Details of the offer for Head of security of manufacturing M/W at STMicroelectronics in Rousset Cedex 2

Head of security of manufacturing and industrial IT / digital solutions

 

Department overview:

Reporting to the CIO, the RMIS (Risk Management, Information Security and compliance) department is in charge of information security at STMicroelectronics and of risk management and compliance within the ICT organization.

Role overview:

Reporting to the head of RMIS, you will:

  • Ensure information security risks in ST manufacturing and facilities are identified and mitigated or accepted.
  • Build and lead the network of business InfoSec Officers in the concerned business organizations so as to guide them and to coordinate security progress in manufacturing and facilities.
  • Identify the required security controls in manufacturing and facilities (business process, IT solutions, access rights management), implement them (or drive their implementation) and monitor them.
  • Using the support of the other RMIS groups, validate security in IT / digital solutions for manufacturing / facilities and drive the yearly security assessments plan in IT / digital solutions for manufacturing / facilities.

 

The position is located at the Crolles site. The Rousset location may be considered as well.

Experience:

10+ years’ experience in the IT security landscape. You must have a broad knowledge of all aspects of information security and be knowledgeable about new security technology trends in cloud, IoT, mobile and IAM.

You must have several years’ concrete experience in:

  • Security in manufacturing and industrial environments:
    • Covering MES (Manufacturing Execution System) and its ecosystem, manufacturing equipment and facilities equipment.
    • Use of “generalist” security approaches (network segmentation and security perimeter, system sealing, network access protection…) applied to industrial environments.
    • Specific ICS security protections.
  • Striking the right balance between speed / flexibility / cost / security.
  • Translating technical issues into risks that stakeholders can understand.

 

Role and responsibilities:

You will work closely with the head of RMIS to:

  • Act as the primary RMIS interface for a security project that is starting. This includes but is not limited to France fabs.
  • With the support of the other RMIS groups (which include "security engineering", "IT infrastructure security" and pen testers):
    • Ensure that security is taken into account in projects for IT / digital solutions in manufacturing and facilities.
    • Build and lead execution of the yearly security assessment plan of IT / digital solutions in manufacturing / facilities.
  • Build and animate the network of business InfoSec Officers (GISO) to ensure security alignment with business priorities:
    • Ensure that "diamonds" (*) within manufacturing and facilities are identified. (*) assets which require stronger protection due to customers' requests or criticality to business.
    • Ensure that security is addressed in deals with suppliers and other business partners in manufacturing and facilities.
    • Define security controls related to the protection of manufacturing and facilities.
    • Define and maintain the security dashboard for use by the GISO to report the security status of their groups.
    • In close work with GISO, business owners, embedded IT, RMIS security experts and the IT groups in charge of manufacturing, ensure that security risks in manufacturing and facilities are assessed and mitigated or accepted.
  • Drive studies to define roadmaps for better protection of manufacturing and facilities, and put forward projects.
  • Guide ICT and business stakeholders in defining sensible security requirements for IT / digital solutions for manufacturing and facilities.
  • Raise security awareness in manufacturing and facilities at all levels.
  • Assist the head of the "ICT Risk management, compliance and information Security" in all tasks that may be required to maintain an efficient service to ST.

 

Requirements:
 

  • Master's degree in computer science or security, or equivalent experience.
  • Fluent English.
  • Generalist knowledge in all fields of information security.
  • Good knowledge of network security and system security (Windows, Linux, including system sealing solutions).
  • Experience in security in manufacturing and industrial domain and ICS specificities.
  • Familiar with current and future developments within the area of security in cloud, IoT, mobile and IAM.
  • Strong knowledge of ICS security standards (ISA, NIST, ENISA…).
  • Knowledge of general security standards (ISO 2700x, NIST, SANS…).

 

  • A pusher:
    • Ability to treat several topics in parallel, to "clarify the unknown" and to anticipate.
    • Ability to convince. Tenacity.
    • Ability to identify and use the right levers to get things done.
    • Ability to consider short-term as well as longer term actions.
    • Result oriented.
  • A security expert with ability to execute by himself:
    • Self-starter.
    • Ability to leverage her/his skills (technical skills as well as soft skills) and experience to overcome obstacles.
    • Proven ability to keep learning and to keep up to date.
  • A security expert able to communicate:
    • Ability to translate technical aspects into risks and to communicate on those risks.
    • Ability to interface with diverse people at all levels.
  • A strong teammate:
    • Indisputable team spirit.
    • Proven interpersonal and collaboration skills in a multicultural environment.

 

Certifications:

ICS security certification (GIAC-GICSP, ISA/IEC 62443 Cybersecurity Expert) preferred.

Generalist Information Security certification (such as CISSP, CISM, GIAC-GSE) appreciated.

Certification in the fields of security architecture, security engineering or cloud security (such as ISC2-ISSAP, ISC2-ISSEP, ISC2-CCSP) is a plus.
