Reports To: IT Risk and Security Manager
This role is responsible for providing security testing services to meet security requirements in Cathay Pacific. In addition to supporting security testing, you will also be responsible for implementing, maintaining and enforcing processes and standards in support of the methodology within Cathay Pacific (CX) standards, including but not limited to vulnerability assessment, penetration testing, security hardening and configuration review, and for providing application and infrastructure recommendations to projects as required. The Security Testing Analyst is also required to have the skill set to manage security testing vendors so that they deliver and execute security testing within the agreed scope, to a high quality, and in compliance with CX policies and standards.
- Drive and implement the security testing framework and process within the project lifecycle and BAU activities.
- Oversee the quality of the delivery, including but not limited to security test documents, test scope, methodology, and test execution, to ensure the security tests are fit for the purpose of the request.
- Manage test vendors to deliver high quality in execution and test results, including review of testing pass/fail criteria, ensuring standards for stakeholder acceptance are in place, and ensuring that the defined security test scenarios adequately cover the security non-functional requirements.
- Ensure all security requirements according to policies and guidelines are examined and that feasible recommendations for any findings are provided by the relevant test vendor or internal resources.
- Adopt a risk-based approach to translate testing findings into risk through the use of the IT Risk management framework.
- Prepare and propose security tools that facilitate high-quality and efficient security testing.
- Provide requirements to facilitate the establishment of testing environments that enable the successful completion of security testing.
- Report and record all findings, and record any residual risk in the IT Risk Register.
- Collaborate across teams with test vendors and internal resources to improve the security testing methodology.
- Keep abreast of the latest trends in cyberattacks and understand the implication to testing methods
- Assist in conducting training on security testing methodologies and techniques for IT teams
- Promote secure coding best practice to developers
- Over 4 years’ experience in an IT security testing function
- Degree-level qualification in IT or business-related discipline is essential
- Certification in penetration testing discipline such as SANS-GWAP, PEN 300, OSCP, OSWE, OSCE, CREST CCT
- Competencies in information security processes, framework and technologies, such as: Network & Application Vulnerability Assessment, IT Risk Assessment, Penetration Testing & Ethical Hacking, OWASP Top 10, NIST, OSSTMM, OSINT etc.
- Knowledge of security solutions and tools, e.g. Nessus, Nmap, Burp, AppScan, Kali Linux, etc.
- Experience in vendor management
- Ability to listen and articulate ideas verbally and in written formats to a broad range of audiences; ability to ask probing questions and deliver presentations that have impact
- Strong interpersonal skills and the ability to maintain good relationships with others
- Proven management experience is a plus
- Proactive and willing to accept and drive changes to accomplish positive outcomes
- Well-developed analytical, problem-solving, and decision-making skills; strong troubleshooting skills; ability to identify patterns and generate ideas
- Focus on the end users or customers’ needs; ability to set expectations and understand end user behavior
Personal & Application Information
Cathay Pacific is an Equal Opportunities Employer. Personal data provided by job applicants will be used strictly in accordance with our personal data policy and for recruitment purposes only. Candidates not notified within eight weeks may consider their application unsuccessful. All related information will be kept in our file for up to 24 months. A copy of our Personal Information Collection Statement will be provided upon request by contacting our Data Protection Officer.
Please note that with effect from 1 June 2022 onwards, all Cathay employees and contractors who work in Cathay City and all other Cathay Group Company premises in Hong Kong must have received a third dose of a COVID-19 vaccine. Being tested regularly for COVID-19 is not an option. Consideration will be given to those who are unable to get vaccinated for valid medical reasons.