This is a key, Manager-level, position for Burberry’s IT team, and the *** Security hire specifically for the China region.
The key duties of this role are:
To provide SME input to support the secure delivery of projects in China (embed security requirements, manage risks, and enable security by design), lead strategic security initiatives within the region for continuous security benefit, and be the responsible person for coordinating internal assessments and ensuring the delivery of related improvements to support Chinese regulatory/compliance efforts, e.g. CBDT and MLPS. This role is based locally within our China offices (Shanghai) to represent the Global Security team for the region, and we require someone who understands local technologies and their associated security challenges and can improve communication between the local and global teams.
This role will be the initial security point of contact for China-related work within Burberry’s Customer and Digital tower (including ecommerce platforms, social media, digital campaigns etc), although the role is expected to expand to cover all China-related work across the broader business following a risk based approach.
Given the rapid development of Burberry applications and the need to balance localisation requirements within China, this role focuses strongly on partnering with the local team while reporting to the central Security team.
The ideal candidate will have experience in penetration testing and security architecture, be able to think outside the box when evaluating solutions, and communicate clearly both locally and into central teams.
KEY RESPONSIBILITIES
Secure Delivery
Liaise with project stakeholders as an Information Security SME throughout the project lifecycle, and confidently communicate requirements.
Embed security as a product quality factor in Digital product development, making security requirements visible on product backlogs.
Perform security risk assessments and threat modelling against new solutions to determine security control requirements and priorities.
Track and report on security requirements throughout the project lifecycle, performing controls validation assessments where necessary.
Develop security patterns/artefacts to support consistent security input to projects.
Identify and document any residual risks and engage with the Information Security Risk team to ensure these are tracked and managed.
Regulatory/Compliance Support
Coordinating internal assessments/audits.
Ensuring requirements for certifications (i.e. MLPS, CBDT) are clearly understood and ensuring measures/controls are in place or are securely delivered.
Ensuring required incident response procedures are in place, in collaboration with our Global ITSOC.
Ensuring Personal Information Impact Assessments (PIIA) are conducted for China projects.
Strategy
Support the direction of, and influence, the security strategy for Burberry China, providing the region with a clear programme of security improvement to track against.
ROLE REQUIREMENTS
PERSONAL PROFILE
Mandatory:
Deep experience and knowledge of Information Security processes and technologies spanning networks, applications, cloud, and mobile device technologies.
Relevant academic or industry qualifications in information security risk management or information security testing, such as CISSP/CCSP, CREST CRT/CTL, TigerScheme, OSCP, etc.
Familiarity with modern agile development and delivery practices, i.e. Scrum.
Strong knowledge of CI/CD tooling used to create, manage, and deploy secure code, ideally with a proven record of working alongside developers to foster strong SSDLC behaviours.
Strong familiarity with many of the most common AWS services (or those of other cloud vendors).
Collaborative DevSecOps mindset to build security into the product CI/CD release cycle, facilitating iterative and continuous security improvements.
Experience with modern digital transformation technologies: microservices, APIs/API gateways, serverless cloud technologies.
Knowledge of the CIS Top 20 security controls and CIS baseline benchmarks.
Experience of application security requirements engineering with OWASP ASVS, OWASP API Security, OWASP Top 10 and CWE Top 25, adapting as necessary using own experience/knowledge.
Demonstrable security architecture background covering web applications, web services and service-oriented architectures.
Strong verbal and written communication skills.
Strong interpersonal skills.
Strong analytical and problem-solving capabilities to develop security control options that address stakeholder concerns and organisational risks.
Capable of working in a team or unsupervised to the same level of quality.
Desirable:
Experience of application threat modelling to derive functional/non-functional security requirements for web applications, APIs, microservices and cloud platforms.
Retail sector or ecommerce experience.
Commercial experience as an Application Security Consultant.
Exposure to DevSecOps automation tools: iteration of application, infrastructure, compliance and threat modelling as code.
Exposure to software development version control software (VCS) and the CI/CD pipeline process.