The Options Clearing Corporation (OCC) is the world's largest equity derivatives clearing organization. Founded in 1973, OCC is dedicated to promoting stability and market integrity by delivering clearing and settlement services for options, futures and securities lending transactions. As a Systemically Important Financial Market Utility (SIFMU), OCC operates under the jurisdiction of the U.S. Securities and Exchange Commission (SEC), the U.S. Commodity Futures Trading Commission (CFTC), and the Board of Governors of the Federal Reserve System. OCC has more than 100 clearing members and provides central counterparty (CCP) clearing and settlement services to 19 exchanges and trading platforms. More information about OCC is available at www.theocc.com.
What We Offer
A highly collaborative and supportive environment developed to encourage work-life balance and employee wellness. Some of these components include:
A hybrid work environment, up to 3 days per week of remote work
Tuition Reimbursement to support your continued education
Student Loan Repayment Assistance
Technology Stipend allowing you to use the device of your choice to connect to our network while working remotely
Generous PTO and Parental leave
Competitive health benefits including medical, dental and vision
What you'll do
The Director, Security Engineering is responsible for the analysis, design, testing, documentation, support, monitoring, and administration of the information security technology product portfolio in compliance with OCC information security policies, standards, and procedures as well as applicable Financial Regulator guidance and requirements.
Manage a team of highly skilled security engineers; oversee, and execute key governance activities such as audit, compliance and process effectiveness testing.
Must have ability to think with a security mindset. The successful candidate must have a strong information security and technology background with in-depth knowledge of several key security practice areas to include access control; privileged access management; application security; identity and access management; data security and governance; network security; security architecture; mobile security and various cloud-based security strategies
Primary Duties and Responsibilities:
To perform this job successfully, an individual must be able to perform each primary duty satisfactorily.
Responsibilities of the role are as follows:
Define and assess the effectiveness of security controls for cloud-based platforms (Amazon AWS, Microsoft Azure etc.) and the major supporting service applications (storage, logging, access controls, etc.).
Collect and analyze security requirements from internal customers; reconcile and remediate any conflicts with information security policies and standards.
Design, test, and manage the implementation of security solutions using existing products in the OCC security portfolio: firewalls, proxy servers, intrusion detection/prevention, data loss prevention, anti-virus, anti-spam, vulnerability scanning, security information and event management, etc.
Provide recommendations on and lead the implementation of security solutions per the organization’s change management process and procedures.
Develop, implement, and execute control activities to ensure that security products, processes, and procedures are working as intended; remediate any deficiencies detected; provide documentation and other artifacts.
Develop and collect metrics that measure the volume and trends of work activities and events within the security operations capability; provides regular reports to management.
Assess risks to the confidentiality, integrity, and availability of the organization’s information assets; makes risk treatment recommendations to management; researches, evaluates, and recommends new security products, processes and procedures.
Collaborate with technology teams on deployments requiring the establishment of new backend systems, configurations, or controls.
Provide security engineering support and expertise to enterprise IT projects that cross multiple platforms and ensure alignment with corporate security architecture.
Support the creation of and adherence to cybersecurity and information security reference architectures by developing reusable patterns for security.
Work directly with product and development managers to track and remediate application and infrastructure vulnerabilities.
Thorough knowledge of common security standards to include NIST Cybersecurity Framework, NIST 800-53, ISO 27001, and COBIT and their application within a regulated financial sector institution.
Experience working with modern infrastructure and application security systems, host-based intrusion detection and prevention systems, stateful firewalls, symmetric and asymmetric encryption systems, zero-trust architecture and other security technologies relevant to web operations and mobile workforce management.
Maintain current understanding of cyber threat activity relevant to OCC’s business activities and technology and able to articulate their associated actors, exploits and opportunities to improve OCC’s specific defense capabilities.
Familiarity with distributed, cloud-hosted, service-oriented web applications using modern deployment technologies (Docker, Citrix, VMWare, Kubernetes, etc.).
Familiarity with modern infrastructure and message bus tooling: web services, Kafka, Hadoop, Hive, etc.
Ability to articulate the business risk associated with identified security weaknesses to senior management, Board of Directors, and Financial Regulators. Prepare formal written materials to support responses to Financial Regulator inquiries and as part of Regulatory Exams.
Manages all members of the Security Engineering team within Security Services.
Assigns personnel to projects, directs their activities and performs personnel actions (hiring, promotions, terminations, etc.).
Confer with and advise subordinates on administrative policies and procedures, technical problems, priorities and methods.
Prepare performance expectation plans and monitor progress to satisfy employee and management goals.
Promote employee development by conducting career-planning sessions with staff and selecting and scheduling employee training classes, conferences and seminars.
The requirements listed are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the primary functions.
Excellent communication, interpersonal, analytical, judgment and management skills.
Ability to work with customers, internal management, and staff.
Ability to deal effectively with stressful situations.
Proven ability to lead and motivate staff.
Ability to effectively communicate in both formal and informal review settings with all levels of management.
Ability to work with local and remote IT staff/management, vendors, and consultants.
Ability to work independently and possess strong project management skills.
Practical working knowledge of:
SIEM (Splunk ESM, ArcSight, IBM QRadar, McAfee NitroSecurity, etc.) solutions
Forensic analysis tools (MIR, EnCase, FTK)
Malware analysis tools (dynamic and static)
Vulnerability assessment tools (Qualys, ISS Scanner, Nmap, Nessus, Nexpose etc.)
Secure Web Gateway (BlueCoat, Microsoft Forefront) solutions
Network sniffers and packet tracing tools (DSS, Ethereal and tcpdump, WireShark).
Intrusion Detection & Prevention Tools (Cisco Firepower, Palo Alto, etc.)
Encryption technologies (PGP, PKI and X.509)
Experience with Active Directory security, including scans, best practices and security configuration
Experience with Application Security controls including design, dynamic scans, static code analysis
Complete knowledge of dynamic Incident Reponses process, procedures, and tools
Identity and access management (I&AM) experience with Active Directory, NTFS permissions, LDAP and Single Sign On (SSO) solutions.
Proxy and caching services
Windows and Linux Client/server platforms
Operating system hardening procedures (Linux, Windows, etc.)
LAN/WAN routing and high availability (OSPF, BGP4/iBGP, EIGRP and NSRP)
Fundamental understanding of the underlying protocols and data used as the basis for the security monitoring service, including: HTTP, HTTPS, SQL, TCP/IP, Active Directory
Application and database security experience, including code reviews.
Network and security engineering experience, including log and network traffic capture analysis.
Experience with system hardening procedures for Windows, Linux, UNIX.
Security policy, standards, governance, privacy or regulatory experience (e.g., NIST, ISO, SEC Regulation SCI, CFTC, and Federal Reserve guidance).
Knowledge of Microsoft Mobile Device Management and Mobile Application Management platforms.
Knowledge of programming and scripting for development of security tools and industry frameworks.
Education and/or Experience:
15+ years of experience in security environment management or 10 years equivalent combination of education and work experience
Bachelor’s degree in Computer Science, MIS or related discipline a plus; 5+ years of experience managing people and projects
Experience managing multiple, simultaneous projects
Track record of successful experiences with senior level representation and team building skills
Senior level knowledge of the cyber security industry and measures/techniques applied to both measure and reduce risk
Technical experience and comprehensive knowledge of threat actor capabilities, intentions, methodologies and motives.
Familiarity with computer network exploitation and network attack methodologies and understanding of the relationship these activities have with the Financial Services industry and critical infrastructure.
Certificates or Licenses:
Professional network and/or security certifications a plus (i.e., GIAC, CISSP, CISA, CISM, CRISC)
When you find a position you're interested in, click the 'Apply' button. Please complete the application and attach your resume.
You will receive an email notification to confirm that we've received your application.
If you are called in for an interview, a representative from OCC will contact you to set up a date, time, and location.
For more information about OCC, please click here.
OCC is an Equal Opportunity Employer