Job type: Full-time

Job content

At M&G our vision is to become the best loved and most successful savings and investment business, and we’re looking for people who are excited about joining us on our journey. We’re digitally transforming and investing heavily in technology and innovation to develop new and improved customer propositions that really raise the bar for our customers. To help us achieve our vision we’re looking for exceptional people who live our values and behaviours and who can inspire others, embrace change, deliver results and keep it simple.

We know that an inclusive environment makes us more accessible and ensures we attract, engage, promote and retain exceptional people. We welcome applications from all individuals regardless of age, gender/gender identity, sexual orientation, ethnicity/nationality, disability, or military service and welcome those who have taken career breaks. We will consider flexible working arrangements or home working arrangements for any of our roles.

What You Can Expect From Us

We are committed to creating an environment where you can be exceptional at all you do. To help us deliver this, we promise to:
  • Challenge Your Limits by creating a stimulating working environment and providing opportunities for you to be involved in meaningful and challenging work
  • Support Your Aspirations with a commitment to learning and development that helps you achieve and build your experience with people who want you to succeed
  • Value Your Input whereby leaders and managers will involve you in key decisions, listen to your thoughts and recognise the important contribution you make
  • Balance Your Life through a work life partnership that focuses on making this an inclusive, diverse and friendly place to work and offers the flexibility and support that enables everyone to be at their best
How Do We Support Our Employees

All M&G plc employees will be supported in the workplace through our M&G Employee Assistance Programme (EAP). If you need counselling or confidential financial or legal advice, the service is available 24 hours a day, 365 days a year and offers access to qualified professionals who can provide specialist information, advice and support on many issues. It offers a broad range of services, including help with family issues, maintaining work/life balance and mental health support.

Role title: Threat and Vulnerability Analyst

Location: All M&G UK sites are considered

Work Level: Experienced Colleague

The Role

Lead the global vulnerability management capability, both technically and in process. The role is key in supporting information security risk management in the identification and management of risk, and in providing support and remediation strategies to Technology & Platform owner colleagues. Responsible for tracking security weaknesses and improvements and helping the organisation be protected. The role will require you not only to work closely with multiple internal stakeholders to assure and improve M&G’s risk posture, but also to ensure that the Service Provider M&G uses to operate Threat and Vulnerability Management is delivering against its commitments.

Key Work Level Accountabilities

Experienced Colleague:
  • Accountable for providing a quality service or product to customers and stakeholders, using skills/experience built through significant practical experience or training
  • For team leaders, accountable for ensuring the team the role supports is delivering a quality service or product
  • Works within established frameworks and procedures, with the freedom to interpret them to solve a range of problems
  • Delivers outputs that are clearly defined, using discretion over how to achieve them
  • Makes suggestions for improvements to the work of the team, based on previous experience and knowledge of similar situations
Key Responsibilities For This Role
  • Support the threat intelligence lead in developing the roadmap for threat and vulnerability management.
  • Analyse threat intelligence to ascertain impact to the M&G business
  • Use threat intelligence information to inform vulnerability remediation decisions
  • Manage the VM supplier to identify, evaluate and prioritise potential weaknesses in infrastructure using both manual and automated methods.
  • Support infrastructure teams and platform owners in the remediation management of identified vulnerabilities, influencing prioritisation and execution of risk management initiatives, and drive remediation of process and technology gaps.
  • Define vulnerability assessment and penetration testing policies and standards in alignment with the Information Security strategy and security policy.
  • Serve as the subject matter expert for the threat and vulnerability platform and metrics reporting
  • Use of threat intelligence to enable the early detection of critical vulnerabilities and exposures relevant to safeguarding the company’s information assets.
  • Provide in-depth analysis of vulnerabilities and impacts to key stakeholders with the support of the threat intelligence lead.
  • Lead critical vulnerability identification and response exercises.
  • Manage the third party vulnerability management service ensuring that SLAs and KPIs are achieved
  • Support the Threat Intelligence Lead in being the point of contact with internal and external audit in relation to Threat and Vulnerability Management’s control obligations.
Interfacing With The Following Functions
  • Vulnerability Management Service Supplier
  • M&G Technology (CITO)
  • Business unit risk and security stakeholders
  • Internal Audit, Technology Group Risk and Controls (TGRC)
  • Infrastructure Service Supplier and Security Operations Managed Service Security Providers (MSSP)
Governance & Controls
  • Ensuring operational adherence to controls obligations
  • Support the creation of, and production of MI to provide management with an understanding of the effectiveness of the Threat and Vulnerability Management service and the risk/compliance status of M&G plc.
  • Working collaboratively with SOC Leadership to support Technology Group Risk and Control in responding to and engaging with internal and external auditors where required
Stakeholder Management
  • Manage significant interdependencies, collaboration and stakeholder management across the M&G Plc organisation, managing complex relationships
  • Build and maintain an active network of contacts, both internally in the M&G Prudential organisation, with 3rd Party Service Providers and externally in the security industry, actively participating in information exchanges on a formal and informal basis.
  • Represent the Security Operations function at security and assurance committees as required
  • Build strong relationships with the rest of the cyber security team and the wider business to collaborate on initiatives and raise awareness of the Cloud Security Posture position.
  • Engage proactively with key business stakeholders internally and with outsourcers, to ensure consistent delivery of services.
Pursuing Goals
  • Seeks learning opportunities beyond current requirements.
  • Sets challenging goals and standards of excellence beyond current job.
  • Actively pursues personal and technical self-development, and seeks challenging assignments.
Key Knowledge, Skills & Experience

Experience/Capabilities statements
  • Experience in managing and configuring commercial vulnerability scanning technology.
  • Experience in creating clear MI articulating complex risk profiles simply
  • Experienced in setting up scanning profiles, conducting routine scans of security environments, overseeing remediation efforts.
  • Experienced in agent and appliance based vulnerability assessments.
  • Background in security threat analysis, with the ability to determine the risk level of identified threats and the necessary urgency of remediation.
  • Experience in the identification of Cyber Security Threats and understanding of TTPs to translate into key controls
  • Experience in Security Operations Centre processes to link threat and vulnerability processes into the detection and response capabilities.
  • Possess strong technical understanding of common network and system vulnerabilities. Understanding of networking principles (OSI Model, routing, TCP/IP).
  • Experience of network infrastructure.
  • Ability to present risks and propose countermeasures to senior technology executives (CISO, CIO).
  • Experience of regulatory compliance and policy enforcement.
  • Excellent communication and interpersonal skills.
  • In depth knowledge of Tenable highly desirable.
  • Desirable certifications: CEH, CISM, CompTIA Security, CompTIA A+, and MCITP
Personal Attribute/skills
  • Skilled relationship management across multiple stakeholders and cultures
  • Analytical mindset – to critically analyse plans and highlight critical paths, risks and gaps
  • Strong influencing skills – to steer key stakeholders, such as platform and technology service owners
  • Compelling communication skills – to connect with technical teams in the detail as well as senior stakeholders in clarity of status
  • Strong teaming skills – building mutually beneficial relationships and developing a culture of “one team with common aligned goals”
  • Highly organised, excellent prioritisation and planning skills.
  • Prepared to challenge to ensure appropriate risk management decisions.
  • You’re a team player who can help everyone pull together to achieve shared goals.
Qualifications
  • Desirable: CEH, CISM, SANS Threat and Vulnerability Assessment
Recruiter: Frazer Wilson

Location: All UK M&G sites considered

Closing Date: 15/11/2021

We live by four behaviours at M&G and we ask all our employees to:
  • Inspire Others - Support and encourage each other, creating an environment where everyone can contribute and succeed
  • Embrace Change - Be open to change, willing to be challenged and able to adapt quickly and imaginatively to new ideas
  • Deliver Results - Focus on outcomes, set high standards and deliver with energy and determination
  • Keep it Simple - Cut through complexity and bureaucracy, be clear and decisive and never overcomplicate things

Deadline: 16-07-2024
