Overview
As a Senior SecOps Engineer, you’ll monitor, analyse, risk assess and remediate the security of our digital programs using applicable security frameworks such as the Australian Government Information Security Manual (ISM).
Key responsibilities include:
Apply cyber security framework principles, using risk-based methods to protect systems and data from cyber threats
Provide security services to Salsa clients
Assess Salsa’s internal processes, systems and tooling to provide a proactive approach to Salsa internal operations
Contribute to the success of our whole-of-government programs by providing ongoing security consultation, assessment, and proactive security services
Help Salsa scale our security services
The ideal person for this role will have an operational security background at enterprise scale, have technical expertise, be hands-on, love tech, be a great communicator, and have energy and vision to be a key part of Salsa delivering value to clients.
Responsibilities
The Senior SecOps Engineer is expected to interface with three groups — the Salsa Digital project team, Salsa client teams (such as the GovCMS and SDP program stakeholders) and Salsa executive management.
Responsibilities include:
Ramping up within complex, enterprise-grade, technical environments quickly
Aligning with regulatory frameworks — Becoming aware of regulatory requirements such as ISM/IRAP (for GovCMS) and whole-of-Victorian-government cyber security strategies (for example, VicGov Cloud Security) and the implications of these frameworks across people, process and technology
Identification of SecOps vulnerabilities and exposures — Proactive identification of gaps and/or exposures in security posture of technical solutions and considered recommendations to address
Determining SecOps opportunities via an understanding of present security pain points and exposures for each major program of work, driving the delivery of a backlog of security risk mitigation actions and initiatives across each program
Maintaining an active SRMP (Security Risk Mitigation Plan) and SSP (System Security Plan) for each major program of work and driving the actions to deliver on planned activities of the SRMP
Researching technical solution options to address security exposures and documenting and presenting these options to different stakeholders
Analysing the security implications of platform changes or technical issues, providing oversight to technical change management from a security perspective
Collaborating with other technical stakeholders to determine optimal technical solution pathways and producing appropriate documentation; providing a security perspective as required
Building and releasing solutions to address security risks
Being a go-to person for technical security advice to help explain technical approaches and general knowledge-share for SecOps approaches and considerations
Working with the Product Owner (platform) to help plan and communicate the product roadmap providing input into business imperative features from a security perspective
Maintaining knowledge of industry best practice SecOps tools, applications and solution approaches
Building authentic open relationships with stakeholders — Supporting a project/program culture with open communication, trust and respect
Representing Salsa’s strong open ethos and brand to establish new trusted relationships and nurture existing ones
Requirements
The following general behaviours and experience are required:
Enterprise-grade security experience in digital programs, ideally within government
Practical knowledge and experience of relevant security frameworks such as ISM/IRAP, WoVG technical policies and standards, and/or OWASP
Strong working knowledge of digital web technologies including application, devops, hosting and containerisation technologies (Kubernetes)
Strong problem solving skills
Ability to speak authoritatively on complex technical matters, in particular security principles, risks and solutions
Exceptional communication with customer and internal managers — Listening and providing answers
Ability to build good working relationships with all program stakeholders
Ability to gather and assimilate information
Ability to adapt and prioritise
Ability to think ahead and anticipate problems, issues and solutions
Experience working on projects/programs using agile methodologies
2+ years as a SecOps or Security Engineer
3+ years’ experience as Technical Lead/Architect or DevOps Engineer
Ideally an ability to transition seamlessly between SecOps Engineer and DevOps Engineer
A critical mass of the following specific technical skills is required:
Practical experience with complex technical solutions and achieving ISM/IRAP certification
Security consulting within digital domains using toolsets such as:
Web-serving architectures (nginx/apache/varnish)
CDN technologies (akamai, cloudflare, cloudfront, static, etc.)
Docker (docker-compose, image management)
Kubernetes cluster management (EKS, AKS, Lagoon, etc.)
CI (gitlab, circle, jenkins)
AWX, Ansible
ELK stack (elasticsearch, logstash, kibana)
AWS technologies (S3, EC2, RDS, Elasticache, SES, etc.)
PHP/CMS frameworks/platforms a plus (Drupal/Wordpress/Laravel)
Execution as a SecOps in complex regulatory environments
Demonstrated experience in current-state, future-state and transition-to-future-state of internal security systems and processes
Key performance indicators
The following KPIs are desired and presented here as a point of reference for discussion and negotiation with the Senior DevOps Engineer.
Technical knowledge and SecOps delivery
Demonstrated ability to speak authoritatively on complex technical security matters ranging across the full suite of technologies implemented on the platform (app, SecOps, DevOps and hosting)
Recognised by customers as a skilled technical leader in the security space (as measured by ratings on the program performance feedback survey)
Delivery of impactful SecOps results (as measured by increased security posture of platform and low frequency of security exposures raised by owners of the programs/platforms)
Contributor to Salsa technical thought leadership via any/all of blogs/vlogs, open source community contributions, authoritative technical whitepapers, etc.
Stakeholder communication & management
Built good working relationships and effectively communicated with customers (as measured by ratings on the program performance feedback survey)
Built good working relationships with internal and subcontractor stakeholders
Benefits
In becoming a Senior SecOps Engineer at Salsa Digital you can expect the following benefits:
Work with a team with incredible flexibility around working hours and working location
Work with a team of professionals in a flat organisational culture
An annual budget for education, health & wellness
Work with a team serious about its values, serious about open source
Attend professional conferences and events that support and improve your insights and knowledge to produce great work
A company culture that’s rigorous, transparent, accountable, continuously improving, commercial, innovative and values diversity — all of Salsa’s core values
About Salsa
Salsa is a Melbourne-based agency with a 15+ year legacy in open source. More about
Salsa technical landscape
The articles below provide further context for the Senior SecOps Engineer role and Salsa’s involvement in major digital programs within government.
Creating a single digital presence for our citizens
Salsa partnered with the Department of Premier and Cabinet to realise the vision of an open platform Vic Gov. It was a true partnership with a shared commitment to open government.
Single Digital Presence...delivering value
Victoria’s Single Digital Presence (SDP) brings many benefits to citizens, agency content authors and the Victorian Government as a whole. The vision, value, and future are all focused on delivering.
GovCMS — whole-of-government content management platform
A secure, scalable, open source platform to help government deliver digital info and services quickly and reliably.
Open Data Insights
Open Data Insights is our blog series that profiles government datasets we believe are worthy of your time.
Digital Transformation in Government
Digital transformation in government (DTIG) focuses on policy, technology and technology-based projects that can (or have) transformed the way government works and the way it interacts with citizens.
The Salsarian values
A big part of Salsa’s culture can be attributed to our seven key values we genuinely live by. More about our
Interested?
If this role excites you and you would like to explore further, please reach out:
Paul Morriss
Director
03 9910 403