Head of InfoSec

Contract Type Location Apply
Permanent London, Paris, Valencia or Munich here
The Role

As the Head of Infosec you will support the CISO with the management of the Group Security function, including all information systems related to customers, product, factory, compliance, audit, physical, and staff security.

You will be responsible for driving the Group’s enterprise security and risk management vision, strategy and programme to ensure protection of information assets and technologies. You will lead in the creation of an accountable, information security-conscious culture and a system security architecture built on high-quality standards, as well as regular status monitoring and quality reporting activities.

What will you do?
  • Consult, approve and/or validate existing business strategic directions and investment plans as they relate to the protection of systems and data
  • Get the big information security risk management picture including third parties, service providers, and integrating with internal control, compliance, and risk management functions
  • Setting strategic direction
  • Ensuring the privacy and protection of Personally Identifiable Information (PII) of customers and employees
  • Management of IT investigations, digital forensics, e-discovery, breach response, and reaction plan responsibilities
  • Information Risk Management standards and practical application using recognised standards (ISO, NIST, etc.)
  • Information Security Management System (ISMS) designed to ensure comprehensive and documented assurance relevant to the organisation
  • Represent the Group as the authority for security and controls to clients and customers, partners, competitors, auditors, regulators and internal stakeholders
  • Line management of sub-teams within the group security team
  • Liaise with brands under Photobox Group to support security and compliance processes
  • Support the creation of KPIs for OKR setting
  • Ensure recurring processes are documented, recorded, and evidenced by relevant teams/staff
  • Present to SMT/Exec on security-related concerns/developments on a regular basis
Who are you?
  • Strong technical knowledge
  • Excellent stakeholder management and communication skills with the ability to present and engage at C-Level
  • Experience in Strategic consulting
  • Significant InfoSec experience working as Lead/Head within a 1000+FTE Enterprise
  • Strong knowledge of secure engineering principles
  • Calm under pressure
Tech Stack
  • Significant experience in multiple areas of Technology and Security (wide knowledge set required)
  • Applicants must have a valid EU work permit (we will not provide visa sponsorship)
  • We do not wish to use recruitment agencies for this role.

Challenges (required)

#1: Role Model
MA-RM-01
Describe a time when you set a positive example that had a significant impact on peers or direct reports.
MA-RM-02
Describe a time when you motivated others through your commitment to delivering results.
MA-RM-03
Describe a time when you demonstrated to others the importance of taking accountability for business outcomes.
#2: PCI DSS

Define your involvement with PCI/DSS;

  • Have you been involved in a PCI/DSS certification process
  • What are your views of this standard?
    • Current version vs original versions
    • What is new/interesting in the latest version?
  • Where does PCI/DSS work?
    • Where doesn’t it work?
    • What would you do better?
  • Should PCI/DSS be a company wide standard for websites that handle customer data?
#3: ISO Standards
  • Give a brief overview of your experiences with ISO standards and what your role has been in the management, audit or implimentation of this
  • List 3 benefits of the ISO 27001 series to a business
  • which of the standards that are currently in development are you most interested in and why?
#4: Training - Creation and Delivery

Provide details of training that you have delivered recently

  • what was the subject matter?
  • how many people did you train?
  • how did you prepare for this training? i.e. did you produce materials and handouts? Did you use visual aids? etc.
  • If you could do this training session again, what would you do differently?
#5: Programming Experience

How much programming experience do you have?

  • What languages can you program in?
  • What is your favorite language and why?
  • How do you use those skills in real-work (business) situations
#6: Vulnerabilities Discovered

What kind of vulnerabilities have you discovered in real-word applications?

  • How did you find them?
  • How did you report them?
  • Did you write tests/PoCs that the developers could use to replicate the issue?
  • Did you received a bug-bounty payment for them?

Challenges (optional)

#1: Deliver Results Through Teamwork
MA-DR-01
Describe a time when you had to translate an organisational strategy into concrete deliverables that resulted in positive business outcomes.
MA-DR-02
Describe a time when your team’s workload was unbalanced. How did you prioritise and delegate the work?
MA-DR-03
Describe a time where your team was operating independently and more team collaboration was needed. How did you address this and what was the outcome?
#2: PII Data Breach

By the nature of the business, our servers host our customers images and personal information i.e. name, address, email address, etc.

The following are two possible scenarios:

  • Photobox has discovered a data breach that has allowed millions of our customers images to be exposed online. These images were not available in the public domain and may contain photographs of children, elderly relatives and residential property
  • Photobox has discovered a data breach that has allowed millions of our customers name, address, password and email address to be exposed online. There is no credit card or financial information within the data breach

Of these two scenarios, which do you deem to be the most serious and why?

Key Questions

  • Which of the above constitutes PII data?
  • Which of the above would you report to the ICO or relevant body?
  • Would you contact the customers affected in both scenarios?
#3: Risk Rating

How would you define a system for risk rating?

Have you used one in the past?

  • What worked
  • what didn’t work?
  • How did that solution scale?
#4: Image Download

A vulnerability was discovered in an image server that allowed the download of users’ images from live servers. This was created by the dev team to help debug problems in production and factories. The key questions are:

  • Who is using this today?
  • Who knows about this?
  • Has this vulnerability been exploited?

Bonus points for providing ‘GDPR implications’ mapping of this vulnerability/incident

Objective: Understand and contain issue(s) without any pushes to production

  • You can use any technology you want (ideally ones you have experience with) and any Group Security team size
  • Describe what you would do and how you would act (ideally in diagram format)
  • Who would you talk to?
  • What actions would you take to contain and remediate the issue(s)?

Resources and Technologies available:

  • Techops, Webops, and Dev teams
  • Slack, Jira, Confluence, ELK, Grafana, Nagios, Akamai, AWS, Cisco Firewalls
#5: Open Source vs Proprietary Software

Write a business, technical and moral case:

  • for open source vs proprietary software
  • for proprietary software vs open source
#6: Develop and Attract Talent
MA-TA-01
Describe a time when you had to give constructive feedback to a direct report that was not well received. How did you handle the situation?
MA-TA-02
Describe the steps you have taken to foster a positive team environment that encouraged your direct reports to do their best.
MA-TA-03
Describe a time when you transformed a struggling team member into a major contributor.
#7: Risk Assessment

You have just joined a company and have been given the task of completing risk assessments.

You can use any method or tool to carry these out:

  • What would be your preferred tool kit or method?
  • What do you need to complete this task? i.e. staff resource, budget, business support
  • What is your preferred method of reporting your findings?
#8: Risk Dashboard

Create a Risk Dashboard for the CEO with information they will find useful.

Why else should you be interested?

Quite simply, you don’t like standing still. You are passionate about working on different and ambitious projects from Day 1 - otherwise you’d be bored! You thrive on working with people from different nationalities, different cultures and languages. You want to work within a successful and recognised company, but you also want the freedom to bring forward your own solutions and to make your own impact. You want to work somewhere where people really do know each other by name and where they genuinely want to help and challenge each other to learn, be better and more innovative every day. Most importantly, you want to work in a business where spreading joy is the mission and where we all have fun making it happen.

Photobox Group Security mission and principles

Our mission is to secure the magic moments created by our customers, across all our brands. Our operating principles define what we focus on and how we make decisions. We hold ourselves accountable against these principles.

  1. We are enablers for the organisation, not blockers
  2. We drive transparency and accountability in risk management
  3. We minimise vulnerabilities
  4. We hack ourselves first
  5. We educate and empower our internal stakeholders and developers
  6. We contribute to adding financial value

Why join Photobox Group Security?

PhotoBox Group Security is a trusted, high-energy, empowered, and proactive team. If you are looking for a place to make a difference, learn a lot, be part of a highly productive team, and are able to work collaboratively with all parts of the business, this is the place for you.

We have a great culture, with a very horizonal structure. We expect you to be knowledgeable, trustworthy, empowered, friendly, focused, and responsible.

How to apply

In order to provide a fair and objective recruitment process, before we invite you for face-to-face interviews, we ask you to submit your answers to theoretical and practical challenges. This helps us to identify your suitability and experience level.

Each challenge should take no longer than 10 - 15 minutes to complete, however, in order to highlight your key skills, you may take longer than the suggested time if you wish.

Please see below SOME OF THE CHALLENGES we might ask you to do (we customise these based on your experience and CV)

About us

Photobox Group is Europe’s leading digital consumer service for personalised products and gifts and parent of the Photobox, Moonpig, Hofmann and posterXXL brands.

Creative Commons License

© 2018, Photobox Group Security. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Contact

Photobox Group Security
Unit 7, Metal Box Factory
30 Great Guildford Street
London
SE1 0HS
England