VP , P4, Lead Cybersecurity Eng : Job Level - Vice President

The Security Design and Controls Team (SecDesign) team is part of the Cyber Data Risk & Resilience (CDRR) organization. The mission of the SecDesign team is to provide security architecture assessments of technology systems and processes to identify business risks and recommend remedial action based on established security standards or security best practices. The SecDesign Generalist is an internal consultant that is working on multiple security architecture and design assessments spanning multiple classes of technologies. It is an opportunity to get involved in multiple business units and technologies inherent to the mission of SecDesign. The Integrator works with team members (Technology, Business, Suppliers, Stakeholders and Partners) globally to perform SecDesign assessments. To be successful as an Integrator the candidate must have broad technology experience coupled with risk management, communication, and time management skills. The candidate will also be working with a global team of experts on modernizing the Firm's SDLC platform to enable deployment automation to private and public cloud endpoints and SaaS-based tooling. This role affords the opportunity to get in on the ground floor to help build the next generation of development and deployment tooling across a diverse set of tech stacks for the next decade.

A SecDesign Generalist has the following responsibilities:
1. Lead SecDesign security analysis of the architecture or solution with the requestor of the assessment.
2. Prioritize risks identified in relation to business risks.
3. Conduct assessment and provide technology risk/requirements to the requestor. Areas covered:
a. Authentication, Authorization, Auditing
b. Application Security - Session Security, Vulnerability/Pen Testing items, Input Validation
c. Secure data in transit, at rest and in use
d. Network Security Principles and best practices.
e. Cloud Security Principles and best practices
4. Periodically review security reference architecture (security blueprints) and conduct updates/enhancements.
5. Participate in various Operational and Technology Risk governance processes.
6. Assist in identifying new areas and opportunities of technology investment for the firm.
7. Provide peer review signoff on security analysis (FTE only)
8. Liaise with Risk Officers, Business stakeholders and senior management regarding identified risks and remediation deadlines.

Additional responsibilities for a country lead for their respective coverage regions:
9. Establish, manage and lead team in one (or more) countries carrying out day-to-day operations with minimal oversight
10. First point of contact for all escalations from their region for decision making
11. Provide senior coverage and direction on cases of note to ensure consistent and timely delivery in line with global standards
12. Liaise with Technology senior management across divisions and Risk Officers/ORD to align local divisional business needs with team operations
13. Plan, execute and own their location's strategy including appropriate FTC vendor identification and engagement. Soft Skills (Required)
1. Excellent communication skills: written, oral, presentation, listening.
2. Ability to influence through factual reasoning.
3. Time management: ability to handle multiple concurrent assessments, plan based deliverable management, strong follow up and tracking.
4. Strong focus on delivery when presented with short timelines and increased involvement from senior management.
5. Ability to adjust communication of technology risks vs business risks based on the audience.

Security Architecture Skills
1. Required - In depth knowledge of application, network, and platform security vulnerabilities. Ability to explain these vulnerabilities to developers.
2. Required - Experience in conducting Information Security, IT Security, Audit assessments. Presenting the outcomes of the assessment and obtaining buy in.
3. Required - Strong focus on reviewing technical designs and functional requirements to identify areas of Security weakness.
4. Required - Knowledge of Cloud Service Providers (AWS/Google/Azure) cloud, DevOps and CI/CD
5. Required - The candidate must have working experience in at least three of the following application/network security domains:
a. Authentication: SAML, SiteMinder, Kerberos, OpenId
b. Identity and Access Management
c. Data protection, data leakage prevention and secure data transfer and storage
d. App Security - validation checking, software attack methodologies.
e. Cryptography - encryption and hashing
6. Desired - Prior experience administering systems for version control (Bitbucket, Github), issue tracking (Jira), continuous integration (Jenkins, Github Actions), or release management.
7. Desired - Knowledge of standard network model and the risks that present at each layer, the functions of network equipment such as switches, routers, firewalls, proxies, VPNs, and load-balancers, and understanding of common network architectures.
8. Desired - The candidate must have working knowledge of the primary operating systems (Unix, Windows, z/OS, Mac OS), the configuration and management of that platform at an enterprise scale, the security risks to that platform, and how to mitigate those risks.
9. Desired - experience in testing tools, at least one of Veracode, Fortify, OunceLabs, AppScan, WebInspect, Burp.

Development Experience
1. Required - Even though the SecDesign Integrator role is not a development role, the candidate must have previous background in programming, design, and application architecture.
2. Required - In order to be a practical SecDesign Integrator the candidate must have experience implementing complex applications in an enterprise environment.
3. Required - working knowledge of programming and scripting languages: Java, JavaScript, C#, C/C++, Perl, Python, Ruby
4. Desired - In-depth knowledge of web technologies such as Web Browsers, Web Servers, Web Services

Other Areas of Expertise
1. Frameworks, protocols, and subsystems: J2EE, .NET, Spring, RPC, SOAP, MQSeries, JMS, RMI, JMX, Hibernate.
2. Knowledge of JSP /Servlet/EJB or ASP.NET, HTTP/HTTPS, Cookies, AJAX, JavaScript, Flex / Silverlight.
3. Database design and programming experience
4. Experience of liaising with 3rd Party Entities (exchanges, suppliers, regulators)
5. Experience in conducting and / or reviewing penetration tests, dynamic vulnerability assessments and static vulnerability assessments.
6. Understanding of geographic regulations and their impact on Security assessments
7. Previous experience in Financial Services is preferred.
8. CISSP or other industry qualification
9. Desired - experience working with global organizations.

Educational Requirements
- Bachelor's Degree (or equivalent) with minimum 7 years relevant work experience in high-paced, enterprise environment

WHAT YOU CAN EXPECT FROM MORGAN STANLEY:

We are committed to maintaining the first-class service and high standard of excellence that have defined Morgan Stanley for over 89 years. Our values - putting clients first, doing the right thing, leading with exceptional ideas, committing to diversity and inclusion, and giving back - aren’t just beliefs, they guide the decisions we make every day to do what's best for our clients, communities and more than 80,000 employees in 1,200 offices across 42 countries. At Morgan Stanley, you’ll find an opportunity to work alongside the best and the brightest, in an environment where you are supported and empowered. Our teams are relentless collaborators and creative thinkers, fueled by their diverse backgrounds and experiences. We are proud to support our employees and their families at every point along their work-life journey, offering some of the most attractive and comprehensive employee benefits and perks in the industry. There’s also ample opportunity to move about the business for those who show passion and grit in their work.

To learn more about our offices across the globe, please copy and paste https://www.morganstanley.com/about-us/global-offices​ into your browser.

Morgan Stanley is an equal opportunities employer. We work to provide a supportive and inclusive environment where all individuals can maximize their full potential. Our skilled and creative workforce is comprised of individuals drawn from a broad cross section of the global communities in which we operate and who reflect a variety of backgrounds, talents, perspectives, and experiences. Our strong commitment to a culture of inclusion is evident through our constant focus on recruiting, developing, and advancing individuals based on their skills and talents.