Permanent | London, Paris, Valencia or Munich
As the Head of Infosec you will support the CISO with the management of the Group Security function, including all information systems related to customers, product, factory, compliance, audit, physical, and staff security.
You will be responsible for driving the Group’s enterprise security and risk management vision, strategy and programme to ensure protection of information assets and technologies. You will lead in the creation of an accountable, information security-conscious culture and a system security architecture built on high-quality standards, as well as regular status monitoring and quality reporting activities.
- Consult on, approve and/or validate existing business strategic directions and investment plans as they relate to the protection of systems and data
- Own the complete information security risk management picture, including third parties and service providers, and integrate with the internal control, compliance and risk management functions
- Set strategic direction
- Ensure the privacy and protection of Personally Identifiable Information (PII) of customers and employees
- Manage IT investigations, digital forensics, e-discovery, breach response and reaction plan responsibilities
- Apply Information Risk Management standards in practice using recognised standards (ISO, NIST, etc.)
- Maintain an Information Security Management System (ISMS) designed to ensure comprehensive and documented assurance relevant to the organisation
- Represent the Group as the authority for security and controls to clients and customers, partners, competitors, auditors, regulators and internal stakeholders
- Line manage sub-teams within the Group Security team
- Liaise with brands under Photobox Group to support security and compliance processes
- Support the creation of KPIs for OKR setting
- Ensure recurring processes are documented, recorded and evidenced by the relevant teams/staff
- Present to the SMT/Exec on security-related concerns and developments on a regular basis
- Strong technical knowledge
- Excellent stakeholder management and communication skills with the ability to present and engage at C-Level
- Experience in Strategic consulting
- Significant InfoSec experience working as Lead/Head within a 1000+FTE Enterprise
- Strong knowledge of secure engineering principles
- Calm under pressure
- Significant experience in multiple areas of Technology and Security (wide knowledge set required)
- Applicants must have a valid EU work permit (we will not provide visa sponsorship)
- We do not wish to use recruitment agencies for this role.
Describe a time when you set a positive example that had a significant impact on peers or direct reports.
Describe a time when you motivated others through your commitment to delivering results.
Describe a time when you demonstrated to others the importance of taking accountability for business outcomes.
Describe your involvement with PCI DSS:
- Have you been involved in a PCI DSS certification process?
- What are your views of this standard?
- How does the current version compare with the original versions?
- What is new or interesting in the latest version?
- Where does PCI DSS work?
- Where doesn’t it work?
- What would you do better?
- Should PCI DSS be a company-wide standard for websites that handle customer data?
- Give a brief overview of your experience with ISO standards and what your role has been in their management, audit or implementation
- List 3 benefits of the ISO 27001 series to a business
- Which of the standards currently in development are you most interested in, and why?
Provide details of training that you have delivered recently:
- What was the subject matter?
- How many people did you train?
- How did you prepare for this training? E.g. did you produce materials and handouts? Did you use visual aids?
- If you could do this training session again, what would you do differently?
Describe a time when you had to translate an organisational strategy into concrete deliverables that resulted in positive business outcomes.
Describe a time when your team’s workload was unbalanced. How did you prioritise and delegate the work?
Describe a time where your team was operating independently and more team collaboration was needed. How did you address this and what was the outcome?
By the nature of the business, our servers host our customers’ images and personal information (name, address, email address, etc.).
The following are two possible scenarios:
- Photobox has discovered a data breach that has allowed millions of our customers’ images to be exposed online. These images were not available in the public domain and may contain photographs of children, elderly relatives and residential property
- Photobox has discovered a data breach that has allowed millions of our customers’ names, addresses, passwords and email addresses to be exposed online. There is no credit card or financial information within the data breach
Of these two scenarios, which do you deem to be the more serious, and why?
- Which of the above constitutes PII data?
- Which of the above would you report to the ICO or relevant body?
- Would you contact the customers affected in both scenarios?
A vulnerability was discovered in an image server that allowed users’ images to be downloaded from live servers. It was created by the dev team to help debug problems in production and in the factories. The key questions are:
- Who is using this today?
- Who knows about this?
- Has this vulnerability been exploited?
Bonus points for providing a ‘GDPR implications’ mapping of this vulnerability/incident.
Objective: understand and contain the issue(s) without any pushes to production.
- You can use any technology you want (ideally ones you have experience with) and any Group Security team size
- Describe what you would do and how you would act (ideally in diagram format)
- Who would you talk to?
- What actions would you take to contain and remediate the issue(s)?
Resources and Technologies available:
- Techops, Webops, and Dev teams
- Slack, Jira, Confluence, ELK, Grafana, Nagios, Akamai, AWS, Cisco Firewalls
Describe a time when you had to give constructive feedback to a direct report that was not well received. How did you handle the situation?
Describe the steps you have taken to foster a positive team environment that encouraged your direct reports to do their best.
Describe a time when you transformed a struggling team member into a major contributor.
You have just joined a company and have been given the task of completing risk assessments.
You can use any method or tool to carry these out:
- What would be your preferred tool kit or method?
- What do you need to complete this task? E.g. staff resource, budget, business support
- What is your preferred method of reporting your findings?
Why else should you be interested?
Quite simply, you don’t like standing still. You are passionate about working on different and ambitious projects from Day 1 - otherwise you’d be bored! You thrive on working with people from different nationalities, different cultures and languages. You want to work within a successful and recognised company, but you also want the freedom to bring forward your own solutions and to make your own impact. You want to work somewhere where people really do know each other by name and where they genuinely want to help and challenge each other to learn, be better and more innovative every day. Most importantly, you want to work in a business where spreading joy is the mission and where we all have fun making it happen.
Photobox Group Security mission and principles
Our mission is to secure the magic moments created by our customers, across all our brands. Our operating principles define what we focus on and how we make decisions. We hold ourselves accountable against these principles.
- We are enablers for the organisation, not blockers
- We drive transparency and accountability in risk management
- We minimise vulnerabilities
- We hack ourselves first
- We educate and empower our internal stakeholders and developers
- We contribute to adding financial value
Why join Photobox Group Security?
PhotoBox Group Security is a trusted, high-energy, empowered, and proactive team. If you are looking for a place to make a difference, learn a lot, be part of a highly productive team, and are able to work collaboratively with all parts of the business, this is the place for you.
We have a great culture, with a very horizontal structure. We expect you to be knowledgeable, trustworthy, empowered, friendly, focused and responsible.
How to apply
In order to provide a fair and objective recruitment process, before we invite you for face-to-face interviews, we ask you to submit your answers to theoretical and practical challenges. This helps us to identify your suitability and experience level.
Each challenge should take no longer than 10 - 15 minutes to complete; however, in order to highlight your key skills, you may take longer than the suggested time if you wish.
The challenges above are SOME OF THE CHALLENGES we might ask you to do (we customise these based on your experience and CV).