Senior Director - Product Security

Posted 16 days ago by Thomson Reuters
Location: Nottingham
Salary: Excellent
Apply by: Friday, 5 October 2018
Job Type: Permanent
Job Functions: Cyber Threat & Vulnerability Analysis, Cyber Security, Head of Cyber Security, Information Security, Director of IT Security, IT Compliance, Security Architect
Job Reference: 191529
Sector: Advertising, Creative & Media; Business & Management Consultancy; Technology, ICT & Telecoms

Financial & Risk is looking for a few highly skilled cyber security specialists to help in the Nottingham location. This new facility will be home to a number of critical cyber security disciplines, designed to improve the overall security posture of F&R, including its assets, data and operations. Be part of an exciting, fast-paced environment that will help F&R strengthen its position.

The Information Security team seeks a high-energy, motivated individual who combines solid technical credentials with a high degree of business acumen for the position of Sr. Director, Product Security within the Secure Architecture & Design team. In this role, you will collaborate with technology peers and business partners while leading a team of architects. Holistic product security has been defined as a strategic direction for Thomson Reuters and a cornerstone of security for both infrastructure and product. A successful candidate for this role will be able to lead a team that strengthens the security posture of products & enterprise applications. This vision will be implemented in Thomson Reuters data centers and in cloud services world-wide, and will be leveraged by a diverse set of enterprise technologies across all business units.

Primary Responsibilities: 

  • Define a Product Security strategy for F&R’s products to support business and customer needs.
  • Partner with software engineers and development teams on building information security requirements and specifications into F&R products.
  • Facilitate compliance with product security policies, practices and legal requirements.
  • Review internally developed code for advanced security issues as part of an Agile Development process and educate Product Development teams on secure coding best practices.
  • Develop and leverage automation and analytics capabilities to improve our cyber threat detection and prevention capabilities.
  • Develop and assist in the implementation of threat modeling exercises with product teams.  
  • Assist with product penetration testing and interact with penetration testers and other external vendors to validate security controls.
  • Evaluate the security posture of third party libraries and frameworks and provide product teams with guidance and documented best practices for safely incorporating them into their products.
  • Develop and maintain internal libraries that provide common implementations of critical security controls.
  • Research and evaluate new Product Security technologies for internal consumption.

Required Skills:

  • Extensive software development experience:
    • Fully competent in most of the programming languages, software engineering methodologies, and software development tools our team uses:
      • Java, Groovy, jUnit, Spock, SQL, Elasticsearch
      • Angular2, ngrx, HTML5, JSON
      • AWS, UNIX/Shell, Jenkins, Gradle
      • Aspose, JxBrowser
  • Extensive application/product security experience in a large enterprise.
    • Demonstrated and hands-on experience in the following areas:
      • Source code auditing, penetration testing, product assessments, vulnerability research, and reverse engineering
  • Strong understanding of the software development lifecycle (SDLC).
  • Willing to travel internationally up to 20%.
  • Familiarity with common software flaws that lead to exploits, and experience with techniques for securing embedded systems (e.g. ASLR).
  • Strong experience in conducting static analysis (SAST), dynamic analysis (DAST), security technical implementation guide (STIG), fuzz testing (FUZZY) and vulnerability scans.
  • Experience with various security tools and products (Fortify, Burp Suite, HP Webinspect, Checkmarx, Nessus, IBM AppScan, etc.).
  • Experience with common security scoring systems (CVSS v3 and CWSS) and secure coding standards/best practices.
  • Experience identifying and protecting against web application and web service security vulnerabilities including those found in the OWASP Top 10 and CWE Top 25.
  • Excellent verbal and written communication skills.

At Thomson Reuters, we believe what we do matters. We are passionate about our work, inspired by the impact it has on our business and our customers. As a team, we believe in winning as one - collaborating to reach shared goals, and developing through challenging and meaningful experiences. With more than 45,000 employees in more than 100 countries, we work flexibly across boundaries and realize innovations that help shape industries around the world. Making this happen is a dynamic, evolving process, and we count on each employee to be a catalyst in driving our performance - and their own.

As a global business, we rely on diversity of culture and thought to deliver on our goals. To ensure we can do that, we seek talented, qualified employees in all our operations around the world regardless of race, color, sex/gender, including pregnancy, gender identity and expression, national origin, religion, sexual orientation, disability, age, marital status, citizen status, veteran status, or any other protected classification under country or local law. Thomson Reuters is proud to be an Equal Employment Opportunity/Affirmative Action Employer providing a drug-free workplace.

Thomson Reuters provides professionals with the intelligence, technology and human expertise they need to find trusted answers. We enable professionals in the financial and risk, legal, tax and acc...