advanced degree preferred. 12+ years of experience in information security or related technology experience required, experience in the securities or financial services industry is a plus.
* Previous experience in information security architecture and engineering domains (e.g., design/implementation reviews, threat modeling)
* Experience working within enterprise class application architectures that are highly scalable and reliable and the ability to secure them
* Experience with DevSecOps tooling
* Experience with Public Cloud (e.g., Azure, AWS, and GCP) technologies (e.g., Kubernetes, containers, databases as a service)
* Experience with securing containers, hosts, databases, and application solutions for multi-tier and microservice systems.
* Strong knowledge of building security into continuous integration and delivery (CI/CD) pipelines.
* Ability to understand business requirements and apply security without adversely affecting the desired functionality
* Relevant security certifications a plus (such as: CISSP, CISM, GPEN, GCIH)
* High level of personal integrity, with the ability to professionally handle confidential matters, and reflect appropriate level of judgment as it pertains to security.
New York, New York
The Bank of New York Mellon Corporation provides a range of financial products and services to institutions, corporations, and high net worth individuals in the United States and internationally. The company operates through two segments, Investment Management and Investment Services. It offers investment management, custody, foreign exchange, fund broker-dealer, collateral and liquidity, clearing, corporate trust, global payment, trade finance, and cash management services, as well as securities finance and depositary receipts. The company also provides mutual funds, separate accounts, and wealth management and private banking services; and trust and registered investment advisory services. In addition, it engages in leasing, corporate treasury, derivative and other trading, corporate and bank-owned life insurance, renewable energy investment, and business exit activities. The Bank of New York Mellon Corporation was founded in 1784 and is headquartered in New York, New York.