Date Posted: November 11, 2020
The world isn’t standing still, and neither is Allstate. We’re moving quickly, looking across our businesses and brands and taking bold steps to better serve customers’ evolving needs. That’s why now is an exciting time to join our team. As a leader in a corporation with 83,000 employees and agency force members, you’ll have a hand in transforming not only Allstate but a dynamic industry. You’ll have opportunities to take risks, challenge the status quo and shape the future for the greater good.
You’ll do all this in an environment of excellence and the highest ethical standards – a place where values such as integrity, inclusive diversity and accountability are paramount. We empower every employee to lead, drive change and give back where they work and live. Our people are our greatest strength, and we work as one team in service of our customers and communities.
Everything we do at Allstate is driven by a shared purpose: to protect people from life’s uncertainties so they can realize their hopes and dreams. For 89 years we’ve thrived by staying a step ahead of whatever’s coming next – to give customers peace of mind no matter what changes they face. We acted with conviction to advocate for seat belts, air bags and graduated driving laws. We help give survivors of domestic violence a voice through financial empowerment. We’ve been an industry leader in pricing sophistication, telematics, digital photo claims and, more recently, device and identity protection. We are the Good Hands. We don’t follow the trends. We set them.
LOCATION: THIS POSITION IS OPEN NATIONWIDE TO ALL OUR TECHNOLOGY HUBS IN TEMPE, AZ OR CHICAGO, IL OR CHARLOTTE, NC OR IRVING, TX. THIS CAN ALSO BE A REMOTE HOME-BASED WORKER POSITION FOR THE RIGHT RESOURCE!
Enterprise information security architecture is a key component of the information security technology governance process at any organization of significant size. More and more companies are implementing a formal enterprise security architecture process to support the governance and management of IT.
The Cybersecurity GRC Expert will be part of the Cyber Consulting Services team within the Allstate Information Security – Security Innovation, Strategy, Analytics, and GRC division. The mission of Cyber Consulting Services is to provide cross functional capabilities, knowledge transfer, and foster integrated AIS governance strategy that supports organizational objectives while mitigating information security risks across the enterprise.
This team also provides technical oversight and expert level guidance to many strategic efforts to expand information security capabilities and improve security outcomes. We help enable our cultural shift left to a “secure from the start” mentality, aligned with Allstate’s digital transformation. This role is critical to integrating IT/business objectives and effectively managing cyber risk, and meeting compliance requirements.
A broad range of technical cybersecurity and architecture skills, along with strong interpersonal skills, will be required for problem-solving, collaboration with virtual cross-functional work groups, and tracking and reporting of program status, compliance gaps and risks. The role requires soft skills, technical aptitude, and security knowledge sufficient to help ensure alignment to our AIS guiding principles, strategic framework, and target state maturity goals while adjusting to an ever-changing threat landscape.
The successful candidate will contribute to the Information Security Program and architecture by being a trusted advisor that can clearly articulate Allstate security policies, standards, and guidelines to both technical and business audiences alike. This resource is expected to interface with subject matter experts, architects, security engineering, team leads, legal, privacy, senior and executive leadership (business and IT).
- Develop full stack security architecture to support cyber resilience for Quantum (TG)
- Participate and contribute to the development of a future-focused, technical security architecture
- Engage with Security Architecture teams to capture security requirements and acceptance criteria, socialize and communicate architectural standards created
- Enable cultural change to mature from compliance-driven/tactical approaches to risk-based and business-oriented strategic approaches toward security
- Provide guidance on information security and assurance best practices across the full stack: application and data security, operating system and platform security, network and physical security, policies and procedures
- Collaborate with security delivery resources, technical SMEs, and various business partners / functions to support successful delivery of the overall program
Security Strategy and Cybersecurity Step Change Programs
- Collaborate with organizational stakeholders on analysis of the current state to identify program and technology gaps, redundancies, and opportunities for improvement
- Partner and collaborate with stakeholders and executives from a technical security engineer's / architect's viewpoint, and evaluate the execution plan of the strategic AIS Cybersecurity Step Change Program as follows:
- Security expert rigor on technical control deployment, implementation, adoption, operational effectiveness, and reporting that is representative of progress towards the reduction of risk
- Conduct an in-depth analysis of program approach, existing solutions and gathered requirements in alignment with risk mitigation and in relation to the complex environment
- Interrogate initiatives' definition of done and mini charters to validate that the desired outcome and effort are focused on practical risk reduction capabilities, and document concerns and/or opportunities for improvement
- Identify potential program and technology gaps, redundancies, risks, and opportunities of improvement to initiative/program success; including cost / benefit and timeline efficiencies
- Assess whether the state of the program and the projects' completion vs. timeline is reasonable, along with the interdependencies between projects and whether they are logically sequenced
- Recommend industry best practices and component solutions while leveraging knowledge of controls, technologies, and capabilities in use within Allstate businesses
Cybersecurity, Architecture & GRC Consulting
- Consultative services around the acquisition/selection of appropriate enterprise security controls to be implemented and executed (inclusive of management controls, process controls, technical controls and physical controls)
- Oversee the "Three Lines of Defense" model between the various risk and control management functions
- Provide consultative services to control owners across security domains
- Provide knowledge and expertise to set direction, optimize risks and resources, and monitor performance and compliance to achieve organizational objectives
- Facilitate and enable assurance functions to ensure that controls are designed and operating effectively, while ensuring compliance requirements are met consistently
- Consult on tuning, modifying and hardening security policies based on risk and business strategy
- Help facilitate continuous improvement and integration of GRC services and capabilities, including leading roadmap development and maturity assessments
- Promote a compliant and risk-aware culture, and ensure efficient and effective risk and compliance management practices by adhering to required standards and processes
- Over 7 years of direct experience in Information Security Technology across multiple disciplines and domains, including Governance, Risk, and Compliance
- 3+ years of recent Enterprise Information Security Architecture experience
- Serves as a security expert in application development, database design, network and/or platform (operating system) efforts, helping project teams comply with enterprise and IT security policies, industry regulations, and best practices
- In-depth knowledge of cybersecurity defense-in-depth best practices, GRC, infrastructure architecture, engineering, operations, DevOps, cloud networking architecture, cloud operations, security, automation and orchestration
- Experience with common application security architecture and vulnerabilities (e.g. OWASP Top 10), attack techniques and remediation tactics/strategies.
- Experience with common enterprise infrastructure (OS platforms, directory services, networking infrastructure, appliances, middleware, common security infrastructure)
- Executive communication skills, both written and verbal: ability to tailor communication of complex and technical issues to cross-functional audiences for executive decision making
- Strong decision-making capabilities, with a call-to-action focus
- Self-starter with an ability to work independently in a 'semi-structured' environment
- Experience with enterprise level program/project management
- Full stack security architecture or experience working as an enterprise level senior security consultant with large scale/complex environments
- Relevant post-secondary education and/or industry standard certifications (e.g. ISACA: CISA, CISM, CRISC, CGEIT; ISC2: CCSP, CSSLP, CISSP, CISSP-ISSAP; SANS Institute/GIAC; AWS Certified Solutions Architect; PCI SSC ISA/QSA/PCIP; SABSA; EC-Council CNDA)
- Proficiency with PCI DSS 3.2, HIPAA applicable security / privacy controls, Sarbanes-Oxley (SOX) 404, ISO/IEC 27000 family of standards, NIST 800-53, NIST cybersecurity framework, and COBIT