Novartis is actively seeking a Security Architect - Applications Information Security to join our team in Cambridge, MA.
This Information Security Architect works across information security and risk management and with all IT functions to define technical security standards, design and blueprint security architecture and support project teams in choosing the right security architecture within the Application Security domain.
Also, ensures that Novartis has accurate, threat driven, and timely understanding of vulnerabilities within the global design and source code of technology and that processes address remediation.
Takes responsibility for standards of architecture in the Application Security domain and ensures the effective elaboration, validation, and communication of the architecture for Application Security.
Ensures processes are well designed and operating effectively for software vulnerabilities reporting to stakeholders.
Embed secure design lifecycle, including project information risk and associated security testing and oversee practices as the threat landscape evolves.
Be accountable for the threat posture in software design, driven by the level of vulnerability remediation globally.
Management of security aspects of the Systems Development Life Cycle (SDLC) service; overseeing processes and enforcing standards to plan, create, test, develop and deploy applications securely in the Novartis IT landscape.
Ensures project technology deliverables within the Application Security domain are tested effectively by assigning appropriate methodology, e.g. source code review, penetration test.
• Complete oversight of entire secure design lifecycle:
o Define the tooling and services required for secure software design and development globally across major design fields, e.g. digital, ERP, web applications and Industrial Control Systems.
o Define and manage the tooling and services required for security testing services, e.g. penetration testing, mobile application security testing, source code inspection.
o Define the tooling and services required for information risk management during projects.
o Oversee all vendor contracts for secure software design and development.
o Define and report to CISO the appropriate metrics to judge operational effectiveness as well as outstanding risk of the organization due to vulnerabilities introduced by projects, e.g. software vulnerabilities and insufficient development practices
o Define remediation requirements for global Application Security project and development teams.
o Manage associates that operate secure software design and development and remediation oversight
o Define requirements for system retirement or other protection in case software vulnerabilities cannot be addressed in source code itself
o Ensure information risks introduced by new technology and technology related services are identified, communicated to appropriate stakeholders and remediated
o Ensure applications are effectively security tested, according to their criticality, throughout development and its’ lifecycle.
o Ensure that project and development teams gain a sufficient level of IT security awareness for designing new services, technology and source code to gain an effective and sustainable IT security improvement and lower risk to the organization when projects are handed over to operations.
• Provide in depth expertise to Application Security topics
• Develop and enforce security policies and procedures across the Application Security Domain
• Design security measures and an overall security architecture for the Application Security landscape in line with the ISRM policy framework
• Ensure Information Security regulatory compliance
• Ensure auditing of security policies and procedures
• Take responsibility to ensure adherence with Security and Compliance policies and procedures within Security Architect scope
• Ensure that developed solutions are peer reviewed and formally documented
• Ensure accurate provisioning and metering of services
• Support projects in secure application design
• Identify major internal application security related deficiencies and suggests pragmatic approaches on how to remediate them at scale
• Collaborate closely with other Security Architects and IT Architects on Application Security related matters
• Promote IT Security culture
• Solution oriented, can define various pragmatic alternatives leading to appropriate application security results
• Reports on application security status across company
• Ensures industry network in regards to Application security
The Novartis Group of Companies are Equal Opportunity Employers and take pride in maintaining a diverse environment. We do not discriminate in recruitment, hiring, training, promotion or any other employment practices for reasons of race, color, religion, gender, national origin, age, sexual orientation, marital or veteran status, disability, or any other legally protected status.
University degree in business/technical/scientific area or comparable experience
• 8 + years of working experience; 4 of those years with Information Security management
• 5+ years of working experience managing a Security SDLC program
• Demonstrated senior leadership skills:
2 plus years’ experience in senior management positions in a matrix organization
• Experience in reporting to and communicating with senior level management (with and without IT background), with and without in depth risk management background on information risk topics
• Excellent understanding and knowledge of general IT infrastructure technology, systems and management processes
• Experience of sourcing complex IT services, working closely with vendors and making full use of their capabilities
• Proven experience to initiate and manage projects that will affect other divisions, departments and functions, as well as the corporate environment.