Security Engineer

London
Production
Full-time
R3 is a financial innovation firm that leads a consortium partnership with over 100 of the world’s leading financial institutions. We work together to design and deliver advanced distributed ledger technologies to the global financial markets.

R3 has employees based in over 11 (and counting!) countries across the globe, with our headquarters in London, alongside office locations in New York City and Singapore. Our vibrant and centrally located offices are filled with collaborative spaces, healthy (and some not so healthy!) snacks and state of the art work spaces and equipment.
The infrastructre security engineer is responsible for the design and implementation of technical controls to support R3's information security management system. Reporting to the information security manager, and part of a small team of information security specialists, you will ensure that the technical control environment supporting R3's twin missions of enterprise software vendor and operator of the Corda Network is appropriately designed, built and operated to address the information risks faced by R3. In particular you will be helping to develop the control environment for  the Corda Network, a publicly-available internet of Corda enterprise blockchain nodes. This is an exciting role, and not for the faint hearted. You'll be working to help define the control environment for a new technology stack and provide assurance for some demanding customers.
You'll have a technical security background in a financial, telecoms or critical infrastructure service provider, or maybe an enterprise-scale end-user security department. You'll be used to working in environments with comprehensive security control environments, but have the insight to bring a risk-based approach to a fast-moving company with a start-up culture. This is an opportunity to help "write the book" on building a the technical security controls to support enterprise blockchain deployments. If this sounds like you, read on. 

Responsibilities (the security engineer will .... )

    • Participate in risk management and threat modelling activities. The infrastructure security engineer will recommend and implement appropriate technical controls for R3 and the Corda Network as a result of these activities.
    • Carry regular vulnerability scanning of R3 infrastructure, perform more detailed vulnerability assessments as required and assist in the commissioning and support of external penetration testing and red team type activities where required.
    • As part of the wider security team, design and implement standardised preventative and detective technical security controls for R3's cloud and on premises infrastructure, including conformance to operating system and cloud environment benchmarks, network security controls and consistent logging and alerting. These controls will be integrated into the wider R3 security control environment and will be the foundation for R3's security operating capability.
    • Work with the wider security team to prepare for and undergo external service auditor assessments of the security control environments which you help to develop. R3 anticipates undergoing a SOC 2 assessment within a year. 

Qualifications (the must haves ....)

    • First and foremost, we want you to love what you do. You'll need to be a security evangelist within R3 and the community of Corda Network participants, both current and future.
    • You'll have five or more years’ experience in a information security role, with at least three of those in an engineering role. We'd love to see evidence of other experience too, you might have been a developer, network operations person, pen tester or researcher in a previous life.
    • We believe that we work better as a team, and hope you share that belief. You'll be working in a diverse group of people with a variety of skills and backgrounds, a high level of emotional intelligence will be assumed.
    • You'll need excellent communication skills, both verbal and written. You'll be happy explaining the control environment that you have helped to develop to R3's clients or service auditors. As one of the first full-time infrastructure security engineers at R3, you will also be expected to train those who follow in the controls that you have implemented.
    • R3's control environment is risk-driven. You'll have participated in threat modelling and risk analysis and assessment activities in previous roles. You'll be participating in these activities at R3 and recommending and implementing appropriate controls as a result of these. As such, you're going to need a pragmatic approach to the assessment and prioritisation of risk.
    • You will have relevant experience of developing and technical security controls in mission critical service delivery environments. Financial services experience would be ideal, but experience in other areas such as telecoms or other critical infrastructure may also be a good fit.
    • You'll need experience in working in both Microsoft Azure (or alternative public cloud) and on premises deployments. You'll understand the appropriate network security controls available in each environment an be able to specify and deploy those solutions as needed.
    • You'll have extensive Linux experience. You'll be developing and implementing secure benchmarks for our operating platform. You'll be familiar with implementing repeatable builds to these benchmarks. Experience with the CIS level 1 and 2 benchmarks (or the ability to explain your own OS and application hardening techniques) for Linux, and automating deployment on Azure is essential. You'll need to have been deploying infrastructure as code in your previous role. We use Terraform and Ansible for this. We'd love it if you had direct experience of these, but we're still interested if you've used other configuration management tools.
    • You'll need a thorough, whole-stack understanding of internet networking, and the tools an attacker would use. You should be happy messing with all kinds of internet protocols. We don't expect you to be developing new exploits for Corda (our enterprise software offering), but if you have any to hand, we'd be very interested to hear about them.
    • Hands on experience of vulnerability assessment tools from Tenable, Qualys or Rapid 7.
    • You'll need to be able to automate things. Working knowledge of at least one contemporary scripting language is essential.
    • Corda is written in Kotlin. You'll need a working knowledge of Kotlin or Java to get by. 
    • You will have an appreciation of the variety of technical products available to R3 including endpoint security, identity and access management, network security controls (firewalls, VPN), intrusion detection and security event management/log analysis tools.

Qualifications (the nice to haves...)

    • Relevant professional qualifications would be great. We have ISACA and ISC2 members already, so we'll obviously look favourably on professional certifications, so long as they're relevant and not vendor specific (you'll need to explain why they're relevant). We'd love an OSCP on board, but SANS GIAC certifications are also good. You'll need to demonstrate that any certifications you claim are valid and current (we will check).
    • It would be great if you've worked in an ISO 27001 certified organisation or one that has been subject to SOC 2 assessment.
    • Understanding of public key infrastructure would be very useful. We'd be particularly interested to hear from people who've worked in internal PKI teams or for commercial CAs. 
    • Experience with the management and protection of cryptographic key material, including the deployment, and operation of on-premises HSMs would be a plus.
    • An engineering or science degree would be great, but appropriate career experience is just as important. Be prepared to tell us all about that experience.
 
Benefits:
       Vibrant, centrally located offices (with snacks provided)
       Private Medical & Dental
       Retirement scheme & life insurance
       Enhanced parental leave & family friendly policies
       Competitive vacation allowance
       Working from home & flexible working (as needed and agreed)
       A competitive salary that reflects your experience and merit
       Discretionary Equity Based Incentive Plan
       Discretionary bonus (or commission based incentive plan)
       Employee Referral Program
 
Our Values:
Our values are our DNA.  They define what we stand for and guide how we work together internally and with our customers, partners, and shareholders.
Customers First
The success of our customers is paramount. We build strong relationships and strive to create the best possible experience for them.
Collaborative
We bring together all parts of the ecosystem and give our customers the tools and environment to work together to change their industries. 
Bold
We have the agility of a small company, but the confidence and ambition of the industry-defining titan we aspire to become.
Ownership
We demand excellence and take pride in our products and services.