Senior Specialist Offensive Security

Job Title: Senior Specialist Offensive Security

Division: Office of the Chief Information Security Officer

Reports To: Manager Offensive Security

Salary Range: $122,305 to $163,639

Work Location: 55 John Street, Toronto

Job Type: Permanent Full Time

Shift Information: Monday to Friday, 35 hours work week

JOB SUMMARY:

Performs, manages and reviews Penetration Tests and Red Team exercises as part of the Threat Management unit’s Offensive Security section. Provides recommendations and direction in remediating identified security weaknesses, as well as input into the evolution of the Threat Management unit’s ethical hacking capabilities in support of the execution of the Chief Information Security Officer’s (CISO) mandate, cyber vision and strategy.

To provide subject matter expertise, strategic advice, senior level guidance and operational support for Penetration Testing and Red Team exercises area within the Threat Management section.

MAJOR RESPONSIBILITIES:

• Offensive Security Expertise: Delivers expert capabilities and direction to conduct offensive security services.
• Infrastructure & Application Testing: Conducts authorized assessments of infrastructure and applications to proactively identify security weaknesses.
• Attack Simulation & Validation: Discovers and verifies weaknesses by leveraging attacker techniques to evaluate the difficulty and effectiveness of potential attacks from various threat actors.
• Risk-Based Recommendations: Provides comprehensive and actionable recommendations to counter the threat posed by identified security weaknesses, given the applicable threat landscape.
• Process & Tool Improvement: Contributes to the continuous improvement of security processes, tools, and techniques to counter threats faced by the organization. Researches and develops testing tools, techniques, and processes.
• Security Reporting & Metrics: Leads and delivers reporting and metrics, including Key Risk Indicators (KRIs).
• Vulnerability & Remediation Tracking: Develops and reports enterprise-level metrics for vulnerabilities and remediation progress.
• Stakeholder Education & Awareness: Understands, demonstrates, and educates stakeholders on the real-world impact of threats and vulnerability exploitation in a given environment.

QUALIFICATIONS/CERTIFICATIONS:

• Post-secondary degree in Business or Technology or a related discipline.
• Strong experience in penetration testing.
• Extensive penetration testing experience with operating systems, web applications and network infrastructure.
• Strong experience with using Penetration Testing Tools, e.g., NMap, Nessus, Metasploit, BurpSuite, Nikto, Tcpdump.
• Administrator level knowledge of Server Operating Systems specifically Unix and Windows.
• Intricate technical knowledge of TCP/IP Networking/Routing, Intranet/Internet Architectures and Segregation Technologies/VLANs, Firewalls, Intrusion Detection, Intrusion Prevention, SQL Databases.
• Ability to test web technologies, e.g., web applications, containers, container managers.
• Programming ability to create, read and modify exploit code to achieve system penetration. C, C++, Java, C#, scripting knowledge is an asset.
• Experience scaling security testing capabilities.
• Demonstrate a current and working knowledge of Information Security best practices, methodologies, and techniques.
• Preferred Certifications (any in the list): CISSP, CRISC, OSCP, CEH, GPEN.

SOFT SKILLS:

• Ability to work in transformative programs.
• Ability to lead efficient communication between all project stakeholders, including internal teams and clients.
• Ability to achieve business objectives through influencing and effectively working with key stakeholders.
• Excellent written & verbal communication skills (comfortable & confident communicating at all levels including business partners, leadership and vendors).
• Excellent problem-solving skills with capability to identify solutions to unusual and complex problems.
• Keen attention to detail and strong organizational skills.
• Highly organized, proactive, self-motivated team player who takes initiative and is able to work independently.
• Ability to work in a fast-paced environment managing multiple priorities with proven time management skills.
• Strong analytical skills and ability to prioritize and multitask.
• Ability to manage multiple initiatives while adhering to strict deadlines.
• Able to work extremely well under pressure while maintaining a high level of professionalism.
• Self-motivated person with desire to go above and beyond tasks.
• Transferable skills, like communication and decision-making, are equally important.
• Being able to think on your feet and show good judgment are especially valuable in this field. Security pros should always be ready to react to cyber-related incidents quickly.

ADDITIONAL COMMENTS/INFORMATION:

A normal work week is 35 hours; however, unforeseen situations may require extended hours of work with little or no prior notice. In case of a cyber incident or breach, rotation shift, continuous extended hours may be required with little or no prior notice.

*Subject to a police check, background check, psychological assessment and/or any other checks on a regular basis as the Office of the CISO handles highly sensitive and confidential information.

EQUITY, DIVERSITY AND INCLUSION:

The City is an equal opportunity employer, dedicated to creating a workplace culture of inclusiveness that reflects the diverse residents that we serve. Learn more about the City’s commitment to employment equity.

ACCOMMODATION:

The City of Toronto is committed to creating an accessible and inclusive organization. We are committed to providing barrier-free and accessible employment practices in compliance with the Accessibility for Ontarians with Disabilities Act (AODA). Should you require Code-protected accommodation through any stage of the recruitment process, please make them known when contacted and we will work with you to meet your needs. Disability-related accommodation during the application process is available upon request. Learn more about the City’s Hiring Policies and Accommodation Process.