1. Drives and supports the solution architecture development process from context to physical architecture and ensures that all relevant security controls are embedded early in the SDLC phase.

2. Works with technical and business stakeholders to identify architectural attributes that may influence threat and attack vectors.

3. Collaborates with business and technical stakeholders to develop data flows, user profiles, data dictionaries, release notes, technical specification and process flows as input for threat modeling activities.

4. Reviews high level conceptual and logical architectural artifacts and presents findings to the IMF’s Enterprise Architecture Review Board.

5. Performs threat modeling activities and communicates outcomes to platform engineers, Information Security Risk Management and the Application Security teams.

6. Develops technical road maps towards achieving mid to long-term enterprise security architecture goals like zero trust architecture, automated threat modeling, secure by default, policy as code and pattern as code.

7. Attends project and enhancement meetings to advise and provide input on security architecture related issues.

8. Develops and ensures security reference architectures and patterns are up-to-date, standards-based, relevant, and agile to meet evolving business and technology needs and knowledge gaps.

9. Research new information security capabilities and technology for continuous improvement of self and the organization.

10. Collaborates with the information security assurance team on developing practical and applicable information security baselines and referencing those baselines in Enterprise Security Architecture documentation.

11. Drives and documents security architecture artifacts for protecting the IMF’s crown jewels and strictly confidential assets.

12. Collaborates with IMF’s DevOps team to define guardrails and process flows for configuration, development, delivery, and deployment pipelines.

13. Collaborates with the IMF Enterprise Architecture Division to create visibility of activities between ISG and EA division to ensure continuous synchronization.

14. Manages the implementation of an awareness program for promoting information security architecture principles and their application with business and IT stakeholders.

Requirements:

Advanced degree in information security, computer science, engineering, mathematics, or related field of study plus a minimum of 4 years of progressive information security work experience; or a bachelor’s degree in information security, computer science, engineering, mathematics, or related field of study and minimum of 10 years of progressive information security work experience.

• Candidates should possess one or more of the following certifications.  CISSP, CISM, SABSA, CISSP-ISSAP, CSSLP, CCSK, or GSSP.

Work management skills

• Familiarity with a broad range of technologies supplemented by in-depth knowledge in specific areas of relevance. Ability to quickly grasp how new technologies work and how they might be applied to achieve business goals.
• Excellent insight of business and technology trends and their impact (risks and opportunities) to business enablement.
• Analytical skills that enable synthesis and correlation of inputs from many sources and allow for strategic thinking and tactical implementation.
• Ability to establish and maintain effective partnerships and working relations in a multi-cultural, multi-ethnic environment with sensibility and respect for diversity.
• Excellent management, organizational and interpersonal skills to influence others towards a shared vision and positive results with or without the line of command.
• Excellent written and verbal communication skills that are compelling, convincing and reassuring, with the ability to articulate complex technical ideas to non-technical stakeholders.
• Personal drive, ownership and accountability to meet deadlines and achieve agreed-upon results.

Technical Skills

• Deep and hands-on understanding and expertise in at least 4 of the following 6 areas – Infrastructure, Application, Network, Cloud Security, Identity & Access Management and Security Automation.
• An understanding of Azure Cloud and Microsoft 365 security controls, solutions, and future roadmaps.
• Advanced knowledge Azure Key Vault, Azure Kubernetes Service, Azure Active Directory, Defender for Cloud, Azure monitor, Azure API Management, Application gateway.
• Understanding of application security assessment methods: OWASP Top 10, OWASP Application Security Verification Standard (ASVS), OWASP Mobile Application Security Verification Standard (MASVS), Attack and Defense techniques.
• Understanding and ability to perform threat modeling on a diverse category of architecture (Referencing STRIDE, DREAD, MITRE ATT&CK Frameworks)
• Experience implementing and designing DEVSECOPS and Security Automation delivery pipelines with automation tools like SAST, DAST, SCA, Container Security tooling.
• Familiarity with cloud security concepts like landing zones, Isolation concepts, NSGs/VCNs, conditional access, CI/CD pipelines.
• Familiarity with Datacentric Architectural concepts (Data storage, data lakes, raw and transformational data vaults, data isolation, ETL/ELT ingestion pipelines).