Manager, Cloud DevSecOps Security - TELUS Health Cybersecurity
Edmonton, AB, CA Calgary, AB, CA Toronto, ON, CA Vancouver, British Columbia, CA Victoria, British Columbia, CA
Join our team
We live in and work in a rapidly evolving digital world where cyber security is critical. Protecting information and ensuring the reliability of network and services is paramount. The TELUS Health CSO team strives to always be steps ahead, tackling the toughest cyber security challenges head-on with top talent and cutting-edge technology.
The TELUS Health CSO team is committed to providing excellence in securing our internal and customers’ data and systems, ensuring world-class reliability of security networks and systems, and improving our overall cyber security posture. We manage our cyber risks and provide industry leading cyber governance, assurance and oversight to secure our data globally.
We partner with industry leaders to meet the cyber security needs of both TELUS Health and our customers to meet the demands of an increasingly complex and ever-changing cyber security landscape. We are passionate about learning and growing as individuals and as a team, all of which enables us to thrive in a dynamic, fast-paced environment.
Here's the impact you'll make and what we’ll accomplish together
Do you enjoy working on high-scale, complex, and high visibility projects and programs? If yes, consider the following opportunity:
You’ll join the TELUS Health CSO team as a Manager, Cloud & DevSecOps Security. This role is responsible for defining and integrating security into all aspects of product development and cloud adoption and operation. You will be responsible for evangelising, educating, designing and integrating security across products within a hybrid multi-cloud (AWS, Azure, GCP) environment spanning traditional and agile product development practices. This role will establish a team of experts that interfaces across CSO, technology and product teams to define and integrate security into product teams and cloud enablement.
This role will establish a central team of expert practitioners able to work across cloud and application security domains, with the objective of integrating security directly into existing pipelines and practices. Given the number and diversity of product teams, this team will depend heavily upon the fostering of security expertise within product teams (security champions) that this team will lead and organise.
Your role will be critical to ensure TELUS Health is able to safely adopt and exploit the opportunities provided by cloud services and agile product development. You will need to ensure the right balance of centrally mandated CSO controls and policies, with controls integrated into local pipelines and practices, ensuring an effective level of visibility, governance, prevention, detection, response and recovery is in place to manage cyber risk and meet our client and regulatory obligations.
What you'll do
This role is a people leader position tasked with the establishment of a function consisting of experienced security practitioners who will drive security engineering within multiple teams across TELUS Health. The focus of the team is on securing modern digital practices across:
Cloud security - The integration of security into cloud operations
DevSecOps - The integration of security into product development and operation.
Common tasks:
Define, recruit and onboard expert resources as required to deliver the cloud & devsecops practice.
Collaborate across the CSO team including security architecture, security operations, offensive security and security assurance to define operating models, tooling and processes.
Work as an extended part of cloud/product teams to understand their processes, requirements and technologies to integrate security into the operation and management of environments. services and product development.
Establish key security “champions” in each cloud/product team and maintain a community of individuals supported with training and education to deliver sustainable improvements across a large number of teams.
Maintain in-depth and current knowledge of cloud and application security capabilities and make sound judgements on the mix of central vs federated security controls.
Monitor progress, manage risk, and communicate with key stakeholders on progress and expected outcomes, and propose and take corrective action as appropriate.
Identify areas to implement continuous improvement of security and operational functions to support Information Security.
Cloud Security:
Apply security into the cloud control plane spanning IaaS, PaaS and SaaS services, ensuring our cloud exposure and posture is visible, under governance and a secure baseline is in place.
Define and deliver security capabilities into the data plane, ensuring our workloads, containers, serverless and use of cloud services has the preventative, detective and response capabilities need in order to prevent, detect and respond to cyber attacks effectively.
Extend CSO services through appropriate integration into cloud environments, ensuring a full view of vulnerabilities spanning cloud configuration to workload vulnerabilities exists, and ensuring monitoring, triage and incident response activities encompass products operating in the cloud.
Deliver reporting, assessments and metrics of cloud security posture, ensuring appropriate prioritisation of exposures by risk and threat.
Ensure cloud teams have the right level of security expertise to operate their aspects of the security operating model.
Define and implement tooling to support secure operation of the cloud including validation of InfrastructureAsCode, container security, API security, serverless security, secrets management, CWPP, CSPM etc.
Define repeatable patterns for cloud design and integrate these into cloud and product teams such as VPC design, Internet access and identity integration to deliver consistent security across standardised models.
Work with the SecOps team to define response playbooks for cloud incidents, and seek out automation for common events to ensure sustainable T1/T2 operation.
Work with the SecOps team to define the runbooks for cloud security tooling operated by the CSO team, ensuring sustainable security operation in the cloud.
DevSecOps:
Work across product teams to integrate security into the SDLC / CICD pipeline through consideration of security at each step. Extension of security into the design, developer environment (IDE), software composition analysis. static assessment and dynamic assessment as part of the local CICD pipeline.
Drive consistency of control and solution across the tooling applied within each product team. Whilst a single solution will not always be desirable, seek out consolidation where possible and ensure all solutions have consistent levels of security.
Identify, justify and promote the use of shared security services or patterns (e.g. Web Application Firewalls) that can deliver consistent security protection without impeding local product agility or effectiveness.
Ensure product development teams have the right level of security expertise to operate their aspects of the security operating model.
Work with the SecOps team to define response playbooks for application security incidents, and seek out automation for common events to ensure sustainable T1/T2 operation.
Work with the SecOps team to define the runbooks for application security tooling operated by the CSO team, ensuring sustainable security operation across TH’s portfolio of applications.
What you bring
University degree or equivalent industry experience.
Strong communication, presentation, and relationship skills, especially the ability to articulate technical topics.
Knowledge of security and industry standards (e.g., ISO, NIST, ITIL, etc).
CISSP, CCSP, CRISC or similar cloud certification are preferred.
Experience of building a team of experts, establishing a successful charter and influencing/collaborating across a wide range of federated parties.
Extensive cloud security experience with appropriate certification spanning GCP and either AWS or Azure.
Experience working on enterprise cloud services deployments (SaaS, PaaS, IaaS) and understand security challenges involved in cloud migration, adoption and operation.
Experience deploying and migrating to/from private cloud environments
Experience with virtual machine management, container orchestration, API management and secure use of serverless technologies
Knowledge of application security, software development with security concepts and integration into the development pipelines.
Experience across SCA, SAST and DAST
Integration experience across pipelines and orchestration tools such as Jenkins, source repositories (e.g. GitHub, bitBucket etc), Integrated Development Environments, and testing tools.
Experienced with agile delivery teams and environment.
Experienced working in a DevOps / SRE operation
Experience with application security capabilities including Web Application Firewalls, DDoS mitigation, Bot prevention, and associated threat management controls.
Familiarity with pipelines, automation and scripting.
Performed threat modeling and design reviews assessing security implications and requirements introducing new technologies.
Performed security design/architecture reviews, code reviews, and penetration tests of large applications, systems and/or networks.
Nice to haves
Professional security certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and others.
Industry-recognized certifications would be an asset. (i.e., OCSP, GICSP, CISSP, CISM, and CISA).
Experience within a regulated business environment
An insatiable appetite for modern and emerging technologies and tools
#Li-remote