Vodafone • Kinshasa, Congo, the Democratic Republic of the

Secure by design specialist

Employment type:  Full time

Job Description

ROLE PURPOSE

The Secure by Design Specialist is the primary architect of security resilience within the organization, serving as the bridge between technical engineering, risk governance, and the customer.

This role is responsible for driving the "Shift-Left" strategy, ensuring that security is a fundamental component of the product lifecycle from inception rather than an afterthought, ultimately protecting our customers' data and trust.
A core pillar of this role is Threat Modeling, proactively identifying and mitigating potential attack vectors before any infrastructure is deployed or code is written.

The specialist evaluates internal architectures and performs rigorous technical due diligence on all third-party integrations and vendor ecosystems to ensure that external dependencies do not compromise the Vodacom estate or the customer experience.


Crucially, the role ensures absolute alignment with Vodafone CHARM (Cyber Health and Resilience Measure) controls, Group standards, and security policies, fostering a "security-first" culture across the Digital IT, M-PESA, and Network divisions. The objective is to ensure that every deployment is resilient by default, cost-effective, and meets the highest global Cyber Security benchmarks to provide a secure environment for every customer.

Additional tasks involve monitoring and securing the CI/CD pipeline, conducting comprehensive security audits, responding to and investigating security incidents, and establishing/enforcing stringent security protocols.

Furthermore, the Secure by Design Specialist will provide security expertise to development and operations teams, fostering a culture of security awareness and adherence to best practices.

Staying current on the latest cyber threats and security technologies is essential for effectively protecting the organisation's assets.

Key accountabilities

  • Capacity to lead the security evaluation of system designs, network topologies, and application logic. Orchestrate the integration of security controls into early-stage project requirements in strict adherence to Vodafone CHARM, Group standards, the OWASP Top Ten and internal policies.
  • Candidates should be able to conduct deep-dive technical security assessments of third-party APIs, SDKs, and cloud services. Evaluate vendor security maturity through technical audits against the CHARM framework and evidence-based reviews of their security controls.
  • Candidates should be able to integrate "Secure-by-Design" specifications and CHARM control requirements into RFPs and project initiation documents, as well as translate complex Group security policies into actionable technical requirements for developers and vendors.
  • Facilitate advanced threat modeling sessions (STRIDE/PASTA) for high-impact projects to proactively identify risks and oversee the remediation of design-level vulnerabilities to ensure the final product meets Vodacom’s resilience standards.
  • Establish secure integration patterns for all internal and external data exchanges. Oversee the security of the API lifecycle, ensuring robust authentication and authorization (Zero Trust) across the ecosystem.
  • Drive a culture of security ownership among developers and operations teams by conducting specialized workshops, "Security Champion" programs, and technical training on secure coding and design.
  • Collaborate with the SOC or the defence team to ensure that new designs include sufficient logging, monitoring, and telemetry to support rapid incident detection and forensic investigation.
  • Knowledge of containerization and orchestration solutions, including Docker, Kubernetes, and OpenShift, is important. An appreciation of the security aspects of containerization, such as image scanning and runtime security, is highly valued.
  • Candidates should have exposure to CI/CD pipeline tools like Jenkins, GitHub Actions, CircleCI, and Travis CI and experience integrating security into CI/CD pipelines.
  • Knowledge of Infrastructure as Code (IaC) using tools like Terraform, CloudFormation, Ansible, Chef, and Puppet is necessary, with a desirable understanding of security practices in IaC environments.
  • Extensive exposure to security tools and technologies is required. This includes Static Application Security Testing (SAST) tools like SonarQube and Checkmarx, Dynamic Application Security Testing (DAST) tools like OWASP ZAP and Burp Suite, Software Composition Analysis (SCA) tools like WhiteSource (Mend.io) and Snyk, and Runtime Application Self-Protection (RASP) tools.
  • A solid appreciation of network security, including firewalls, VPNs, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), is essential. An understanding of network protocols and security, such as TCP/IP, HTTP/HTTPS, the network zoning model and SSL/TLS, is also important.
  • An understanding of threat modelling and vulnerability management is required, as well as experience using tools like the Microsoft Threat Modeling Tool, OWASP Threat Dragon, and vulnerability scanners like Nessus and Qualys.
  • The ability to implement application monitoring and logging tools like Splunk, the ELK Stack (Elasticsearch, Logstash, Kibana), Prometheus, and Grafana is necessary. Knowledge of integrating with Security Information and Event Management (SIEM) tools is also desirable.
  • Some exposure to Identity and Access Management (IAM) tools like Okta, Auth0, AWS IAM, and Azure AD is preferred. Knowledge of Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) is critical.
  • An understanding of databases, including relational databases like Oracle, MySQL, PostgreSQL, and SQL Server, as well as NoSQL databases such as MongoDB and Cassandra, is preferred. This includes the ability to construct efficient queries, optimize database performance, and ensure data integrity and security.
  • Additionally, a good understanding of secure development and assessment of application programming interfaces (APIs) is a critical skill. This involves knowledge of RESTful and SOAP APIs, implementing secure API authentication and authorization mechanisms, and conducting regular security assessments to identify and mitigate potential vulnerabilities.

Company benefits

UK (28), India (22), Egypt (21), Hungary (20), Romania (20), Albania (22), Turkey (14) days annual leave + bank holidays
Work from anywhere scheme – work for up to 20 days/year abroad (dependent on country)
Annual bonus – dependent on company performance
Employee discounts
Personal development days – once per quarter
Learning platform – access to Harvard Business Publishing, MIT Horizon and Skillsoft
Enhanced maternity leave – 16 weeks (paid) with a phased return to work over 6 months
Enhanced paternity leave – 16 weeks (paid) with a phased return to work over 6 months
Volunteer days – up to 5 days
Coaching – access to a free certified internal pool of coaches
Mentoring
Carer’s leave
Adoption leave – 16 weeks (paid) with a phased return to work over 6 months
Enhanced sick days
Mental health platform access
Mental health first aiders
Employee assistance programme
Complimentary Medical Services – 24/7 online doctor service
Compassionate leave
Home office set up
Buddy scheme
Referral bonus
Early finish Fridays
Buy or sell annual leave
Cycle to work scheme
Life insurance
Sabbaticals
Salary sacrifice
Share options
Teambuilding days
Faith rooms
Enhanced pension match/contribution
Learning license

Working at Vodafone

Company employees: 85,887

Gender diversity (m:f): 61:39

Hiring in countries

Albania

Belgium

China

Czechia

Democratic Republic of the Congo

Egypt

France

Germany

Greece

Hungary

India

Ireland

Italy

Lesotho

Luxembourg

Malaysia

Mozambique

Portugal

Romania

South Africa

Spain

Sweden

Tanzania

Türkiye

United Kingdom

United States

Awards & Accreditations

1st – Most loved - Large companies, Flexa awards 2026
1st – Inclusion, Flexa awards 2026
Top 5 - Flexible, Flexa awards 2026
