Michael Page hiring Principal Security Engineer

2023-08-22 19:30 | Source: compiled from the web | Views: 265

Competitive salary | WFH

About Our Client

Our client is an international professional services brand of firms, operating as partnerships under the brand. It is the second-largest professional services network in the world.

Job Description

Role Title

Principal Security Engineer

Status

New role or combination of existing roles; if combination, what were the original grade/career stage; any confidentiality or regulatory constraints

New Role

No specific confidentiality or regulatory constraints above those of a standard LSEG employee. Not an approved person or similar.

Role Purpose

Developing cyber defence capabilities to protect the group from cyber threats which seek to impact the confidentiality, integrity and availability of group assets. Domain area is Vulnerability & Threat Management.

Reports to

Senior Manager, Vulnerability & Threat Management

Direct reports

No direct FTE reports.

May manage contingents and vendor/partner resources in their deliveries.

Key relationships & committees

Stakeholders include the wider security team including security architecture, cyber strategy business function, governance, risk and compliance, global security operations centre. Programme management. Entity level Business Information Security Officers (BISOs). Infrastructure & Cloud operations, engineering and architectures teams. Internal risk and audit functions. Architecture and corporate approval forums. External stakeholders: partners/vendors, regulators and industry schemes.

Responsibilities

Key responsibilities

Develop and own the strategies, architectures, designs and associated artefacts within the domain area. Technologies have clear roadmaps and lifecycles defined.

Own the controls related to the domain area and ensure they remain effective through their lifecycle.

Lead projects, some with significant risk profile as part of the cyber programme and other initiatives which are complex and span the group and require a broad perspective in solving challenges.

Manage and deliver changes to controls as necessary which are not part of project activity.

Develop key indicators, analysis and artefacts to continually evidence and report control effectiveness and risk for the group.

Escalation support for any operational incident from operations or global security operations centre for related domain technologies.

Manage third parties in their deliveries related to the domain area.

Solve complex problems related to the domain area.

Remain current with principles, concepts and emerging technologies related to the role.

Influence vendor roadmaps and functionality in support of LSEG objectives.

Leadership responsibilities

This role is an individual contributor and leads no FTE headcount. The role holder may be asked to deputise for the Senior Manager during any period of absence.

Expected to manage and direct the engagement of contingent workers where flex resourcing is required. Either contractors or partner resources.

Critical deliverables

Delivery of activities against agreed cyber security strategies. Shapes project delivery with the project management team and the senior manager of the domain area.

Delivery of key artefacts associated with the role, artefacts support evidencing and assurance activities.

Ongoing control operation and effectiveness and evidencing of such.

Reporting, development and management of agreed measures, key performance indicators and key risk indicators.

Impact

As a group level function the role has impact across all parts of the business as it has responsibility for the relevant group security controls which seek to mitigate the risk and impact to the group from cyber-attacks. Impacts include financial, economic, regulatory, customer and brand.

The role is key to addressing regulatory concerns for all of our regulated entities related to cyber security and cyber resilience.

Key KPIs

Delivery of projects and BAU activities within agreed timescales to the required standard.

Issues that are identified are fixed and remain fixed and are not recurring.

Key artefacts for the activities performed by the role exist, are accurate and of required standard.

Agreed measures related to controls owned by the role, for example Key Risk Indicators, are delivered and managed.

Technical / job functional knowledge

Knowledge and experience of the architecture, engineering and operation of vulnerability and threat management technology. Discovery and classification of vulnerabilities across systems and platforms. Guidance & assurance aspects of remediation. Level of knowledge in the domain technology area would be considered as an expert.

Knowledge and experience of different operating systems and platforms in relation to the domain area which includes assurance of security configuration parameters. Level of knowledge would be considered an expert.

Architecture and engineering of layered control capabilities to an expert level.

A strong understanding of information security principles and best practices.

Adversary Tools, Techniques and Procedures. A deep understanding of TTPs is required.

Threat Modelling experience.

Broad technology knowledge across non-core domain area.

Modern engineering practices, automation to drive efficiencies. Infrastructure as Code mindset. Code / scripting for practical tasks and tool integrations.

Structured and methodical troubleshooting practices for resolving the most complex problems.

Policies, standards and security frameworks, NIST, CIS. Strong skills to author formal documentation.

Risk and control, management, monitoring and reporting.

The role holder works independently and with guidance only in the most complex of situations. The role holder is expected to solve problems with sound judgement and in a way that is aligned to good practice and in the long-term interests of the organisation.

The role holder is likely to hold one or more of the following security or engineering/architecture specific certifications, CISSP, OSCP, TOGAF, GIAC or those relevant to the role/domain area.

Business and sector expertise

Experience and knowledge of technology in financial services and/or regulated environments and industry compliance schemes (for example SWIFT) preferred.

Must have significant experience of working in security focussed roles. Likely will have greater than 5 years full time in security roles as part of an overall career in technology in excess of 10 years focussed predominantly in the domain area for the role. Expected to have direct hands-on experience in some of the domain area technologies.

Leadership and management experience

Managing non-FTE deliveries from contingent and/or partner/vendor resources.

Experience in advocating for and influencing change in order to reach best outcome based on the needs of the organisation, stakeholders and from monitoring industry trends.

Mentoring and guiding those at earlier career stages to grow the competence and experience of the team.

Personal skills and capabilities

Collaborating across the group to deliver successful sustainable outcomes for the group and its stakeholders.

Takes ownership and commits to delivering sustainable outcomes and resolving problems.

Demonstrates a bias for action.

Strong track record of delivering results without compromising on quality.

Critical thinker, takes in broad perspectives to assess and make decisions.

Willingness and flexibility to work across different technologies.

Capability to quickly assimilate new concepts and technologies.

Takes ownership of own career development and learning.

Delivering feedback in a way useful for an individual and a team for growth.

Adapts messaging and presentation styles to the needs of different audiences.

Is measured and considered in challenging and high-pressure situations. Is clear and, when necessary, assertive in directing what needs to happen.

What's On Offer

Competitive compensation commensurate with role and skill set

Medical Insurance Coverage worth 10 Lacs

Social Benefits including PF & Gratuity

A fast-paced, growth-oriented environment with the associated (challenges and) rewards

Opportunity to grow and develop your own skills and create your future

Contact: Anwesha Banerjee

Quote job ref: JN-062023-6104352
