Every day, the people of TSYS® and NetSpend® improve lives and businesses around the globe through payments. We make it possible for millions of people to move money between buyers and sellers using our payments solutions including credit, debit, prepaid and merchant services. We are “People-Centered Payments”, and our team has the unique opportunity to help create a world in which payments make people’s lives easier and better. This is both a tremendous honor and an important responsibility for those who accept the challenge. If you are looking to make a valuable difference for people everywhere — and for yourself — we may have the right place for you.
Summary of This Role
Manages the development, deployment and execution of controls and defenses to ensure the security of company technology and information systems. Analyzes business needs and establishes priorities for protection of critical systems and operational policies. Establishes and implements appropriate information security standards and criteria for hardware, software, firmware, email and web firewall, access, vendors and third party solutions, and encryption requirements. Evaluates potential business impacts from security breaches and resolves security incidents while providing guidance to business decision-makers. Maintains access to information security technologies.
What Part Will You Play?
- Maintains a comprehensive and in-depth, component-level understanding of all IT systems, data flows, applications, technologies, security controls, threats, weaknesses and countermeasures within the company’s global and the Financial and Credit Card Industry. Maintains a corresponding understanding of standards (i.e., Payment Card Industry, Card Association, Data Protection). Directs information security governance, risk management and compliance programs which include security assessments and on-site reviews, security gap remediation, security incident support, audit support functions, business process and project consultancy and security education and awareness. Delivers advanced configuration and security management. Directs remediation and escalates to meet deadlines and prevent fines and penalties. Directs practices to validate reporting accuracy. Directs and improves all aspects of the organization’s global 24 x 7 cyber Threat Management Center (TMC). Detects, responds to and contains internal and external cyber attacks across the enterprise. Ensures activities are recorded for post mortems, compliance and/or legal evidence. Defines and maintains the Corporate Security Incident Response Plan (CSIRP) for the organization.
- Provides the authoritative sign-off of new solutions and technology in the global architecture review, international design review, firewall approval and other change and project governance processes. Ensures that security risks are appropriately controlled and IT services remain in compliance with internal and regulatory security policies and standards. Negotiates with solution designers, vendors and clients to ensure that each initiative meets agreed policy, standards and risk acceptance profiles. Directs the team that responds to crisis or urgent situations to mitigate immediate and potential cybersecurity threats.
- Consults with key stakeholders on client and internal requirements, projects and proposals, Payment Card Industry (PCI) interpretations, audit responses and new business opportunities. Consults, directs and advises internally on information security laws and regulations. Analyzes requirements, performs assessments and testing to create solutions and action plans to mitigate and prioritize risks. Simplifies complex and challenging concepts for stakeholders, documenting and presenting the required control frameworks and gaining acceptance. Validates implementation against alignment with approved design.
- Designs and develops secure IT solutions and control frameworks using network segmentation, gateway security, specialist security tools (e.g., event monitoring, data loss, vulnerability and malware protection, code review, app firewall). Researches, evaluates and recommends information security hardware and software, and creates business cases for security investments. Takes a technical lead for security incidents providing review and advice on impact assessment, cause and effect analysis, etc. Directs emergency mitigation and containment controls. Communicates with clients and vendors at a technical level and updates senior management. Leads post security incident investigations, undertaking detailed forensic analysis of IT systems using specialist tools and training. Maintains internal forensic and investigative tools capability. Delivers solutions having serious impact to overall success of company goals. Analyzes and responds to threat trends and new business opportunities. Establishes roadmaps and security assessment schedules. Leads steering committee sessions. Directs required vulnerability scanning and security penetration testing for applicable public-facing IT systems.
- Engages and consults with executive and senior leaders to align security programs with strategic business goals and tactical initiatives. Reduces risk and cost by ensuring security is integral to strategic IT and business decisions and client projects. Represents and serves as information security advocate. Represents information security at internal and external industry events, client forums and compliance forums. Directs the Information Security Review Program (ISRP) which includes the technical review of security controls for processes, solutions and technologies for third party assurance, corporate compliance and internal and external data security obligations. Works with the business to close security gaps. Identifies, escalates and reports critical risks and exposures pertaining to legal, data security and governance.
- Directs and leads complex security and internal fraud incident response investigations, and coordinates resources across the company, client, vendors and business partners. Coordinates and directs internal and external specialist forensic investigators. Prepares, presents and delivers executive level updates, keeping key decision makers apprised of developments and actions required. Ensures mitigation and remedial actions are identified and driven to completion.
- Directs communication with internal counterparts to set priorities for enhanced security and risk reporting. Directs security officer interactions with business units and partners. Guides security broadcasts and information security audit related communications and interactions. Analyzes vendor heatmaps, confirms information security position, liaises with key business partners. Delivers periodic executive leadership reporting on key initiatives, risks and security concerns.
- Directs processes for governing the submission, processing, maintenance, and submission to external assessors, and for the retention of PCI compliance evidence across all divisions and business segments in accordance with PCI evidence standards, records retention policies, and corporate security policies. Analyzes and correlates information security metadata collected during assessment processes to develop data security metrics and vulnerability trending. Briefs Chief Information Security Officer, executive risk management committees and the Board of Directors on the enterprise status of PCI compliance. Directs compliance reporting and vulnerability metrics to management across the enterprise utilizing various information delivery systems. Escalates critical compliance issues to executives. Provides and directs data security compliance consultation to various business units across the enterprise to ensure that new products and services, client offerings, and the implementation of technical projects comply with PCI data security standards.
- Provides expert support and guidance and acts as the enterprise contact for the PCI Security Standards Council (PCI SSC). Manages PCI SSC required training and certification across the enterprise. Correlates enterprise feedback to the PCI SSC on standards and reporting requirements. Represents the company’s position and feedback for PCI SSC special interest groups, information supplements, and industry guidance documents. Actively participates in and presents security topics at PCI conferences. May serve on the PCI SSC Board of Advisors. Drives continual improvement to secure the enterprise.
- Not an exhaustive list; other duties as assigned.
What Are We Looking For in This Role?
- Bachelor’s Degree: relevant experience or a degree in a related field of study from an accredited university is required; however, relevant experience in lieu of a degree may be considered.
- Typically a minimum of 10 years of related professional experience, including a minimum of 5-6 years of experience in a managerial position.
- Master’s Degree: related field of study from an accredited university.
- Prior TSYS, payment or technology industry experience is preferred.
What Are Our Desired Skills and Capabilities?
TSYS is an equal opportunity employer (EOE) committed to employing a diverse workforce and sustaining an inclusive culture.
Qualified individuals with disabilities may be entitled to reasonable accommodations to assist in their pursuit of employment with TSYS. This includes assistance in completing the job application (online or otherwise) and reasonable accommodations during the hiring process. For assistance with reasonable accommodations needed to apply for a job, please contact the TSYS Pay and Benefits Center between 8 a.m. and 7 p.m. Eastern Monday-Friday at +1.706.644.8747 or +1.877.644.8747 or email at PayandBenefits@tsys.com.
Outside of US Applicants:
TSYS is committed to diversity and equal opportunities for everyone. We are committed to ensuring that all job applicants and team members are treated equally, without discrimination because of gender, sexual orientation, marital or civil partner status, gender reassignment, race, colour, nationality, ethnic or national origin, religion or belief, disability, age or any other characteristic prohibited by law. For more information, please refer to our Code of Business Conduct and Ethics.