WithSecure delivers offensive-driven cyber security to defend organisations, society and people from real-world attacks and build resilience into their approach. Our people are a mix of technical and creative experts – diverse, talented, and passionate – working tirelessly to help us advance the industry with new ways of thinking. They lead their own development, in and out of the office.
We are recruiting for an experienced Security Consultant, with experience in architecture, design reviews, threat modelling and risk modelling. Ideally, with some hands-on technical pentesting experience too. This position is specifically for integration with one of WithSecure’s strategic clients.
The job/the details
We need a Consultant who is comfortable in both technical and architectural conversations. You should have plenty of hands-on experience to draw on and should have strong technical fundamentals, including networking, infrastructure & applications – both on-premise and in the cloud (including SaaS). Experience with major cloud providers (preferably AWS) and SDLC toolsets is essential, and solid experience with infrastructure-as-code solutions is a benefit too. You will also ideally have strong hands-on security skills, from conducting pentests and security assessments. You’ll be comfortable finding impactful vulnerabilities and explaining to clients how to fix them.
But you should also be familiar with the other side of the fence – with how solutions are designed, implemented and maintained throughout their lifecycle. Ideally, this experience will be from large enterprise clients (likely while working as a consultant for them) and you will be used to working with disparate, global teams, across both applications and infrastructure, quickly summarising risks, and thinking pragmatically about true business impact. Good communication skills are a must.
You will be working as part of a client’s security team, and offering offensive security-minded thoughts and input on key design decisions. This will include areas such as:
1. What authentication and authorisation controls are used? You should be familiar with technologies like OAuth and common identity providers, and be able to explain common bypasses or flaws in their implementation.
2. How is data storage and transfer conducted securely? This should take into consideration the sensitivity of the data, technical specifics, architectural considerations, and any client-specific requirements.
3. Best practice input validation techniques – both in broad terms (allow-list, not deny-list; validate don’t sanitise, etc.) and technically specific ones (specific programming language implementations).
4. Logging of security-relevant information, such as logging key user actions, logins, etc. as well as correct integration of log collection to centralised sources (e.g. SIEMs).
5. Supply chain risks. For example, modern organisations often leverage many 3rd party SaaS providers for key functionality. You should be able to confidently discuss – with both application teams and 3rd party vendors – common supply chain/3rd party considerations, such as single-tenancy vs. multi-tenancy, available authentication and authorisation controls, prior pentesting on the platform, and other core security considerations.
6. Familiarity with cloud platforms, such as AWS and Azure. Common services across these providers and how to securely host applications and workloads within them.
7. Ability to quickly get to grips with new or niche technologies – this might include new cloud services leveraging AI, messaging and message queue platforms, or non-standard protocols. You should be able to think like an attacker and identify possible weaknesses – and help the client harden against them.
You should be able to quickly understand industry-standard and client-specific design patterns across the range of topics above – such as using common libraries, known-secure configurations, etc. Where no such standards exist, you should be involved in helping create them – defining what good looks like.
For this specific client project, you will have an 80% utilisation target, meaning that 20% of your time will be spent on some of the following:
* Training (receiving, as well as delivering)
* Research
* Service Development
* Internal Security Assessments
The expectation is that the successful candidate will perform rotations on this client project for 12 months. During those 12 months, the candidate will still have opportunities to interact with and learn from WithSecure Consulting’s broader team, through non-utilisation projects, time in the office, and hearing about or reviewing projects other consultants are involved in. At the end of the 12-month period, the opportunity to transition into a broader Security Consultant role will be available.
This is an office-based role – however, a number of the team choose to work from home most of the time. WithSecure does not mandate that people come into the office; we trust our team to get their work done wherever they are. However, we like to see you, and the team does regularly attend one of our two offices, whether to learn from each other, for training or client projects, or to socialise. Our offices are:
1. London
2. Manchester
What we need
We solve complex cyber-security problems daily and to do so requires an interesting and comprehensive set of skills. To be successful at WithSecure and help our clients with their challenges you’ll need the following:
* A passion for security
WithSecure’s consultants are passionate about what they do. They have a passion for computers, hacking, security and most importantly, solving problems. If this wasn’t your job, it would be your hobby. This passion is demonstrated in the technical excellence put into every project at WithSecure Consulting.
* Self-motivation
You’re not going to be told what to do all the time – we will support your progression, but it will be up to you. With an understanding of what is important to the business and our client, you will be given the opportunity to determine how your time is best spent. We are an output-driven business; that is to say, your output is what is ultimately important, and we don’t micromanage.
You will be working with the industry’s top consultants. They are there to support you, provided that you demonstrate that you are doing your best.
* Communication skills
Communication skills are as important as your technical abilities. The ability to write excellent reports and documentation is a necessity; however, you should also be able to summarise their contents effectively. In addition to written communication skills, you are expected to have good verbal communication skills.
You will have the ability to explain complex technical issues to a wide range of audiences which often include senior business stakeholders.
* Ability to thrive in fast-paced environments
Consulting is hard work, and pressure is high. WithSecure has high standards and high expectations of consultants. We work with some of the biggest and most interesting businesses in the world. This inevitably results in work that is often stressful but particularly exciting and rewarding.
An ideal candidate will have:
* 2 years of industry experience
* Relevant certifications – primarily one of CREST CRT, Cyber Scheme Team Member, OSCP
* Other subject-matter specific certifications on topics such as cloud security
We’re always considering motivated, proactive problem-solvers at any level. So if you’re keen on cyber security and want to make a start in the industry, please feel free to apply too, and we can consider you for an Associate Security Consultant position.
We are committed to creating a diverse and inclusive workplace that values and respects all people, regardless of their background, identity, or experience. We believe that diversity and inclusion are essential for our success as a company and for our customers’ satisfaction. We encourage applications from people of all backgrounds, abilities, and perspectives.
If you need any accommodations during the application or interview process, please let us know.