Cyber Security Risk / Quantitative Risk Modelling Expert / Threat Modeler Expert

Atos

Job Details

Location: Krakow, Lesser Poland Voivodeship, Poland; Wroclaw, Wrocław, Lower Silesian Voivodeship, Poland

Posted: Nov 14, 2019

Job Description

About Atos

Atos is a global leader in digital transformation with over 110,000 employees in 73 countries and annual revenue of over € 11 billion. European number one in Cloud, Cybersecurity and High-Performance Computing, the Group provides end-to-end Orchestrated Hybrid Cloud, Big Data, Business Applications and Digital Workplace solutions. The group is the Worldwide Information Technology Partner for the Olympic & Paralympic Games and operates under the brands Atos, Atos Syntel, and Unify. Atos is a SE (Societas Europaea), listed on the CAC40 Paris stock index.

The purpose of Atos is to help design the future of the information technology space. Its expertise and services support the development of knowledge, education as well as multicultural and pluralistic approaches to research that contribute to scientific and technological excellence. Across the world, the group enables its customers, employees and collaborators, and members of societies at large to live, work and develop sustainably and confidently in the information technology space.

Your role in Atos - Job Description

The Cyber Security Risk Expert / Quantitative Risk Modelling Expert / Threat Modeler Expert is a strongly analytical, business-oriented and, to some extent, technical position. It supports on-site or remote information security and cybersecurity risk assessments and risk or threat modelling exercises, depending on the scope of work defined by the customer. You may also provide analytical support for technical audits that include penetration testing of the customer's on-premise or cloud network or infrastructure environment, so that findings are presented not only as vulnerabilities (weaknesses) but also as risks with a measured impact on the company's objectives (if the customer requires it). As Cyber Security Risk Expert you will work alone or with the Atos or customer CISO, CIO, COO or other stakeholders, including top management, to properly analyze cyber security risk to the customer's company, engaging its cybersecurity risk teams, audit or penetration testers, IT&N architects, development teams, security incident response and security monitoring teams, cyber threat intelligence teams, threat modeling team, cyber security technology teams, and selected roles (such as the risk leader for a given business line). You may also assist the rest of the team in building strong, collaborative partnerships with internal key risk partners and, as required, external risk quantification industry partners.

One of the preferred methodologies, of which you should have practical knowledge, is Factor Analysis of Information Risk (FAIR). As an analyst (individual contributor) you will assist in the development and execution of FAIR-based risk quantification in the customer's risk organization in one or more of the following areas: Scenario/Data/Model Development, Internal Engagement Leadership, or Analysis Execution.

This role will require a combination of facilitation, analysis, technical, information security, and business skills, and candidates will be expected to contribute risk quantification and risk management thought leadership to the customer's risk team. Preference will be given to candidates who either have deep experience in the business of Banking, Insurance, Public and Health, Manufacturing, extensive red team skills and who wish to model risk, or who have a strong background in applied risk measurement and metrics theory.

You are a member of an ambitious international team that works in a strategic growth area for the best organizations in the sectors of Financial Services; Manufacturing, Retail & Transport; Public & Health; Telecommunication, Media and Utilities. Together you will distinguish yourselves through commitment and auditing and recommendation quality. As a member of a global team you operate independently or in collaboration with other entities and regions within Consulting or Atos itself. You will work on both large and smaller dedicated risk assessments, or support the network and infrastructure domain of security audit and compliance projects regarding ISO 27001, NIST, NIS Directive, ISF, OWASP, PCI-DSS, PTES and other industry-standard-specific audits, based on your IT technical knowledge. This is to show the customer that compliance is the first step on the way to bringing value from the respective risk analysis.

Exemplary key responsibilities (dependent on the project scope) may be:

  • Providing comprehensive cyber security risk assessment and reporting services to customers, sometimes as part of pre-audit, or aligned with cyber security risk assessment maturity level at customer’s organization,
  • Assessment and mitigation of cyber security threats/risks; validation of system security requirements definition and analysis; elaboration of application security documentation; assistance with the implementation of security procedures; verification of information system security requirements; performing information system certification and accreditation; planning, testing, assessing and liaison activities. Reviewing security architectural documentation standards. Ability to apply information assurance / cyber security standards, directives, guidance and policies to an architectural/risk-based framework. Providing architectural / risk-based analysis of information assurance / cyber security features and relating the existing system to future needs, trends and requirements.
  • With regard to FAIR methodology:
    • Formulation, execution and management of standardized and custom FAIR risk quantification analyses, Enterprise risk quantification requirements identification and management,
    • Development, application and maintenance of FAIR-based models, standard analysis scenarios and risk quantification tools/techniques
    • Formulation, execution and management of risk quantification data strategies and associated technical platform development
    • Identifying vulnerabilities in applications and infrastructure and translating them into risks to customer’s business
  • Elaborating or implementing quantitative cyber security risk assessment methodologies other than FAIR, or customer-specific ones, in the customer's risk organization unit, including vendor cyber security risk assessment and the whole cyber risk management documentation, such as cyber risk policy, methodology or procedures supported with respective tools.
  • Providing advisory or risk opinion on risk identification and treatment
  • Work based on international standards, using state-of-the-art tools such as Vose Software, FAIR, the AIE approach, etc.
  • Identification of internal and external primary/secondary loss, threat event and susceptibility data/information
  • Formulation of the bid, execution and management of a dedicated risk quantification engagement
  • Facilitation of risk quantification meetings and working group sessions both for Atos and customer’s teams

What Are We Looking For / Essential skills and competencies:

  • Master's degree in Computer Science, Engineering, Risk assessment, Insurance, or related field or equivalent work experience.
  • More than 5 years’ experience in significant risk quantification and/or risk management projects with proven ability to effectively apply risk assessment in business context, especially in cybersecurity investment decisions or cyber insurance decisions of customers,
  • Familiarity with/experience using FAIR Institute, Operational Risk/Operational Loss/LOB experience at a Financial Institution, Application Information Economics (AIE), OWASP, NIST, OCTAVE, PCI DSS Risk Assessment Guidelines
  • Penetration Testing/Hunting Team experience
  • Threat Modeling and/or Rapid Threat Assessment development experience
  • Prior audit and/or compliance experience
  • Holder of one of the following certificates: FAIR, AIE Analyst level 1/2, RIMAP, CISSP, CRISC, CISA, CRMA, CGEIT, CISM, ISO 27001, CISRA (Certified Information Security Risk Assessor), CPISI (Certified Payment Card Industry Security Implementer) certification or equivalent.
  • Practical knowledge of ModelRisk, Tamara, @Risk, FAIR or other quantitative risk assessment software,
  • Strong subject matter expertise in risk quantification, management, governance and development of risk limits, risk models
  • Big picture/strategic and conceptual thinker with ability to connect the dots while also consistently executing at the tactical level with speed and accuracy,
  • High level critical thinking/analytical skills, capability of analyzing, simplifying and expressing complex problems; ability to synthesize disparate information in order to provide strategic and tactical insights, solutions or recommendations
  • Strong and demonstrated facilitation, collaboration and relationship-building experience
  • Information Security & Technology professional with extensive information security expertise
  • Excellent customer service and communication (oral / written) skills required.
  • Must be able to work independently or with a team, under minimum supervision, reporting to Project Manager of given assignment or Line Manager.
  • Fluent English is a must, Intermediate or Fluent German or French is a great plus
  • International mobility to serve and work with our global clients (50-100%) in Europe or on other continents. You accept readiness to travel up to 80-100%, on average 60%; there are also remote projects, depending on the assignment, mainly in Europe, but other continents are also possible.
  • EU work permit is a must, US visa is a plus
  • UK Security Clearance or UK citizenship – is a big plus
  • Location - anywhere in Poland close to an international airport.

We take care of your personal data privacy. You can find more information about the processing of your personal data within the recruitment process on our website: https://atos.net/pl/polska/gdpr.

About Atos

Atos provides consulting services and solutions, ranging from supporting strategy development to enterprise solutions and technology.
