  • Posted: Jun 23, 2026
    Deadline: Not specified
  • Tiger Brands Limited, a Top 40 JSE Limited company whose footprint extends across the African continent and beyond, is one of the largest manufacturers and marketers of FMCG products in Southern Africa, and has been for several decades. Tiger Brands has been built over many decades through the acquisition and clustering of businesses. Our strategy for succe...

    Senior Network Security Engineer (Network Security Architecture)

    • A Senior Network Security Engineer is a senior tech expert who protects a company's computer networks from cyber threats. They design strong digital walls, block hackers, and keep data safe.

    WHAT YOU WILL DO:

    Network Security Architecture, Verification and Standards

    • Own Tiger Brands' network security platform architecture as the internal SME and decision authority — covering perimeter security, OT/IT boundaries, and remote access security.
    • Define security design patterns based on Zero Trust principles, defense-in-depth, and least-privilege network access models.
    • Produce and maintain architecture documentation, security standards, and configuration baselines across FortiGate, FortiManager, FortiEMS, FortiProxy, FortiAnalyzer, and FortiNAC.
    • Define Fortinet Security Fabric integration standards — specifying how FortiGate, FortiManager, FortiEMS, FortiAnalyzer, and ancillary Fortinet products integrate into a unified Security Fabric, including fabric connector requirements, device onboarding standards, and inter-product telemetry sharing.
    • Translate security requirements and risk decisions into clear, implementable technical specifications for the Service Delivery team.
    • Conduct architecture reviews for new and existing IT and OT solutions with network security implications — defining security requirements and validating proposed designs meet Tiger Brands' network security standards before implementation.
    • Validate all network security platform implementations against approved designs and baselines — covering firewall policies, access control configurations, ZTNA settings, VPN configurations, and web security controls.
    • Identify deviations, misconfigurations, and policy violations in implemented configurations and issue formal remediation requirements.
    • Own continuous configuration drift detection — define and maintain mechanisms to identify when validated network security configurations deviate from approved baselines post-deployment. Drift findings must be logged, risk-assessed, and tracked to remediation.
    • Define security control resilience and fallback requirements for each critical network security control owned by this role.
    • Maintain a validation and drift register covering completed checks, findings, drift events, fallback status, and sign-off records.

    Firewall Policy Architecture and Access Control Standards

    • Own Tiger Brands' firewall policy architecture — defining security policies governing traffic between network zones, segments, and trust boundaries.
    • Define firewall rule base design standards — covering least privilege, implicit deny, rule ordering, object naming conventions, rule documentation requirements, and change justification standards.
    • Define rule base hygiene standards — specifying requirements for the identification and remediation of shadowed rules, unused rules, overly permissive policies, and undocumented exceptions.
    • Define High Availability (HA) design standards — specifying FortiGate cluster configurations (active-passive, active-active), failover behaviour requirements, session synchronization standards, and HA heartbeat network design. Validate that deployed HA configurations meet the defined standard and provide the required resilience posture.
    • Define NAT architecture standards — specifying NAT design patterns and NAT policy documentation standards. Validate that NAT implementations are correctly configured and do not introduce unintended access paths.
    • Define and validate FortiManager policy package standards — covering device onboarding requirements, policy inheritance, administrative domain structure, and change tracking.
    • Define site-to-site VPN security architecture standards — covering IPsec design, IKE standards, and encryption requirements. Validate that VPN implementations meet the defined security standard.
    • Validate firewall policy implementations against approved standards and VPN configurations. Issue formal remediation requirements for all findings.

    Zero Trust Network Access (ZTNA) Architecture

    • Own Tiger Brands' ZTNA architecture standard using FortiEMS and FortiClient as the primary platform.
    • Define device posture requirements, endpoint compliance standards, and application access policies governing ZTNA enforcement.
    • Define integration standards between FortiClient EMS, the enterprise identity platform, and endpoint security platforms — ensuring ZTNA policy decisions are informed by both identity and device health state.
    • Define on-net versus off-net behaviour standards and validate that access enforcement is consistent across both scenarios.
    • Define and validate ZTNA application gateway configurations, access proxy settings, and traffic inspection requirements.
    • Define the roadmap for ZTNA maturity — expanding coverage across corporate applications and phasing out legacy remote access VPN.
    • Validate ZTNA implementations against approved architecture and posture standards.

    OT/ICS Network Security Architecture

    • Own the security architecture governing Tiger Brands' OT/ICS network boundaries — defining security controls, access requirements, and enforcement standards at IT/OT boundaries across all manufacturing sites.
    • Define the security requirements governing all traffic flows across IT/OT boundaries — including historian access, remote maintenance, vendor connectivity, and engineering workstation access.
    • Define OT network access control standards — covering authentication requirements, jump server standards, and privileged access to industrial control systems.
    • Define OT-specific firewall policy standards — accounting for the availability, determinism, and safety requirements of industrial control systems where standard security hardening may not apply.
    • Define FortiNAC standards for OT device visibility, profiling, and network access control.
    • Validate that IT/OT boundary firewall implementations meet the defined security standards.
    • Produce and maintain OT network security architecture documentation and risk assessments across Tiger Brands' manufacturing footprint.

    Web Security and SSL Inspection Architecture

    • Own Tiger Brands' web security architecture leveraging FortiProxy as the primary outbound web security platform.
    • Define web filtering standards, application control policies, and URL categorization requirements aligned to Tiger Brands' acceptable use and security policies.
    • Define SSL/TLS inspection standards — specifying what traffic must be inspected, what categories are excluded, and the certificate management requirements for inspection deployment.
    • Define DNS security control standards and validate correct implementation.
    • Define certificate authority (CA) trust standards for SSL inspection and validate that endpoint trust configurations are correctly deployed across the managed device estate.
    • Validate that web security and SSL inspection configurations are correctly implemented and enforcing as expected.

    Security Telemetry and Log Standards

    • Validate that FortiGate, FortiManager, FortiProxy, and FortiEMS are configured to generate complete, accurate logs that meet the managed SOC's ingestion and detection requirements, and that log forwarding is implemented without gaps.
    • Act as the Fortinet platform SME in engagements with the managed SOC on matters of log source quality, data gaps, and platform-side configuration requirements.
    • Design automation scripts and workflows for configuration management, compliance reporting, and platform automation, and review and validate automation built by the Service Delivery team before production deployment.

    Platform Stewardship and Governance

    • Produce and maintain deployment runbooks, configuration guides, and technical SOPs that enable the Service Delivery team to implement network security changes accurately and consistently.
    • Validate the technical capability of the Service Delivery team to execute against defined standards — identify gaps and define upskilling requirements. Ensure no single individual holds undocumented platform knowledge.
    • Advise Tiger Brands on Fortinet licensing strategy — including optimisation of existing entitlements and recommendations for capability uplift where security gaps exist.
    • Actively track the Fortinet product roadmap, maintain a forward-looking view of how it affects Tiger Brands' network security architecture, and lead the evaluation of new capabilities prior to adoption.
    • Define and enforce security requirements for all third-party and vendor access to Tiger Brands' network security infrastructure — including vendor remote access, MSP connectivity, and out-of-band management. Maintain an active register of third-party network access.
    • Represent Tiger Brands' network security function in ARB, TDA, CAB, and related governance forums — reviewing proposed changes and technology decisions for network security impact, risk, and control alignment.
    • Conduct technical risk assessments for new vendor connections, third-party integrations, and technology changes with network security implications.
    • Exercise formal change gate authority — no changes to Fortinet security platform configurations or firewall policies may proceed without this role's technical review and sign-off. Changes that do not meet the defined standard must be formally rejected with documented rationale.
    • Own the network security baseline exception process — all exceptions must be risk-assessed, business-justified, owned by an accountable party, and subject to a defined review date.
    • Document key network security decisions, architecture exceptions, risk acceptances, and lessons learned — maintaining an accessible record that informs future architecture decisions and supports audit and governance requirements.
    • Produce regular network security posture reports to the Cybersecurity Engineering Lead and governance forums, covering policy compliance, drift findings, open exceptions, validation status, and upcoming roadmap decisions.
    • Act as escalation point and trusted advisor for infrastructure, cloud, OT, and governance teams on all network security matters.

    WHAT YOU WILL BRING TO THE TABLE:

    Minimum Qualifications

    Education

    • Bachelor's degree in Information Technology, Network Engineering, Computer Science, Information Security, or equivalent practical experience.

    Experience

    • 8+ years of hands-on, production experience with Fortinet network security platforms — this is a hard requirement, not a guideline.
    • The incumbent must have personally designed and operated Fortinet environments at enterprise scale. This is what makes their architectural specifications credible and their validation judgements authoritative.
    • Demonstrated depth across FortiGate, FortiManager, FortiAnalyzer, FortiEMS, and FortiProxy in complex enterprise environments.
    • Proven experience designing and governing large-scale firewall policy architectures.
    • Hands-on experience with ZTNA implementation — FortiEMS, FortiClient, device posture enforcement.
    • Experience securing OT/ICS environments — IT/OT boundary security, industrial firewall policy, OT network access control.
    • Experience with enterprise VPN security architecture — IPsec site-to-site and remote access VPN at scale.
    • Track record of driving measurable network security posture improvement through standards, governance, and platform optimisation.
    • Exposure to POPIA, ISO 27001, IEC 62443, or NIST CSF compliance requirements advantageous.
    • FMCG, manufacturing, or IT/OT hybrid environments advantageous.
    • Cisco security platform experience advantageous.

    Certifications

    Required:

    • NSE 7 – Enterprise Firewall (Fortinet)
    • NSE 6 – FortiEMS (Fortinet)
    • NSE 7 – OT Security (Fortinet)

    Advantageous:

    • NSE 8 – Fortinet Certified Expert
    • CCNP Security (Cisco)
    • CISSP


    Method of Application

    Interested and qualified? Go to Tiger Brands on tigerbrands.wd103.myworkdayjobs.com to apply

