Capital One: Manager, software development security risk oversight – cyber risk management

McLean 1 (19050), United States of America, McLean, VirginiaAt Capital One, we’re building a leading information-based technology company.

Still founder-led by Chairman and Chief Executive Officer Richard Fairbank, Capital One is on a mission to help our customers succeed by bringing ingenuity, simplicity, and humanity to banking.

We measure our efforts by the success our customers enjoy and the advocacy they exhibit.

We are succeeding because they are succeeding.

Guided by our shared values, we thrive in an environment where collaboration and openness are valued.

We believe that innovation is powered by perspective and that teamwork and respect for each other lead to superior results.

We elevate each other and obsess about doing the right thing.

Our associates serve with humility and a deep respect for their responsibility in helping our customers achieve their goals and realize their dreams.

Together, we are on a quest to change banking for good.Manager, Software Development Security Risk Oversight Cyber Risk ManagementCyber Risk Management is a growing organization focused on providing expert advice, credible challenge, and effective oversight of information security and technology activities to identify, assess, control, and manage cyber and technology risk throughout the company.

This organization plays a critical role in helping to ensure that the company’s risk-taking entities are aware of the risks inherent in their activities and decisions, the impact of their actions on the company at an enterprise level, and opportunities to reduce, mitigate, or avoid risks altogether.

Associates within the Cyber Risk Management organization are highly-skilled information security, cyber, technology, or risk management professionals who have a wealth of experience and a demonstrated ability to provide value-added recommendations and deliver high-impact results in their areas of expertise.

This position – Manager, Software Development Security Risk Oversight –will play a key role in assessing, challenging and advising on the secure software development lifecycle (SDLC), open-source software security (OSS), continuous integration/continuous deployment (CI/CD) pipelines, and agile delivery.

As part of the second line of defense, you will collaborate closely with associates in Cyber, Technology, the Lines of Business, and other risk management offices.

You will help develop and further build our 2nd line oversight and credible challenge program for the SDLC.

You will perform and support evaluations of the Capital One’s delivery pipeline, SDLC governance, controls and practices and offer independent advice and recommendations regarding ways to further mature the firm’s cyber and technology risk management capabilities.

In addition, you will contribute to the identification and analysis of new or emerging cybersecurity and technology risks to the enterprise, and aid in integrating cloud engineering practices with other risk management programs across the enterprise.

Essential Functions (Responsibilities): Provide technical leadership in assessing the practices of designing, developing, testing and implementing cloud native solutions to crucial business problems through thoughtful use of industry best practices and Capital One policy.

Perform risk analysis of open source software and CI/CD policies, procedures, and controls.

Evaluate/assess complex technological and business environment migrations to the cloud and integrated end-to-end solution options Build and maintain relationships with technical leaders, business owners, engineers and other stakeholders to understand and evaluate implementation plans, business priorities and technical solutions to ensure risk are well communicated and understood by the key stakeholders Keep up-to-date on cutting edge technology, standards, protocols and tools in areas relevant to the rapidly changing environment at Capital One, specifically containerization, serverless, and emerging AWS services Demonstrate strong analytical, problem-solving, and decision-making skills Communicate and drive highly complex technology solutions to broad audiences including executives, business leaders, product managers, legal experts, security specialists and software engineers Define, structure and plan work independently Perform independent risk assessment of our cloud environment focusing on architecture, engineering, networking, governance.

Provide expertise and advice regarding the effectiveness of device configurations, IT architecture, or IT engineering solutions Consult with risk owners on the design and implementation or adjustment of mitigating controls associated with emerging technologies Draft and publish independent reports for risk owners, senior management, and other stakeholders regarding risks associated with new or emerging technologies Professional security management certification; e.g.

Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC) Basic Qualifications: Bachelor’s Degree or military experience At least 3 years of experience with agile software development, APIs, micro-services, and modern technology design patterns At least 3 years experience with open source software security and vulnerability management At least 2 years experience with Public Cloud implementations (AWS, Google, Azure) At least 1 year experience in CI/CD pipelines with containerized workloads including EKS, ECS, Kubernetes, container-as-a-service, immutable infrastructure, and enabling blue-green deployments At least 1 year experience with Application Security testing (DAST, SAST, IAST) Preferred Qualifications: Master’s Degree in Computer Science or in an Engineering discipline AWS Certified Professional Architect or other equivalent AWS certification CCSP, CCSK, or equivalent certification Experience implementing resilient cloud applications and platform services on public cloud (AWS, GCP, Azure) Experience with micro-services architecture, cloud native architecture and 12 factor application architecture principles and implementation Experience in, Data Analytics; Data Science platforms, Integration Services (RESTful API, data streams, files), Real-time monitoring and intelligence, or DevOps/CI/CD Experience with Information Security at the policy, architecture or implementation level Experience with identifying and communicating key risks related to cloud native implementations and architectures Experience applying control frameworks such as CSA-CSM, CIS, and FedRAMP At this time, Capital One will not sponsor a new applicant for employment authorization for this position.

SDL2017