  • Posted: Aug 21, 2025
    Deadline: Not specified
  • Air Traffic and Navigation Services Provider in South Africa. ATNS is responsible for managing 10% of the world's airspace.

    Head of SecDevOps

    Job description

    Major Activities

    • Develop the SecDevOps strategic plan to contribute to the overall IT strategic plan to enable achievement of the ATNS business strategy.
    • Build upon the ICAO Aviation Cybersecurity Strategy to ensure safety, security and continuity of ATNS services in a world increasingly jeopardized by cybersecurity threats.
    • Actively participate in the development of the National Aviation Cybersecurity Strategy that underpins the aviation industry mind shift and behavioral change to carry out the identified cybersecurity key concepts supported by the establishment of a cybersecurity culture and awareness developed through collaboration and industry partnership.
    • Ensure alignment of the application portfolio to the business strategy and business operations requirements.
    • Drive the adoption of best practices in software development, configuration and support that integrate principles of lean thinking, continuous improvement and agility, e.g. Test-driven Development, Continuous Integration.
    • Lead the secure development and maintenance of ATNS digital platforms, supported by peers in infrastructure management, data and analytics, and information security, in line with the ATNS modernisation strategy.
    • Establish, together with the South African Civil Aviation Authority, an Information Sharing Group for governance and compliance, consisting of all aviation ecosystem role players, with a trust framework that can be leveraged by the RSA aviation community as a whole.
    • Participate in appropriate ICAO regional and international cybersecurity and SADC forums that will advance ATNS cybersecurity position and objectives.
    • Collaborate effectively with technology peers and colleagues across the organization.
    • Lead application rationalisation informed by business value analysis of the application inventory
    • Transform the application landscape through scalable applications and technology, enabling business efficiency and growth.
    • Apply strategic judgement to inform build or buy decisions.
    • Ensure that all IT applications adhere to relevant standards including those set out by the relevant technology governance structures.
    • Provide cybersecurity technical leadership and guidance in ICAO, CANSO, SADC and other appropriate planning groups, sub-groups, working groups and task forces.
    • Develop and maintain the applications roadmap in line with agreed company priorities, initiatives and expected operational service levels.
    • Lead the evolution of IT applications to a secure private cloud, applying sound architecture principles and best practices to future-proof ATNS business capabilities.
    • Provide hands-on technical leadership in the planning, design and implementation of new application solutions, coordinating own staff, suppliers, ATNS teams in order to meet identified requirements, budgets and timelines.
    • Ensure routine standard operating procedures are documented, kept up to date and followed.
    • Provide support for use of secure private cloud-based SaaS, PaaS and IaaS solutions, leveraging Enterprise agreements where possible to advance the ATNS cloud strategy.
    • Ensure compliance with relevant legislation, regulation and compliance requirements including POPIA, GDPR, ECT, National Cybersecurity Policy Framework, SA Cybersecurity Crime Act, Critical Infrastructure Protection Act, ICAO Annex 17 and 13, ICAO Cybersecurity Strategy and Action Plan, National Airspace Master Plan, ICAO SARPS, Global Air Navigation Plan and AFI Air Navigation Plan.
    • Lead efforts towards adherence to the appropriate aviation cybersecurity standards and changes thereof, i.e. ARINC 664, ARINC 811, ARINC 823 part 1, ARINC 823 part 2, PREN 16495 Air Traffic Management, ED-201, ED-202A, ED-203 and ED-204.
    • Provide strategic leadership and guidance in the management of IT applications, operations and security to ensure effective solution delivery and support to ATNS teams.
    • Provide a trusted interoperable environment that enhances secure end-to-end communications and also protects critical systems in communication, navigation, surveillance and air traffic management elements such as ACARS, GPS, ADS-B, CPDLC and ground infrastructure. Develop and maintain CNS cybersecurity policies, processes, procedures and standards reflective of the aviation systems' complete life cycle, i.e. BYOD, EFBs, Ticket Booking Portals, Identity & Access, Wireless Access Points, Gatelink, CDM, Baggage Handling, Departure Control, SCM, VPN and Wi-Fi Security Policy.
    • Perform continuous vulnerability management on CNS systems by regularly reviewing cybersecurity obligations, threat context, exposure and risk to establish maturity.
    • Contribute to the overall security strategy for the organization, ensuring that security is an intrinsic element of ATNS software development processes.
    • Secure Software Development Lifecycle (SSDLC): Institute and enforce SSDLC practices, ensuring the infusion of security into every phase of development. 
    • Keep abreast of technology trends, local and global regulatory requirements, and evolving best practices in solution delivery and application management.
    • Provide cybersecurity controls (covering people, processes and technology) designed to protect CNS systems, networks and data from digital attacks. This includes in depth controls for all CNS systems and network security such as Next Generation Firewalls, Wireless/Wi-Fi Security, Authentication, DNS, VPN, Systems Hardening, Cryptography, Identity & Access Management, User Account management, Data Loss Prevention, Intrusion Detection and Prevention, Multifactor Authentication, Patch Management, Network Segmentation, Endpoint Security and Privacy by Design.
    • Schedule and implement regular maintenance of applications in order to maintain a reliable and stable IT environment.
    • Drive cybersecurity controls to ensure that the aviation infrastructure systems and information systems ranging from legacy systems to next generation satellite communication systems are resilient to cyber-attacks and remain safe and trusted globally, whilst continuing to innovate and grow in all the defined or determined areas within the South African sovereign and delegated continental and oceanic airspace
    • Manage solution delivery initiatives, build or buy, to ensure quality coding and/or that solutions are delivered efficiently
    • Review and update SSDLC to improve solution quality and delivery timeframes
    • Partner with all stakeholders to meet functional requirements and to comply with regulatory requirements in a dynamic business environment
    • Collaborate with all relevant technology peers in every phase of the value chain: project management, architecture, information security, quality assurance, business and technical specifications, third-party sourcing, etc.
    • Facilitate continuous improvement of the application development/sourcing processes
    • Establish appropriate metrics for performance measurement of the Applications Team.
    • Container Security: Assure the security of containerized applications and images.
    • Secrets Management: Safeguard and efficiently manage sensitive information and credentials utilized in the software development and deployment workflow.
    • Vulnerability Management: Oversee and actively resolve vulnerabilities across the digital platform, collaborating closely with development and operations teams.
    • SAST/DAST Controls: Implement Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) controls to spot and mitigate security risks.
    • CVE and CVSS Management: Administer Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS) criticality and severities for software.
    • Risk Management: Identify, evaluate, and mitigate security risks, partnering with teams to conceive risk mitigation strategies.
    • Project Management: Supervise security-related projects, ensuring timely and budget-compliant completion.
    • Agile Collaboration: Actively participate in planning meetings and stand-ups, addressing security concerns and risks within an agile development framework.
    • Incident Response: Lead and coordinate security incident response, encompassing investigation and resolution.
    • Policy and Process Management: Create, revise, or archive security policies and documented processes in alignment with industry best practices.
    • Technology Trends: Stay abreast of emerging technology trends, frameworks, and security methodologies to bolster software security.
    • Security Advocacy: Cultivate a culture of secure coding and configuration across all applications and features.
    • Leadership and Team Management: Oversee and mentor a team of DevSecOps engineers and specialists. Set clear objectives, provide consistent feedback, and support team members' professional growth. Foster a collaborative and innovative team milieu.
    • Define and continuously enhance DevSecOps processes and practices.
    • Security Integration: Embed security practices throughout the software development lifecycle (SDLC). Collaborate with development, operations, and security units to implement security controls and best practices.
    • Automation and Tools: Implement and manage SecDevOps automation tools and technologies. Continuously evaluate and select appropriate tools to augment the SecDevOps pipeline.
    • Maintain constructive and productive stakeholder relations across the business and with relevant external parties
    • Visible and active leadership of the organisation's applications landscape.
    • Manage the allocation of duties and the performance of all staff in the team
    • Determine capacity requirements (fixed and variable) to effectively deliver the required value and service.
    • Manage outputs by third-party suppliers to ensure optimum value
    • Develop and maintain, together with the South African Civil Aviation Authority, a clear national governance and accountability framework for civil aviation cybersecurity to ensure coordination with the competent national authority for cybersecurity.
    • Develop a RACI matrix that clearly identifies and assigns information security roles for the various experts and stakeholders.
    • Identify key risks, develop and implement effective mitigating plans and actions in order to avoid or minimise relevant risks, and report and raise these risks in the appropriate forums.
    • Implement a cybersecurity resiliency metric to facilitate decision-making and accountability, to facilitate cyber maturity in CNS systems.
    • Ensure that effective data recovery plans are in place to ensure business continuity in case of a disaster or potential threats.
    • Ensure adherence and compliance with the relevant regulatory framework.
    • Ensure training of all users on the applicable compliance and governance requirements.
    • Identify the key SecDevOps-related risks across the business, and raise them in applicable forums.
    • Ensure timely compilation and submission of all required reports (internal and external) to ensure compliance with all governance requirements.
    • Ensure optimisation of human resources through effective deployment and management of skills.
    • Develop a robust cybersecurity culture through structured training and awareness programs to capacitate staff from end to end, i.e. Cybersecurity Education, Training and Skills.
    • Ensure that staff is managed in accordance with HC policies, processes and practices.
    • Ensure continuous development of staff. Ensure that staff remain suitably trained to achieve expected performance outcomes in a dynamic technology environment.
    • Create and maintain a harmonious and effective work environment to support a motivated, high-performance culture.
    • Educate and upskill development teams and managers on secure coding practices, OWASP standards, and other IT security-related subjects.
    • Ensure effective management of expenditure in line with business priorities and within financial parameters.
    • Report on expenditure on a monthly basis, including possible deviations to the budget.

    Minimum requirements

    Minimum Qualifications

    • Bachelor’s degree in Information Technology, Information Systems or a related field 
    • Postgraduate Degree in Information Technology, Information Systems or a related field                
    • Master's degree preferred.
    • Certification: PMI-ACP, OSCP, CEH, CISSP. Other certifications like TOGAF, ITIL, COBIT or related certifications would be an advantage.
    • Knowledge of cloud technologies (Infrastructure or DevOps or Solution Architecture). Certification will be advantageous. 
    • ISACA Professional Registration would be an advantage.
    • Leadership experience or qualification in a field relevant to aviation/aerospace/aeronautics would be an advantage.

    Minimum Experience

    • Seasoned professional required, with a minimum of 10 years' experience in Information Technology, of which at least 5 years' experience in SecDevOps or a related field and 5 years' experience in managing technical team(s).
    • Experience in a high technology electronic environment.
    • In-depth knowledge and understanding of aeronautical communication, navigation, surveillance and satellite systems would be an advantage.
    • Must be experienced in SecDevOps and Agile software development principles, an advocate of lean thinking and display an appreciation for cybersecurity and continuous improvement.

    Method of Application

    Interested and qualified? Go to ATNS on atns.ci.hr to apply
