Senior Security Architect

CA ON Toronto, Canada

Ontario Securities Commission

The Ontario Securities Commission is an independent Crown agency that regulates Ontario’s capital markets by making rules that have the force of law and by adopting policies that influence the behaviour of capital markets participants.


Regular, Full time

Closing Date: May 1, 2025

The Ontario Securities Commission (OSC) is the statutory body responsible for regulating Ontario’s capital markets in accordance with the mandate established in the provincial Securities Act and the Commodity Futures Act. The mandate of the OSC is to provide protection to investors from unfair, improper or fraudulent practices, to foster fair, efficient and competitive capital markets and confidence in the capital markets, to foster capital formation, and to contribute to the stability of the financial system and the reduction of systemic risk. This mandate is performed through policy, operational, and enforcement activities. The OSC also contributes to national and global securities regulation development.

We offer a diverse, fair, and flexible work environment and take pride in our challenging and rewarding work.

Securities regulators from each of the 10 provinces and 3 territories of Canada have teamed up to form the Canadian Securities Administrators (CSA). The Canadian Securities Administrators (CSA) is a voluntary umbrella organization of Canada’s provincial and territorial securities regulators whose objective is to improve, coordinate and harmonize regulation of the Canadian capital markets.

The CSA operates, through various agreements, a number of shared information technology systems that serve securities regulatory purposes and functions. These CSA National Systems are the primary interface between regulated entities and each provincial and territorial regulator. In addition, many of the systems provide information to other market participants including institutional investors and the public.

The operations, maintenance, and enhancement of the CSA National Systems are managed by the CSA IT Systems Office, which is co-located within the premises of the Ontario Securities Commission. A program is underway to replace the existing CSA National Systems.

Reporting to the Chief Technology Officer (CTO), the Senior Security Architect is responsible for setting the direction for the CSA ITSO’s Enterprise Architecture (EA) unit’s security strategy, continuously assessing threat levels and ensuring that key security protocols, practices and initiatives are adhered to consistently under all of the CSA’s jurisdictions. The Senior Security Architect oversees the design of longer-term strategies and plans, developing standards, control measures and tools that align with the EA’s security strategy and architecture to ensure there are no data compromises or security breaches.

The Senior Security Architect manages interactions with multiple vendors to ensure they deliver according to contract obligations and drive the success of outsourced services. This involves overseeing vendor performance, addressing issues, and ensuring adherence to agreed-upon security standards. The role also requires managing the vendor's management team to align with CSA’s security objectives and facilitate effective collaboration.

The Senior Security Architect plays a key role in the EA’s governance and process, assessing risk and solution integrity to identify and recommend corrective measures, updates and improvements and staying abreast of leading practices and new trends.

As a subject matter expert in security frameworks and regulations and in risk assessment, the Senior Security Architect provides technical leadership and advice to the Security Architecture team, to Security Analysts and to other members of the EA’s cross-functional project team to reduce security threats and mitigate risk across the CSA.

Key Duties and Responsibilities

Security Architecture and Governance

  • Develop, review, update and implement security controls, standards, policies and procedures, ensuring alignment with NIST CSF, CIS Controls, ISO 27001 and similar frameworks, as required to protect the CSA and maintain the integrity of all data systems, and ensuring alignment with the overall EA strategy and architecture across all CSA functions and jurisdictions
  • Collaborate with the CSA ITSO team and CSA Jurisdictional Staff to review, revise and introduce new security procedures and controls, and participate on projects, committees and relevant improvement initiatives
  • Oversee the design of strategic security measures and their implementation throughout development lifecycles and establish their operational footprint across enterprise architecture domains
  • Lead and define information security compliance framework and align with the CSA operations team to ensure its implementation
  • Identify current and emerging security threats, and design security architecture elements that mitigate threats while ensuring alignment to set standards, frameworks, and the overall business and technology strategy
  • Leverage communication channels within the CSA to increase awareness and understanding of security responsibilities across the organization and potential changes to security processes, gaining cooperation, and acceptance
  • Lead the CSA’s long-term cybersecurity strategy, emphasizing secure supplier relationships and scalable solutions

Leadership and Advisory

  • Build business cases and provide recommendations and advisory input for change and evaluate enterprise architecture solutions and potential implementation of strategic plans based on risk and cost
  • Advise cross-functional teams in developing and improving policies and procedures and design of security frameworks through subject matter expertise
  • Remain informed on trends and issues in the security industry to serve as a trusted advisor, lead education and awareness on matters related to security frameworks and risk assessment, and provide technical support where needed
  • Support the CTO in the preparation for information security committee meetings and represent the CSA and the EA unit in discussion as required
  • Align with relevant jurisdictions and legal bodies to ensure that all security frameworks are compliant with regulatory and data confidentiality requirements
  • Collaborate with regulators and CSA committees to understand when divisions/departments may face security attacks, and the potential impacts and consequences
  • Coordinate and participate in an annual table-top exercise with stakeholders.

Vendor Management

  • Manage ongoing relationships with IT vendors to ensure security solutions align with the current CSA security architecture.
  • Ensure vendors fulfill their contractual obligations and manage vendor deliverables.
  • Collaborate with procurement and legal teams to incorporate robust security clauses into supplier contracts and service level agreements (SLAs).
  • Review supplier SOC reports, PCI compliance reports, etc., to ensure the compliance of CSA systems and suppliers supporting CSA systems.
  • Oversee the vendor selection process by assessing vendors and solutions and providing selection recommendations.

Risk Management

  • Ensure vulnerability and threat guidelines, policies, procedures and standards are in line and consistent with the CSA’s and the EA’s broader strategy
  • Define key risk indicators (KRIs) and key performance indicators (KPIs) as they pertain to security frameworks, and provide recommendations to the CTO and to the governance team to ensure continuous improvement, adequacy, and adherence to the current security strategy and architecture
  • Conduct regular reviews of systems and manage reporting on system health, including monitoring and compiling monthly performance metrics, for executive reporting
  • Manage security reviews on all types of applications (design, source code, etc.) and analyze reports in order to highlight findings and threat discoveries, and to suggest optimization of security monitoring tools
  • Conduct security reviews and threat risk assessments continuously for both new and existing solutions to understand the overall risk management framework at the CSA, ensuring currency of the risk posture
  • Support the CTO with enterprise risk management requests, ensuring compliance with regulatory requirements, and provide projects with a security posture analysis/position
  • Plan and lead security assessments through third-party vulnerability testing, risk analysis, and both internal and external security audits as required

Incident Response

  • Support incident response activity in the event of a security incident
  • Review root cause analysis (RCA) reports and provide recommendations on the controls required to mitigate recurrence of incidents
  • Coordinate with cyber insurer and forensics team to review results and recommendations

DevSecOps Integration

  • Work with suppliers to embed security into their development processes, including CI/CD pipelines with tools for Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA)
  • Automate security checks and compliance testing through supplier-provided solutions, ensuring seamless integration with CSA systems
  • Ensure suppliers design and implement secure cloud architectures on platforms such as Azure and AWS, incorporating best practices for identity management, encryption, and monitoring
  • Validate Infrastructure as Code (IaC) templates provided by suppliers to meet security requirements

Qualifications

  • University degree in Computer Science or Engineering or in a related field
  • Minimum 8 years’ experience in Security Architecture or Risk Management role, preferably 5 of which in the financial industry
  • CRISC, CISM, CISSP, CISA or equivalent certification is considered an asset
  • Remain up to date on IT governance frameworks, security programs and roadmaps
  • Strong negotiation and communication skills, and ability to perform cost/risk/benefits analysis
  • Strong written skills
  • Previous public sector experience
  • Ability to synthesize complex information and present it through a risk-to-business lens
  • Demonstrable experience with solution modelling, conducting security reviews, implementing information security recommendations, analyzing technical controls and applying security control standards
  • Strong understanding of various security controls, their strengths and weaknesses, and how best to apply them successfully to mitigate threats.
  • Effectively manage positive relationships with internal and external stakeholders
  • Knowledge of secure application development practices and how they can be used effectively
  • Exceptional knowledge of application, network, and operating system security, security architectures and the application of privacy and security controls (i.e., authentication, authorization, auditing, encryption etc.)

Grow your career and make a difference working at the OSC.

* OSC Employees: please apply in Workday using the Browse Jobs feature within your Jobs Hub *


We thank all applicants for their interest in the Ontario Securities Commission. We will contact those selected for an interview.

The OSC is committed to diversity and providing an inclusive workplace and providing accommodation in accordance with the Accessibility for Ontarians with Disabilities Act and the Human Rights Code. It is our priority to ensure employment opportunities are visible and barrier-free to all under-represented groups including but not limited to, Indigenous, Black and racialized groups, people with disabilities, women and people from the 2SLGBTQI+ community, to achieve an employee demographic profile reflective of the demographic profile of Ontarians.

The OSC is a proud partner with the following organizations: Ascend Canada, BlackNorth Initiative, Canadian Centre for Diversity and Inclusion, and Pride at Work Canada

If you require an accommodation during the recruitment process, please let us know by contacting our confidential inbox HRRecruitment@osc.gov.on.ca.

Visit Accessibility at the OSC to review the OSC’s policies on accessibility and accommodation in the workplace.
