CenturyLink (NYSE: CTL) is the second largest U.S. communications provider to global enterprise customers. With customers in more than 60 countries and an intense focus on the customer experience, CenturyLink strives to be the worlds best networking company by solving customers increased demand for reliable and secure connections. The company also serves as its customers trusted partner, helping them manage increased network and IT complexity and providing managed network and cyber security solutions that help protect their business.
The Lead Information Security Engineer on the Cybersecurity Vulnerability Assessment Services (CVAS) team within Enterprise Security is primarily responsible for identifying and ethically exploiting vulnerabilities on internal CenturyLink servers, databases, applications, and network elements across the corporate enterprise to present the associated risk to the business. The engineer will assist as applicable to perform Adversarial Cybersecurity Emulation (ACE) exercises designed to emulate real world attacks against CenturyLink with designated objectives specified per each engagement to determine the defensive capabilities protecting the objectives. The intended result of ACE exercises is to identify cybersecurity deficiencies and recommend methods to strengthen areas of greatest risk. Additionally, the engineer is responsible to assist with identifying, designing, proposing, and realizing strategic security initiatives to improve CenturyLink vulnerability management, penetration testing, and remediation capabilities as well as the overall security posture of CenturyLink.
The engineer must possess practical experience and technical knowledge of cybersecurity threats, vulnerabilities, technologies, intrusion techniques, and exploit methodologies. The engineer must possess strong knowledge of Information Security and Information Technology (IT) systems as well as a reasonable understanding in all disciplines of networking, programming, application development and system administration. The engineer must have strong oral and written communications skills and experience in presenting to a wide variety of audiences. The engineer is responsible for creating vulnerability analysis, penetration testing, and ACE exercise reports intended for risk awareness to the business and appropriate executive management levels. The engineer must be able to work independently as a strong leader, as well as collaboratively with others, to foster consulting with internal partners on cybersecurity topics and strategic security initiatives.Job Description
- Represent Corporate Security as a Subject Matter Expert (SME) of cybersecurity pertaining to threats, vulnerabilities, intrusion techniques, and exploit methodologies.
- Oversee the immediate response to Critical severity vulnerabilities that impact CenturyLink systems by analyzing the vulnerabilities, identifying systems impacted, and collaborating with system owners in the business to determine the risk of vulnerabilities, establish remediation priority, ensure remediation plans, and validate remediation efforts.
- Coordinate and perform penetration testing on CenturyLink systems as required for compliance of Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), and other industry compliance standards as necessary.
- Identify vulnerabilities on CenturyLink systems through penetration testing methods for CenturyLink infrastructures, products, and services encompassing network elements, operating systems, databases, and applications across the corporate enterprise.
- Identify, design, propose, and realize strategic security initiatives to improve CenturyLink vulnerability management, penetration testing, and remediation capabilities through automation development, processes enhancements, and infrastructure expansion.
- Perform Adversarial Cybersecurity Emulation (ACE) exercises as sanctioned attacks utilizing real malicious actor methods to determine the defensive capabilities of CenturyLink and provide security improvement recommendations.
- Collaborate with key stakeholders throughout the business to improve systemic security risks identified through vulnerability assessments, penetration testing, or ACE exercises.
- Enhance capability to aggregate and distribute newly disclosed vulnerabilities for vendor products used within CenturyLink as Security Alerts to system owners as relevant notifications for proactive remediation efforts.
- Develop, facilitate, and maintain the Information Security Policy, Methods & Procedures, Technical Standards, Technical Best Practices, and general processes for vulnerability management, penetration testing, application security, and ACE exercises.
- Assist with vulnerability scanning to support compliance obligations.
- Instill a security culture company-wide through vulnerability awareness and remediation mindset.
- Undergraduate degree in Information Security, Computer Science, Computer Engineering, or related field, or equivalent experience.
- 4+ years experience in domains relevant to information security; or 2+ years with a Masters degree or Ph.D. and relevant work experience.
- Applied experience performing penetration testing.
- Broad technical knowledge of current and emerging cybersecurity threats, vulnerabilities, intrusion techniques, and exploit methodologies.
- Awareness of OWASP Top 10, SANS Top 20 Critical Security Controls, and NIST Vulnerability Database within penetration testing engagements.
- Experience utilizing multiple vulnerability assessment and penetration testing tools such as Core Impact, Nessus, Burp Suite, AppScan, Kali Linux, and Metasploit.
- Experience in application development utilizing C/C++, C#, VB.NET, ASP, PHP, PERL, Python, Java, Assembly, UNIX Shell, Microsoft PowerShell, or other programming language.
- Reasonable understanding of common networking protocols.
- Applied experience and knowledge of UNIX derivative and Windows operating systems.
- Strong oral and written communication skills to executive management and technical audiences.
- Self-motivated individual who can drive goals independently and collaborate in a team environment.
- Ability to perform mixed work hours and days to accommodate penetration testing on production systems during scheduled maintenance windows.
- Applicable professional certification encompassing multiple foundational security domains must be in place, such as CISSP, GSEC, GCED, or Security+.
- Applicable specialized professional certification in the domain of vulnerability assessments or penetration testing must be in place, such as CEH, GPEN, GWEB, OSCP, or superseded by an advanced specialized professional certification as described in Preferred Qualifications.
- Masters degree in Information Security, Computer Science, Computer Engineering, related field, or equivalent experience.
- 2+ years of experience performing penetration testing full time for medium to large enterprises.
- Applied experience leveraging OWASP Top 10, SANS Top 20 Critical Security Controls, and NIST Vulnerability Database within penetration testing engagements.
- Applied experience in performing adversarial exercises, also known as Red Team exercises.
- Experience performing assessments on mobile devices and applications.
- Certified or considered an expert in utilizing C/C++, C#, VB.NET, ASP, PHP, PERL, Python, Java, Assembly, UNIX Shell, Microsoft PowerShell, or other programming language.
- Applied experience and knowledge of networking.
- Dedicated experience as a network/firewall engineer, administrator, designer, implementer, or support technician with technologies, tools, and process controls to minimize risk and data exposure.
- Knowledge of information security industry and regulatory obligations (PCI, FISMA, HIPAA, ISO 27001/27002, NIST Framework) pertaining to vulnerability management.
- Experience producing professional training material, presenting at professional security conference, or teaching a subject in a formal class setting.
- Advanced specialized professional certifications in the domain of vulnerability assessments or penetration testing, such as GWAPT, GMOB, GXPN, OSCE, OSWE, and CEPT.
- Possesses a US Government security or suitability clearance.
Alternate Location: US-Arizona-Phoenix; US-Colorado-Broomfield; US-Colorado-Littleton; US-Massachusetts-Framingham; US-Minnesota-St Paul; US-Missouri-Saint Louis; US-Ohio-Dublin; US-Virginia-Arlington; US-Virginia-Herndon; US-Washington-Bellevue
Requisition #: 215676
This job may require successful completion of an online assessment. A brief description of the assessments can be viewed on our website at http://find.centurylink.jobs/testguides/
We are committed to providing equal employment opportunities to all persons regardless of race, color, ancestry, citizenship, national origin, religion, veteran status, disability, genetic characteristic or information, age, gender, sexual orientation, gender identity, marital status, family status, pregnancy, or other legally protected status (collectively, protected statuses). We do not tolerate unlawful discrimination in any employment decisions, including recruiting, hiring, compensation, promotion, benefits, discipline, termination, job assignments or training.
The above job definition information has been designed to indicate the general nature and level of work performed by employees within this classification. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities, and qualifications required of employees assigned to this job. Job duties and responsibilities are subject to change based on changing business needs and conditions.
Apply on company website