Job description
Lead Offensive Security Engineer
Why Digital & Tech at M&S
We're changing the way we do things, and putting industry leading innovation at the heart of how we operate; we need a stellar engineering team to make it happen. You'll be joining one of the most iconic brands in the UK on its most exciting cycle yet. We're more integrated and product led in our tech teams than ever before: learning, changing, and adapting constantly, with millions of people benefiting from your work every single day.
The Role
The Lead Offensive Security Engineer is on the front line of protection against threats directed at M&S and against exploitation of vulnerabilities present in its estate. The Lead Offensive Security Engineer is also responsible for providing guidance and expertise to the wider Threat & Vulnerability Management (T&VM) team. This team is the focal point for the management and execution of the T&VM process and for the coordination of relevant parties to mitigate threats and vulnerabilities.
What You’ll Do Every Day
- Protect the company and its customers from materially impactful events to its business, brand and customers, e.g. catastrophic events, significant financial losses and highly embarrassing events.
- Work collaboratively and independently on specialist engagements.
- Own and triage Marks and Spencer's bug bounty programme.
- Respond to and test bug bounty submissions.
- Act as subject matter expert on bug bounty programme and ethical hacking.
- Interact with application specialists and translate weaknesses in code into clear language that drives improvement.
- Lead the penetration testing service: scope engagements, deliver security testing and run red teaming exercises.
- Run red and blue team engagements, simulating the tactics, techniques and procedures (TTPs) of threat actors to test our security controls.
- Design security use cases and assist the service provider in implementing new protective content.
- Act as a liaison between industry peers, government agencies and other specialists.
- Utilize commercial intelligence providers to gain insight into existing activities in the hacker and fraudster communities, as well as planned activities and emerging motivations.
- Coordinate with the M&S Global Security Operations Centre and third-party providers to assess threats and vulnerabilities.
- During high-impact threat and vulnerability mitigations, support the T&VM Manager; this may include briefing senior management directly and interacting with the crisis management team.
- Work with business units, IT functions and external providers to ensure that processes are mutually understood and agreed on, and that responsibilities are clear and accepted.
- Act as a liaison throughout M&S (including lines of business, public relations, legal counsel and customer contact centres).
- Ensure generation, maintenance and protection of required documentation, reporting and traceability.
- Identify and respond to threats, incorporating industry intelligence to enable proactive threat detection, containment and response.
- Work with the InfoSec Managers, Leads and Service Delivery Managers to deliver activities within the continuous programme of improvement relating to application, infrastructure, and all critical services.
- Work with other leads to ensure that information is shared where appropriate.
- Provide specialised security support for events that fall outside the IT security incident realm, such as fraud attempts via electronic channels or high-impact outages due to reasons other than security.
- Support the manager in chairing T&VM meetings and calls, maintaining actions and escalating any issues.
- Support the manager in reporting and maintaining key risk, performance and success indicators for the team.
- Advise the InfoSec Management team of significant emerging threats and identified vulnerabilities and recommend tactical and operational steps to counteract these threats and mitigate vulnerabilities.
- Deliver Management Reporting on a regular and ad-hoc basis.
- Effectively communicate with internal stakeholders (technical and non-technical) and suppliers to provide updates on threats, vulnerabilities and/or to deliver key projects.
- Make and drive recommendations to improve operational effectiveness.
- Measure, manage and mitigate Information Security risk to an acceptable level and demonstrate compliance.
You Should Apply If
- Demonstrable experience of delivering transformational changes to culture and processes related to offensive security.
- OSCP, GXPN or GPEN certification is an advantage.
- Experience using the MITRE ATT&CK framework for adversary simulations.
- Demonstrable knowledge of the OWASP Top 10.
- Skills and understanding in SQL injection, Cross-Site Scripting (XSS) and Remote Code Execution (RCE).
- Proficiency in preparation of reports, dashboards, and documentation
- Demonstrable experience of training and developing colleagues
- Strong experience of T&VM, including within a DevSecOps operating model
- Knowledge and demonstrable experience of Information security technologies and methodologies
- Experience of vulnerability and threat assessment, including penetration testing and threat modelling
- Experience of Web-based application security
- Experience of Cloud systems and their Architecture (Azure, AWS)
- Demonstrable experience of working effectively with managed suppliers and vendors
- Awareness of Agile environments and practices
- Awareness of various operating system flavours including but not limited to Windows, Linux, Unix
- Awareness of Database technologies (SQL, Oracle, DB2, Mongo) and associated threats
- Awareness of security controls in widely used technologies e.g., MS Office 365
- Experience of Incident Management and Response tools, e.g. Remedy, ServiceNow
- A great communicator with strong negotiation, influencing, planning and prioritisation skills
Working for Us Means
- Hybrid Working
- Industry leading pension of up to 12% M&S contribution
- Bonus up to 40%
- 20% discount on M&S products
- Up to 2 weeks working abroad
- Learning days once a month, Tech/Ed days once a quarter and Hackathon every other quarter
- A range of wellbeing support (including free counselling and a virtual GP for you and immediate family)
- 25% off gym memberships, access to online fitness classes and discounts for complementary health services, such as nutrition and lifestyle coaching
M&S is ready to push boundaries to lead the retail industry into a greener, speedier, more inspiring digital era. That’s why we’re revolutionising how we work and offering our most exciting opportunities yet. There’s never been a better time to be part of our team. Marks & Spencer aims to be an inclusive organisation, trusted and admired by our colleagues, customers and suppliers. Join us and make an immediate impact.
We are committed to an active Inclusion, Diversity and Equal Opportunities Policy, which starts with our recruitment and selection process, and we are happy to talk flexible working.
If you consider yourself to require reasonable adjustments to any part of our recruitment process, we invite you to share those requirements with us when completing your application. We will make every effort to ensure your needs are met to provide a fair and transparent process of assessment.