Senior Information Security Specialist

• The Information Security Specialist III is a senior technical expert responsible for leading the design, implementation, and oversight of the organization's cybersecurity strategy. This role requires deep knowledge of information security concepts, advanced threat mitigation techniques, and regulatory compliance. The Specialist III serves as a key advisor to leadership and mentors junior team members while playing a central role in security architecture, incident response, and risk management initiatives.

Project Overview:

• You will primarily work with your team and external teams to solve challenging problems, communicate status to stakeholders, implement process changes and maintain existing systems, while researching new technologies. Rely on your broad experience and leadership skills to resolve business needs mentor less experienced team members, and resolve issues with efficiency. Your role is critical in keeping the team focused and moving at a sustainable pace.

Requirements:

• Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or a related field (Master’s degree preferred); or equivalent experience.
• 5+ years of progressively responsible experience in information security roles.
• Proven expertise in areas such as incident response, threat hunting, cloud security, data loss prevention, or security engineering.
• Strong knowledge of cybersecurity frameworks (e.g., NIST CSF, CIS Controls, MITRE ATT&CK).
• Experience with advanced security tools and platforms (e.g., SIEM, SOAR, EDR, CASB, DLP).
• Excellent analytical, problem-solving, and communication skills.
• Experience developing and presenting security metrics and executive-level reports.
• Professional certifications such as:
• CISSP (Certified Information Systems Security Professional)
• CISM (Certified Information Security Manager)
• GIAC certifications (e.g., GCIA, GSEC, GCPN)
• AWS/Azure/GCP security certifications
• Experience in secure software development lifecycle (SSDLC) or DevSecOps practices.
• Familiarity with governance, risk, and compliance (GRC) tools.
• Leadership experience in cross-functional security initiatives or mentoring security teams.

Responsibilities:

• Lead complex security investigations and manage incident response processes across endpoints, networks, cloud, and applications.
• Design and implement enterprise-level security solutions and controls.
• Conduct risk assessments and develop strategies to mitigate information security risks.
• Ensure ongoing compliance with regulatory and industry standards (e.g., NIST, ISO 27001, SOC 2, HIPAA, PCI DSS).
• Provide subject matter expertise on cybersecurity architecture and secure system design.
• Analyze threat intelligence and apply findings to strengthen organizational defenses.
• Influence and implement TMHCC security policies, procedures, standards, and guidelines.
• Serve as a mentor and technical resource to other information security staff.
• Collaborate with cross-functional teams including IT, legal, compliance, and business units to align security initiatives with business goals.
• Lead internal and external security audits and prepare management reports on risk posture and mitigation plans.
• Core Application Security Technical Expertise
• Secure Software Development Lifecycle (SSDLC):
• Shift-Left Security: Deep understanding of how to embed security throughout the entire development pipeline, from requirements gathering and design (threat modeling) to coding, testing, and deployment.
• DevSecOps Principles: Experience integrating security tools and practices into CI/CD pipelines (SAST, DAST, SCA, IAST).
• Secure Coding Practices: Knowledge of common vulnerabilities (e.g., OWASP Top 10, CWE Top 25) and how to prevent them through secure coding. This includes understanding language-specific security best practices (e.g., .NET, Python, Java, JavaScript).
• Vulnerability Management and Testing:
• Static Application Security Testing (SAST): Ability to analyze source code for vulnerabilities without executing it.
• Dynamic Application Security Testing (DAST): Experience with scanning running applications for vulnerabilities.
• Software Composition Analysis (SCA): Proficiency in identifying and managing vulnerabilities in open-source and third-party components.
• Interactive Application Security Testing (IAST): Knowledge of tools that combine aspects of SAST and DAST for more comprehensive runtime analysis.
• Manual Penetration Testing & Code Review: Strong skills in manual security testing techniques and the ability to perform thorough code reviews for security flaws.

Cloud Security:

• Cloud Native Application Security: Expertise in securing applications deployed in cloud environments (AWS, Azure, GCP), including serverless, containers (Docker, Kubernetes), and microservices architectures.
• Cloud Security Best Practices: Understanding of cloud provider-specific security features (e.g., AWS Security Hub, Azure Security Center, GCP Security Command Center), secure configuration, and access management within cloud contexts.

API Security:

• OWASP API Security Top 10: Deep understanding of common API vulnerabilities and how to design and implement secure APIs.
• Authentication and Authorization: Expertise in securing API endpoints with robust authentication (OAuth, OpenID Connect) and fine-grained authorization.
• Identity and Access Management (IAM):
• Authentication Mechanisms: Strong knowledge of multi-factor authentication (MFA), single sign-on (SSO), and adaptive authentication.
• Authorization Models: Experience with role-based access control (RBAC), attribute-based access control (ABAC), and least privilege principles.
• Secrets Management: Proficiency in implementing and managing solutions for secrets management (e.g., HashiCorp Vault, CyberArk, cloud native secret stores).