Threat Modeling Associate - SMBC
New York, NY 10172
About the Job
SMBC Group is a top-tier global financial group. Headquartered in Tokyo and with a 400-year history, SMBC Group offers a diverse range of financial services, including banking, leasing, securities, credit cards, and consumer finance. The Group has more than 130 offices and 80,000 employees worldwide in nearly 40 countries. Sumitomo Mitsui Financial Group, Inc. (SMFG) is the holding company of SMBC Group, which is one of the three largest banking groups in Japan. SMFG’s shares trade on the Tokyo, Nagoya, and New York (NYSE: SMFG) stock exchanges.
In the Americas, SMBC Group has a presence in the US, Canada, Mexico, Brazil, Chile, Colombia, and Peru. Backed by the capital strength of SMBC Group and the value of its relationships in Asia, the Group offers a range of commercial and investment banking services to its corporate, institutional, and municipal clients. It connects a diverse client base to local markets and the organization’s extensive global network. The Group’s operating companies in the Americas include Sumitomo Mitsui Banking Corp. (SMBC), SMBC Nikko Securities America, Inc., SMBC Capital Markets, Inc., SMBC MANUBANK, JRI America, Inc., SMBC Leasing and Finance, Inc., Banco Sumitomo Mitsui Brasileiro S.A., and Sumitomo Mitsui Finance and Leasing Co., Ltd.
The anticipated salary range for this role is between $97,000.00 and $154,000.00. The specific salary offered to an applicant will be based on their individual qualifications, experiences, and an analysis of the current compensation paid in their geography and the market for similar roles at the time of hire. The role may also be eligible for an annual discretionary incentive award. In addition to cash compensation, SMBC offers a competitive portfolio of benefits to its employees.
Role Description
Reporting to the VP Cyber Resilience, this role resides in the Cyber Resilience (COR) team within the SMBC Americas Division Information Security Office. CR’s mission is to support affiliate companies managing activities related to Cyber Resilience in accordance with applicable regulations, firm policies, and industry best practices for Information Security and Operational Resilience.
The Threat Modeling Architect Associate will execute day-to-day activities core to the Threat Modeling program, creating a visual representation of assets, controls, threat agents, trust zones, attack paths, and a list of potential attacks a threat agent may perform as well as related reporting documents and issue management. Additionally, responsibilities include supporting other information technology, data management, cybersecurity, and operational resilience activities across businesses.
Role Objectives
The ideal candidate will be familiar with audit and assessment techniques as well as disciplines such as Architecture and the Software Development Lifecycle (SDLC). Familiarity with Red Team activities such as penetration testing, vulnerability scanning, vulnerability remediation, cloud environments and enterprise systems and software a plus.
Responsibilities
• Executes on enterprise Threat Modeling Assessment program.
• Perform threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.
• Builds Threat Models of enterprise services to identify and refine the attack surface. Performs threat modeling on important business services (IBS) and crisis systems to achieve Operational Resilience objectives. Performs threat modeling with software development lifecycle (SDLC) and in partnership with technology development and security teams.
• Implement, use and maintain threat modeling technology applications and evidence created in the threat modeling process.
• Acts as a Cyber Resilience champion of the Threat Modeling Assessment program.
• Participate in SDLC process and architecture approval routines related to cyber threat modeling.
• Creates and delivers reports that capture identified risks, controls, assets, trust zones and enhancement requirements.
• Partners with stakeholders on Threat Modeling Assessment Issues to create action plans identified during fieldwork.
• Ability to concurrently perform multiple Threat Modeling engagements.
• Determines alignment of Cyber Resilience controls in practice with those from authoritative sources such as NIST SP 800-53 and ISO 27002 to provide holistic insight into current capabilities and risk themes as well as best practices.
• Develops a deep knowledge of SMBC critical services and dependencies on technology, people, processes and third parties.
• Understands the impact of cyber risks as it relates to both firm and industry wide impacts to technical and security dependencies and single points of failure to enhance mitigation activities.
• Educates and provides subject matter expertise to support the business on cyber hygiene activities and enhancements based on business related impacts.
Qualifications and Skills
• Deep understanding of enterprise architecture and security architectural elements as they relate to risks and controls. Ability to accurately capture and enhance architectural diagrams.
• Well-versed in Cyber Resilience to include technology, incident response and cyber risk practices with the ability to connect and align with the firm’s processes and frameworks.
• 5+ years of direct work experience within the financial services industry with elements of security architecture and cyber threats.
• Working knowledge of business and cyber risk management process and controls, industry practices, and frameworks (e.g., NIST 800-53, ISO 27000 family).
• Broad knowledge of cloud technologies (Related certifications a plus).
• Detail oriented, with proven ability to question the status quo and apply resilience activities to enhance capabilities, as appropriate.
• Strong organizational skills, with proven ability to successfully manage multiple, concurrent priorities and team members as the program is built out.
• Ability to communicate and work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important at all levels.
• Strong analytical skills and attention to detail.
• Able to communicate technical issues to a non-technical executive audience.
• Foundational knowledge of banking laws and regulations. (FFIEC, BCBS, FCA, PRA, BoE, etc.)
• Maintain a business cyber threat mindset to understand underlying risks and weaknesses to properly assist in mitigation and enhancement activities.
• Strong desire to continually deliver a quality and meaningful work product in a timely and efficient manner.
• BA/BS in Computer Engineering, Computer Science, Information Systems, Cyber Security, Business Administration, or demonstrated relevant industry background and/or military experience.
• CCSP Certified Cloud Security Professional (CCSP), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Microsoft Certified: Cybersecurity Architect Expert (MS SC-100 Exam), Certified Network Defense Architect (CNDA), CREST Registered Technical Security Architect (CRTSA), Global Information Assurance Certifications Defensible Security Architect (GDSA from GIAC) certifications preferred.
Additional Requirements
SMBC’s employees participate in a hybrid workforce model that provides employees with an opportunity to work from home, as well as, from an SMBC office. SMBC requires that employees live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during their interview process.
We are an equal employment opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, national origin, disability status, protected veteran status or any other characteristic protected by law. SMBC provides reasonable accommodations for employees and applicants with disabilities consistent with applicable law. If you need a reasonable accommodation during the application process, please let us know at accommodations@smbcgroup.com.