Playing a lead role in identifying, defining and implementing platform and company security requirements, and working reporting to the Head of Technology within the development and DevOps team to help design secure architecture and ensure compliance with our regulatory and governance requirements.
For Purple's cloud hosting, owning all security procedures, security architecture, security documentation and security standards compliance within the dev, DevOps and SRE teams, and own monitoring and intelligence relating to all cyber threats.
The applicant should be curious about all aspects of technology, especially as it relates to infosec, and will be an enthusiastic learner. They will be passionate about the security of the business, and take every potential vulnerability as a personal affront. They will enjoy challenges, and be open and transparent about the problems they face, and will enjoy helping colleagues resolve their own problems without judgement.
The successful applicant will be hands-on and able to both design solutions and then implement and maintain those designs.
The successful applicant will be able to demonstrate as many of the core competencies as possible, but we understand that any applicant is unlikely to meet all the criteria immediately.
- Understanding of designing, building, and delivering a security programme in line with business objectives
- Security and monitoring in IaaS environment (GCP, AWS, or Azure - Purple primarily host in GCP)
- Knowledge of ISO27001 and GDPR
- Assess and analyse a wide range of information to draw conclusions on how to improve the security of our systems
- Deep knowledge of networking, infrastructure and applications from a DevOps perspective with a security focus
- Data storage/architecture best practices with respect to data security
- Awareness of common software security flaws and web application security best practice (OWASP top 10, CWE/SANS Top 25)
- Vulnerability management (OWASP Zap)
- SIEM (Security Onion)
- Experience of EDR solution (ideally CrowdStrike)
- Identity and Access Management
- Maintaining documentation on how to secure and maintain all Purple services
- Applying/enforcing relevant parts of industry standards like IS27001 and PCI DSS
- Understanding of DevOps and Agile principles and how to embed security into the SDLC
- Strong understanding of Linux tooling and ecosystem
- Line management responsibilities
- Make it happen - We own things and get them done whatever it takes
- Playful and positive - Life's too short to take things too seriously, we like to have fun while we're working and we love positivity - and yes the glass is half full
- We're in it together - We all have our day jobs to do, our KPI's to hit and projects to complete but we're always available to help for the greater good of the business
- No bullsh*t, no politics - Seriously! We want to enjoy coming to work and that stuff doesn't make it pleasant
- Know your stuff, keep learning - We value people who have the knowledge and have a thirst for it, lots of it
- No drama - Things don't always go right as much as we try, having a hissy fit over it won't help the situation and you won't find that here
- With great data, comes great responsibility - Personal data is a big thing, particularly when you are the custodian of a lot of it, we take that very seriously