R3 is a financial innovation firm that leads a consortium partnership with over 100 of the world’s leading financial institutions. We work together to design and deliver advanced distributed ledger technologies to the global financial markets.
R3 has employees based in over 11 (and counting!) countries across the globe, with our headquarters in London, alongside office locations in New York City and Singapore. Our vibrant and centrally located offices are filled with collaborative spaces, healthy (and some not so healthy!) snacks and state of the art work spaces and equipment.
The security and risk specialist is responsible for the design and maintenance of the policies and organisational controls within R3’s information security management system. Reporting to the information security manager, and part of a small team of information security specialists, you will ensure that the control environment supporting R3’s twin missions of enterprise software vendor and operator of the Corda Network is appropriately designed to address the information risks faced by R3. In particular you will be helping to develop the control environment for the Corda Network, a publicly-available internet of Corda enterprise blockchain nodes. This is an exciting role, and not for the faint hearted. You’ll be working to help define the control environment for a new technology stack and provide assurance for some demanding customers.
You’ll have an information security and risk management background in a financial, telecoms or critical infrastructure service provider, or maybe an enterprise-scale end-user security department. You’ll be used to working in environments with comprehensive security control environments, but have the insight to bring a risk-based approach to a fast-moving company with a start-up culture. This is an opportunity to help “write the book” on building a security control environment for enterprise blockchain. If this sounds like you, read on.
Responsibilities (the security and risk specialist will …)
- Work with the wider business to identify and analyse information risk, assess the likelihood and impact of that risk and recommend and implement appropriate controls.
- Maintain the information security risk register, facilitating the various meetings and workshops that are required.
- Contribute to the development, operation and maintenance of R3’s security control environment (ISMS) including information security policies and non-technical (organisational) operating procedures and guidelines.
- Work with the R3 platform development and operations teams to help ensure that security requirements are baked-in to products and operations.
- Engage with pre-sales and professional services teams to provide assurance to clients with regards to R3’s security control environment.
- Work with the wider security team to prepare for and undergo external assessments of the security control environments which you help to develop. R3 anticipates undergoing a SOC 2 assessment within a year.
Qualifications (the must haves …)
- First and foremost we want you to love what you do. You’ll need to be a security evangelist within R3 and the community of Corda Network participants, both current and future.
- You’ll have five or more years’ experience in a direct information security role, with at least three of those specialising in governance, risk and compliance activities. We’d love to see evidence of other experience too; you might have been a developer or network operations person in a previous life.
- We believe that we work better as a team, and hope you share that belief. You’ll be working in a diverse group of people with a variety of skills and backgrounds, so a high level of emotional intelligence will be assumed.
- You’ll need excellent communication skills, both verbal and written. You’ll be happy presenting to the company at all-hands meetings or explaining the control environment that you have helped to develop to R3’s clients or service auditors.
- R3’s control environment is risk-driven. You’ll have significant hands-on experience of performing risk analysis and assessment and recommending appropriate controls. A working knowledge of ISO 27005 would be great, but experience with other standards will probably be acceptable (so long as you can demonstrate competence in risk management).
- You will have relevant experience of developing and operating security controls in mission critical service delivery environments. Financial services experience would be ideal, but experience in other areas such as telecoms or other critical infrastructure may also be a good fit.
- You will have had experience working within a well-known security control framework, such as the ISO 27000 family, COBIT or NIST cybersecurity framework. You will have worked in an organisation certified to ISO 27001 or that has undergone SOC 2 assessments. You will have played a significant, if not leading, role in the acquisition and/or maintenance of those certifications or assessments.
- You will have a solid appreciation of the variety of technical controls available to R3 including endpoint security, identity and access management, network security controls (firewalls, VPN), intrusion detection and security event management/log analysis tools. You won’t be expected to be hands-on in deploying these tools, but you’ll certainly need to be aware of how they fit within the control environment which you will help to design and operate.
- You’ll have a good understanding of the management of cryptographic keys, including specific organisational and technical controls to support key management activities. We don’t expect postgraduate mathematicians, but you should know your AES from your elliptic curve.
Qualifications (the nice to haves …)
- Relevant professional qualifications would be great. We’d love an ISO 27001 lead auditor on the team (though we’re not planning for ISO 27001 certification in the near future). We have ISACA and ISC2 members already, so we’ll obviously look favourably on professional certifications, including (but not limited to) CISSP, CISM or CRISC (if you are an OSCP, this is probably not the job for you – see our security engineering job spec for that). You’ll need to demonstrate that any certifications you claim are valid and current (we will check).
- Understanding of public key infrastructure would be very useful. We’d be particularly interested to hear from people who’ve worked in internal PKI teams or for commercial CAs.
- An engineering or science degree would be great, but appropriate career experience is just as important. Be prepared to tell us all about that experience.