Expert in DevSecOps

DESCRIPTION OF THE TASKS

The following tasks shall be covered by the service contract: Advise and Support as a subject Matter Expert in the field of DevSecOps. On top of this task, the candidate will contribute to: Security services development: Participate in the efforts towards developing and improving the service in its growing scope and coverage among DG CONNECT;

Perform analysis, design and implementation of the workflows and organisational processes for the functioning of the Security Team, the service delivery to DG CONNECT and the interaction with the related services within or outside of the DG; Analyse the requirements resulting from the IT security policy framework in force and from the IT security threat landscape, taking into account the expectations of the business owners; Assessment of the level of the implementation of security processes on the corporate level, contribution to defining associated indicators and dashboards and contribution to reporting; Contribution to the initiatives facilitating the adoption and implementation of the processes and methodologies among the stakeholders (presentations, targeted consultancy sessions, case-specific hands- on assistance sessions); Interfacing with IT security stakeholders, monitoring and advice in the implementation of security processes and measures (including the DevSecOps pipelines and associated processes).

Security Advisory and Support

Initiation and follow up of IT security risk assessment and security plans of information systems; Advice regarding IT security related issues, including vulnerability management; Reporting on a regular basis to the hierarchy regarding IT security, shortfalls identified and ideas for improvement.

Training and awareness raising

Initiation and promotion of specific IT security related awareness-raising and training programmes; Promote Cyber Aware programme and the related educational material.

Key Responsibilities

• Lead cybersecurity advisory services, including security by design, vulnerability management, security testing, incident management, and continuous improvement.

• Engage with business/systems owners and hierarchy, delivering strategic insights on cybersecurity risks and mitigation strategies.

• Perform IT Security Risk Management and Treatment, including identification of assets, business impact assessments, risk identification, risk calculations and implementation of defined treatment measures

• Draft IT security plans and follow implementation actions

• Develop and implement IT security services, including architecture design, GRC compliance strategies, and policy development.

• Contribute to the design and execution of cybersecurity frameworks in alignment with NIST CSF, ISO 27001, CIS Controls, and NIS2 Directive.

• Perform cybersecurity risk assessments, incident management, and continuous improvement activities.

• Contribute to the implementation of GRC and Policy Compliance in ServiceNow environments.

• Deliver cybersecurity awareness sessions to improve security culture across diverse stakeholder groups.

• Lead and integrate DevSecOps practices into security architecture, ensuring security is embedded in every phase of the software development lifecycle.

• Design and implement secure CI/CD pipelines, automate security testing, and promote security as code principles.

• Support on the data goverance and data security in collaboration with the Data Protection Coordinator

• Work with third-party suppliers to ensure penetration testing, vulnerability assessments, IAM and operational resilience testing meet relevant standards.

• Collaborate with the business to embed security-by-design into processes of buidling new systems

• Apply industry-standard threat modeling methodologies to analyze system architectures, detect security weaknesses, and enhance overall risk management strategies.

LEVEL OF EDUCATION

As stated in the Article 2.6.3.1. of DIGIT-TM II Service requirements, a minimum educational qualification for lot 3 is: Level of education corresponding to Level 7 of the European Qualification Framework which typically corresponds to a master degree.

KNOWLEDGE AND SKILLS

Following skills and knowledge are required for the performance of the above listed tasks:

• Minimum 7 years experience in Cybersecurity Strategy: define objectives and build roadmaps.

• Minimum 7 years experience in architecting Cloud, Application or Network solutions.

• Minimum 7 years experience risk identification and Risk management Methodologies, such as ITSRM², ISO27005.

• Minimum 5 Governance, Risk and Compliance (GRC) and tools such as ServiceNow.

• Good knowledge about the European cyber regulations, such as GDPR, NIS2, cybersecurity strategy, EU Cybersecurity Act.

• Good knowledge of framework: ISO27001, ISO 27005, NIST SCF, NIST 800-53, CIS Controls…

• Previous experience as Business development manager or product manager.

• Experience in managing risk from a 3rd party service provider, including cloud vendors.

• Strong drafting and communication skills in English both orally and in writing (level C1);

• Self-motivated and autonomous, with ability to manage and follow up on multiple tasks simultaneously;

• Proven ability to communicate complex cybersecurity issues effectively to senior management, supporting informed decision-making and strategic risk management.

• Expertise in creating executive-level cybersecurity reports, highlighting key risk indicators, compliance status, and security performance metrics.

• Strong analytical skills, ability to approach problems from multiple angles and find creative solutions;

• Ability to produce mature executive summaries, presentations and to engage with stakeholders at any levels, from operational staff to senior management;

• Proven capacity to analyse complex information, to consider options in a clear and structured way, to propose and implement recommendations and to make sound decisions;

• Ability to work effectively both with team members and with customers;

• Ability to work under pressure and with tight deadlines, to make timely decisions, to reprioritize tasks responding to changes in a rapidly evolving work environment;

• Ability to develop and set up processes and structures across various fields of activities; Strong ability to learn and apply new/emerging technologies.

SPECIFIC EXPERTISE

Following specific expertise is mandatory for the performance of tasks:

• Client operating systems, Windows, Linux

• Experience with large, enterprise-level multi-user Information Systems, network and application security

• Good knowledge with DevOps container or serverless /orchestration tools (ie: Docker, Ansible, Containers, Kubernetes, etc.)

• Experience with Fortify, SonarQube, GitLab etc

• Good knowledge with cloud security architecture and security requirements

• Good knowledge with Threat Modelling in cloud environment

• Good knowledge with Cloud governance and compliance: AWS, Azure, and SaaS

• Good knowledge with Security and Privacy by design, in the cloud.

• Good knowledge with Monitoring tools (Splunk, Dynatrace, etc.)

• Good knowledge in the Cloud (Aws, Azure, Google, etc.)

• Good knowledge with designing cloud security architecture best practices.

• Good knowledge with Designing and implementing the organization's cloud usage practices, including rules and standards

• Good knowledge with applying cloud service providers security practices, compliance.

• Knowledge on Enterprise Architectures methodology: such as TOGAF or SABSA

• Experience with Digital Transformation activities

• at least 4 years of specific expertise in providing cybersecurity advisory to international organizations.

• at least 5 years of specific expertise in in a relevant position within Cybersecurity security, risk management, IT consultancy or IT audit.

CERTIFICATIONS & STANDARDS

Following certificates & standards are required for the performance of tasks:

Minimum mandatory number of months of experience per area of expertise

Information Security Certifications such as CISM = 40

Risk Management certification, such as CRISC, ISO 27005 RM = 40

Cloud Security certification such as CCSP, GCLD, = 30

Cybersecurity Certification: Ethical Hacker C|EH, GCIH = 30

ISO27005 12 Governance Framework, such as COBIT = 12

Following certificates & standards would be advantageous for the performance of tasks:

Minimum mandatory number of months of experience per area of expertise

Network Security certification, Such as CCNP, CCSP = 48