Senior Specialist: Application & Endpoint Security at MTN

Mission/ Core purpose of the Job: 

• This role reports into the MTN SA Hub that provides Information Security Services to the identified Spoke MTN Operating Companies (Opcos). The role is responsible for embedding and maintaining technical security architecture and controls requirements across MTN infrastructure, applications and networks. This includes identifying security threats, software vulnerabilities, and building robust security systems. The role will research and investigate the potential impact of new threats and exploits, plan and prepare solution designs, standards and configurations, and engagement models to be implemented across all business areas, core systems, third-party interfaces, and the internal core network interfaces. This role will be a valued partner to development and engineering teams and technology operations teams to ensure secure architectures, patterns, and solutions are created and maintained.

Key Performance Areas: 

• Key Deliverables - Ensure clear execution on below delivery from SA Hub Opco to allocated Spoke Opcos
• Provide security guidance and review on business and technology products/ solutions, model threats and risks as well as the controls necessary to mitigate them, on both an organisational and technical level – thinking like a malicious hacker, understanding and anticipating the moves and tactics that a hacker might use to attack MTN systems. 
• Prevent unauthorized access and malware infection of networks, infrastructure applications using security countermeasures. 
• Implement policies and standards for anti-virus and malware protection requirements in line with Group Information Security policies and localised Hub policies.
• Conduct network and/or system monitoring for malicious activities or policy violations.
• Implement firewall rule request, review, and approval process as per Group defined standards and Hub processes.
• Define local Opco security policies and standards for applications and endpoint protection
• Implement policies and standards to protect data, applications, and the associated infrastructure that reside in a public cloud
• Set standards to prevent transmission of malware and spam via email.
• Implement and maintain secure configuration / hardening standards in line with approved standards.
• Implement policy on web content types/categories that is permissible to access as per Policy
• Work with Data Protection team to define and implement Office 365 Data leakage prevention policies for OneDrive, Exchange online and SharePoint and integration with other platforms
• Configure and implement Mobile Application/ Device management policies
• Provide technical support for continuous monitoring, computer exploitation and reconnaissance; target mapping and profiling; and, network decoy and deception operations in support of computer intrusion defense operations.
• Provide technical support for a comprehensive risk management program identifying mission critical processes and systems; current and projected threats; and system vulnerabilities.
• Participate in and lead the security design and implementation of all products across Financial Services, Consumer, Enterprise, Technology and Digital - design phase security and post implementation.
• Evaluate the ongoing effectiveness of security controls established to ensure the safety of the MTN SA product and application suits. 
• Develop a comprehensive set of cyber-security policies and procedures governing hosted and SaaS environments. 
• Ensure that third party solutions and products follow MTN Controls standards.
• Review the security design of MTN applications and products, drive the testing process (prior to deployment). 
• Build security into MTN Software Development Lifecycle; creating and maintaining secure software development/ acquisition methodology - secure application development/ acquisition and coding practices across all development teams (internal and 3rd Party), security testing for existing and new systems, defining processes and establishing meaningful metrics for management. 
• Work with the product teams to identify and assist with the implementation of policy, process, people and technology improvements. This includes the use of automation and security specific testing tooling; Analysing and providing remediation guidance for identified weaknesses or vulnerabilities; validate and verify remediation implementation.
• Evaluate and oversee the security of outsourced / third-party technologies and hosting environments to ensure they provide adequate protection for the processing, transmission, and storage of MTN’s information: 
• Implement Group reference architecture for integrating with third parties and partners
• Implement mechanisms for vetting and implementing integration with cloud providers
• Implement architectural and development standards for third party application security
• Act as a subject matter expert to application development and support personnel for any/all issues regarding the security design or use of applications. This includes enterprise operational staff and business unit personnel.
• Create and execute a training and awareness program for secure coding/ development and best practice 
• Assist in executing upgrades to existing systems, communications and coordination of change with impacted departments, directly or through delegation
• Activities that are not executable from the Hub Opco needs to be raised to the relevant stakeholder to ensure cyber security risks are addressed. 
• Build a strong relationship with Spoke Opco to ensure delivery. 
• Where there are challenges to perform tasks remotely, ensure the Spoke Opco execute actions that are in line with above mentioned activities. 
• Where there are challenges to execute actions remotely, the incumbent needs to resolve the challenges in a timely manner and inform the relevant stakeholders.

Budgets

• Assist with management of departmental budgets in line with business objectives and facilitate forecasting
• Manage project initiative budgets in line with business objectives
• Drive initiatives that will ensure that the “cost of operations” are reduced, in line with a least cost operating strategy stemming from the business drivers.
• Assist Spoke Opcos with contract negotiations

Minimum Requirements  

Education:

• Minimum of 3 years tertiary qualification (degree/ national diploma) in Information Technology/ Engineering
• CISSP/CEH/ CGEIT certification (one of)
• Business analysis/architecture qualifications
• Other qualifications (ITIL, TMF, COBIT) advantage
• Fluent in English 

Experience:

• Minimum of 5+ years of relevant work experience in Information Security 
• Experience in managing and implementing large scale security projects
• Advanced working understanding of the information and technology environment of a bank or telecom company
• Other security experience such as incident handling (from appsec perspective), architecture, operations, GRC, OWASP, etc
• Knowledge of application architectures and application development with at least one modern programming language.
• Knowledge of DevOps and Agile methods
• Knowledge of threat modelling  
• Ability to express complex technical security control concepts passionately and effectively
• Ability to work well with people from different disciplines and countries with varying degrees of technical experience.
• Ability to communicate effectively when dealing with business customers and suppliers.
• Knowledge of national and international regulatory compliances and frameworks such as NIST-CSF, ISO-27000, GDPR, PCI, etc.