Details of the offer for IT security architect M/W at STMicroelectronics in Rousset Cedex 2

Department overview:

Reporting to the CIO, the RMIS (Risk Management, Information Security and compliance) department is in charge of information security at STMicroelectronics and of risk management and compliance within the ICT organization.

Role overview:

Within RMIS, reporting to the head of “security engineering and operations”, you will:

  • Maintain and improve the architecture security principles according to the evolution of technology, evolution of security threats and company needs.
  • Validate security in IT solutions and, whenever needed, support architects to solve security challenges in IT solutions.
  • Evaluate, define, build and deploy security solutions.

The position is open for the site of Crolles. Grenoble or Rousset locations may be considered as well.

Experience:

10+ years’ experience in the IT security landscape. You must have a broad knowledge of all aspects of information security, from infrastructure to applications, and be knowledgeable about security technology trends in cloud, mobile and IAM.

You must have at least 5 years’ concrete experience in:

  • Securing manufacturing and industrial systems.
  • Striking the right balance between speed / flexibility / cost / security.
  • Translating technical issues into risks that stakeholders can understand.

 

Role and responsibilities:

With other members of the security engineering team:

 

Framework:

  • Improve and keep updated the framework for “security in architectures and security in the design of IT solution”, which includes the development and maintenance of security patterns.
  • Ensure that the framework is the right one, considering ST business, technology strategy and security threats, as they emerge.
  • Develop the tooling required to support the framework. This allows architects to be as autonomous as possible and allows the security engineering team to focus on the most complex projects / designs.

 

Security validation / support service for all projects:

  • Perform security reviews to validate the design of IT solutions in all domains (business applications, R&D, manufacturing, IT infrastructures), manage exceptions and waivers.
  • Identify security design gaps in existing and proposed architectures, recommend enhancements and help resolve those gaps.
  • Feed the security risk database to ensure that those security gaps are followed up and that their resolution is driven by the KPIs in place.

 

Engineering of security solutions:

  • Participate in the selection / build of security solutions.
  • Propose new approaches / strategies which improve speed / flexibility / cost / security or anticipate upcoming needs (before the lack of such solutions results in loss of speed / flexibility / security or additional cost).
  • Gather information security requirements from RMIS and its counterparts and translate them into actionable solutions.
  • Partner with IT teams to drive the deployment of security solutions.
  • Establish RACIs to ensure clear ownership of responsibilities for security solutions.

 

Leadership and coaching:

  • With enterprise architects, define and document the security architecture target state and put forward a roadmap.
  • Work closely with enterprise architects, solution / technical architects, project managers and IT experts, to ensure that security principles/designs are known and followed across projects and teams.
  • Coach and mentor other members of the security engineering team.

 

Other:

  • Assist the head of “security engineering and operations” in all tasks that may be required to maintain an efficient service to ST.

 

Requirements:
 

  • Bachelor’s degree in computer science or related field, or equivalent experience.
  • Strong knowledge in security architecture, covering IT infrastructure / application design/implementation:
    • Security of cloud designs (IaaS, PaaS, API, CASB) and mobility solutions (MDM, AppVPN…).
    • IoT security (OS, network, standard and ecosystem, management).
    • SDN and SD-WAN security.
    • Security of big data approaches and technologies.
    • Web services architecture (SOA, micro services…).
    • WAF.
    • Design of internet-facing solutions.
    • Software development security (Java, PHP, C/C++/C#, Python, Ajax…).
  • Technical knowledge in security in at least half of the following topics:
    • Network, operating system and middleware security:
      • Network security: LAN, MAN, WAN (IPSEC VPN, SSL-VPN, firewall, IDS, IPS...).
      • LINUX/UNIX OS and hardening.
      • Database security.
    • Security of Windows-based infrastructure:
      • Windows OS and hardening, as well as Microsoft-based architecture (AD…).
      • Endpoint security: antivirus, device control, integrity, HIDS…
    • Design of security solutions:
      • Identity & access management: two-factor authentication, directory, SSO, access controls…
      • PKI (HSM, enrolment authority, smart card, certificate policy).
      • Log management: collection, aggregation, storage, SIEM/analysis, timestamping…
  • Good knowledge of security standards (ISO 2700x, NIST, SANS, SABSA, other industry frameworks / methodologies).

 

  • Indisputable team spirit.
  • Proven interpersonal and collaboration skills in a multicultural environment.
  • Ability to translate technical aspects into risks and to communicate on those risks.
  • Ability to handle several topics in parallel, to “clarify the unknown” and to anticipate.
  • Ability to consider short-term as well as longer term actions.
  • Strong analytical skills.
  • Obviously, TCP/IP and the security of Linux / Windows / virtualization hold no secrets for you.
  • Obviously, you are fluent in English.

 

Certifications:


Certification in the fields of security architecture, security engineering or cloud security strongly preferred (such as ISC2-ISSAP, ISC2-ISSEP, ISC2-CCSP, SABSA).

Generalist Information Security certification (such as CISSP, CISM, GIAC-GSE) appreciated.

Certifications from industry-leading vendors of network security solutions would be desirable but aren’t essential.

 
