The Senior Security Engineer is responsible for the confidentiality, integrity, and availability of all security systems and network infrastructure owned or operated by National Geographic Society. Information security responsibilities include Firewall/IDS/IPS, VPN, SIEM, antivirus/malware, vulnerability management, encryption, DLP, CASB and cloud security in SaaS/PaaS/IaaS environments. Network engineering responsibilities include “secure by design” configuration and deployment of core and border routers, wired/wireless access for staff, guests, and special events, as well as coordination with network/infrastructure administrators for daily operational management and tier-2 troubleshooting/resolution as needed.
Additional responsibilities include management of technical controls for compliance programs such as PCI-DSS and GDPR including routine environment audits, gap analysis and remediation, process documentation, and submission of completed documents to appropriate regulatory oversight organizations. Participates in supporting network access and authorization infrastructures and services including NAC, SSO, MFA, as well as endpoint device security and user security awareness training. Coordinates activities of managed security providers and cloud-based services, including threat intelligence, social media and brand protection, and incident response.
Works with solutions architects, system administrators, consultants, and vendors to build, configure, test and implement security solutions that meet the enterprise’s business needs and are aligned and consistent with corporate security policies, enterprise IT strategies and plans. This role will take ownership of incident tickets and service requests and work with end-users and IT staff for resolution/fulfillment. Additional responsibilities include working with network, server and application administrators on secure application and workflow design, wireless scanning and rogue access point detection, and testing/hardening existing systems via penetration test exercises. Additionally, the position will participate in on-call support rotations for non-business hours.
Infrastructure Security (30%)
- Administration and engineering of all network security hardware and software including firewalls, intrusion detection/prevention, information/event log management/analysis, antivirus/malware, access control.
- Design, implementation, and management of security configurations at the host, service, storage, and database layers for both on-premise and cloud-based environments, including server/device hardening, configuration file management, encryption, auditing and monitoring.
- Participation in Internet edge security including traffic analysis, DDOS, secure DNS, partnerships with ISP and CDN.
- Participation in security architecture development including network, host, and application stack design as well as secured data flow.
- Participation in system performance analysis, system instrumentation/management, and change management activities.
Vulnerability Management & Incident Response (20%)
- Administration and engineering of vulnerability management programs including scanning, patching/remediation, and penetration testing.
- Participation in user-centric security programs including password cracking, phish testing, and security awareness training.
- Participation in formal and ad-hoc computer emergency response and incident response teams, including tabletop exercises and disaster recovery testing.
Network Engineering & Administration (20%)
- Design and implementation of core routers and Internet routers.
- Design and implementation of access layer configurations including closet switches, wireless networking, and secure network access control for authorized endpoints.
- Tier-2 troubleshooting/resolution and backup network administration of switches/routers/etc as needed.
Endpoint & Applications Security (10%)
- Design, implementation, and management of workstation and mobile security including encryption, security templates/scripts, antivirus/malware, host firewall and intrusion detection/prevention, application control policies, data loss prevention, and remote wipe/anti-theft controls.
- Design, implementation, and management of on-premise and cloud/SaaS application security including application patching and hardening, access control and identity management, security assessments and audits.
Third Party & Remote Access Management (10%)
- Design, implementation, and management of all secure data connections to third parties including network design, encryption, access control, and auditing.
- Participation in designing and delivering secure remote access to employees via VPN, including client/clientless access and multi-factor authentication.
Privacy/Audit/Compliance (10%)
- Engineering and management of encryption programs at both hardware and data layers including hard disk encryption, database/file/message encryption, key management, PKI and SSL/TLS certificate management.
- Management of regulatory compliance programs including PCI-DSS and GDPR.
- Participation in all routine and ad-hoc activities related to system and data integrity.
- Minimum of five years’ experience with network security administration as well as implementation of appropriate data/host-based security layers within a heterogeneous computing environment.
- Minimum of five years’ experience with network engineering and administration of enterprise campus networks including access/core/border layers, wireless, and remote office connectivity.
- Comfortable working in cloud-first / consumerized technology environments and integrating Apple products into enterprise security programs and networks.
- Experience with responding to security breaches and other outages including proactive risk mitigation, incident response, and forensics.
- Background with Linux and open source tools, as well as active security community participation.
- In-depth knowledge/experience with enterprise security systems administration and engineering, particularly with products from Palo Alto Networks, Cisco, and other major vendors.
- Strong experience with securing, configuring, and integrating infrastructure products from Aruba, Brocade/Extreme, VMWare, NetApp, Dell, as well as Amazon Web Services and Google Cloud Platform.
- Strong experience with securing endpoint devices including Windows, Mac OS X, Chrome, iOS, Android as well as IoT.
- Familiarity with cloud-based security tools and service providers including Okta, Cisco Cloudlock, Vera, and Rapid7.
- Ability to function in a dynamic environment subject to changes in schedules and priorities.
- Ability to participate in multiple projects concurrently from inception to completion with limited management supervision. Excellent oral and written communication skills.
- Ability to interact positively and productively with teams across organizational lines.
- Strong customer service, troubleshooting and problem solving a must. ITIL v3 certification and/or experience with IT Service Management a plus.
National Geographic's headquarters is located in the heart of Washington, D.C. In addition to a unique and dynamic work environment, National Geographic offers its employees a comprehensive benefits package, including health and dental benefits, generous vacation and leave time, a 401(k) plan, and flexible work options. National Geographic is an Equal Opportunity Employer