Summary:
This job, at a Chicago-based insurance company, is focused on strengthening the company's cybersecurity. The role involves identifying and testing potential security weaknesses, simulating hacker attacks, and working with teams to fix any risks. The person in this role will evaluate systems like networks, applications, and cloud services, and will use the latest security tools and techniques to stay ahead of cyber threats. They’ll also communicate findings to both technical and non-technical people, help improve the company’s overall security, and make sure everything is done professionally and ethically.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
- Performs offensive security assessments that actualize risk and collaborates with business and technical stakeholders to manage risk effectively.
- Serves as a trusted expert in assessing networks, infrastructure, applications, APIs, cloud and cloud native services, AI/ML, mobile, performing threat modeling, and planning adversary simulations and emulations.
- Communicates findings, attack paths, and recommendations to technical, non-technical, and senior leadership through written reports and verbal presentations.
- Assists with risk triage and works with Technology teams to improve the company's risk profile.
- Serves as the breach and attack simulation (BAS) solution expert.
- Researches and integrates the latest tools, tactics, procedures, and developments in vulnerability research, exploitation, privilege escalation, defense evasion, lateral movement, and means of achieving objectives into new or existing capabilities.
- Develops and improves operational efficiencies and grows offensive capabilities by building, adapting, and evaluating tooling, infrastructure, services, procedures, processes, templates, knowledge bases, and automation.
- Exhibits professionalism, acts ethically and with integrity, operates securely, ensures consistent high-quality practices/work, and achieves business results in alignment with the company's strategies and productivity goals.
May perform additional duties as assigned.
Skills, Knowledge & Abilities
- Knowledge of methodologies, frameworks, tactics, techniques, and tools that promote effective testing, analysis, and the ability to determine root cause and create solutions that resolve the problems in the best interest of the business.
- Proficient in the use of testing frameworks, tools, and scripting and development languages, such as Burp Suite, Postman, Kali Linux, JavaScript, Python, Java, PowerShell, and C/C++.
- Knowledge of OWASP, CWE, MITRE ATT&CK, risk, and secure software development lifecycles.
- Excellent written and oral communication skills.
- Ability to work independently and function effectively as part of a team in a dynamic environment.
- Ability to travel as assessments and operations require (<5%).
Education & Experience
- Bachelor’s degree in Computer Science, Information Technology, or related discipline, or equivalent work experience.
- Typically a minimum of five years of information security experience (red and/or purple teaming, penetration testing, cloud security, application security, or network security preferred).
- Certification(s) Preferred: OffSec Certified Professional (OSCP), OffSec Experienced Penetration Tester (OSEP), OffSec Web Expert (OSWE), Burp Suite Certified Practitioner, GIAC Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), GIAC Cloud Penetration Tester (GCPN), Certified Red Team Ops (CRTO), Certified Information Systems Security Professional (CISSP).