Senior Security Consultant - Offensive Security

Join our team and what we’ll accomplish together

We live in and work in a rapidly evolving digital world where cyber security is critical. Protecting information and ensuring the reliability of network and services is paramount. The TELUS Health CSO team strives to always be steps ahead, tackling the toughest cyber security challenges head-on with top talent and cutting-edge technology. 

Reporting to the Manager of the Offensive Security team, we are seeking an experienced Senior Security Consultant to join the team, mentor other consultants, and support our Vulnerability Management Program. This work will combine aspects of 3rd party consulting with in-house security advisory, penetration testing, application security, and vulnerability management. You’ll get the opportunity to leverage enterprise grade tools and also develop in house security tooling and integrations. As TELUS Health is comprised of many mergers and acquisitions the goal is thorough security validation at scale across many disparate systems, networks and technology stacks. Not only will you assist in identifying gaps, you’ll also be a key contributor to our remediation efforts. When applicable, you’ll help automate and create new processes to avoid the same issues in the future. 

The TELUS Health CSO team is committed to providing excellence in securing our internal and customers’ data and systems, ensuring world-class reliability of security networks and systems, and improving our overall cyber security posture. We manage our cyber risks and provide industry leading cyber governance, assurance and oversight to secure our data. 

You’ll partner with industry leaders to meet the cyber security needs of both TELUS Health and our customers to meet the demands of an increasingly complex and ever-changing cyber security landscape. We are passionate about learning and growing as individuals and as a team, all of which enables us to thrive in a dynamic environment.

What you’ll do

Please note, we understand that this role does span/merge across many traditional security testing specializations. We welcome security testing specialists and generalists alike for this role, we simply require the willingness to grow and learn. 

• Reinforce TELUS Health's Customers First values in ensuring positive security outcomes for external customers and internal stakeholders 
• Provide deep cyber security technical knowledge and support to business and development operations teams
• Lead projects and client engagements and write reports and prepare presentations, making use of your communication skills to explain technical findings to non-technical crowds 
• Help build the core Vulnerability Management Program working with various data sources and stakeholders from different lines of business. 
• You’ll get the opportunity to design and implement a wide range of testing scenarios that emulate different threat actor sophistications across different assets. A few examples below that will fall within the team: 
  
  • Conduct penetration tests using OSINT, PTES, OSSTMM methodologies
  • Enhance the security data pipeline to streamline vulnerability remediation workflows, including automated vulnerability scanning, risk prioritization, remediation tracking, and metrics reporting to ensure timely resolution of security findings
  • An assumed breach scenario and applying the MITRE ATT&CK framework to assess our ability to detect and respond to a wide range of adversarial TTPs 
  • Application security assessments using OWASP Web/Mobile application Security Testing Guide to verify an application’s security posture related to the associated OWASP (M)ASVS Level 
  • Review 3rd party penetration tests to validate the findings and ensure that the mitigations are properly implemented
  • Set up attacker infrastructure for C2 communications 
  • Contribute to Offensive Security Tactics, Techniques and Procedures and aid the SecOps team with the Incident Response playbook definition 
  • Contribute to our “shift left” application security strategy by automating testing and reporting into the SDLC pipeline 
  • Write clear reports that summarize findings, detail and prioritize remediation strategies 
• Guide and mentor others in offensive security practices

What you bring 

• 5+ years in a combination of vulnerability scanning, penetration testing, red teaming, application (web, mobile) security testing 
• 7 + years of demonstrable technical security and privacy experience in IT and networks, ideally in a professional role or consultative capacity 
• Demonstrate aptitude to automate aspects of our testing process (Python, Powershell, Javascript, Perl, Bash, Ruby, etc.) 
• Flexibility and comfortable with ambiguity, you enjoy working with others to “figure it out” when needed strong interpersonal and influencing skills to build relationships with key stakeholders 
• You’ll have experience working at least a few combinations of the following: 
  
  • MITRE ATT&CK 
  • OWASP ASVS and WSTG 
  • MASVS, MASTG 
  • PTES, OSSTMM 
• Ideally you will possess two or more of the following certifications (or any credible security testing certifications): 
  
  • Penetration Testing 
    
    • CREST CRT, OSCP, OSCE, OSEP, GPEN, eCPT, eCPTX, HTB CPTS, OSWP, PNPT 
  • Red Teaming 
    
    • CRTP, CRTO (1 and/or 2), CRTE 
  • Application Security 
    
    • BurpSuite Certified Practitioner, OSWE, GWAPT, eWPT 
  • Mobile Application Security 
    
    • GMOB, EMAPT 
  • Cloud Security
  • CCSP, CARTP, CAWASP, PACSP 
• Must possess or be able to obtain at least Government of Canada Reliability Status clearance

Great-to-haves

• Previous experience in IT administration or software development 
• Background in exploit development and research 
• Contributions to open-source projects or the security community

Advanced knowledge of English is required because you will most of the time interact in English with external parties (clients, suppliers, candidates, external partners, etc.); interact in English with internal parties (colleagues, internal partners, stakeholders, etc.); and work with IT tools whose interface is only accessible in English as part of this position's main responsibilities given its national scope.