General Information

Req #: WD00043860
Career area: Hardware Engineering
Country/Region: United States of America
State: North Carolina
City: Morrisville
Date: Wednesday, November 16, 2022
Working time: Full-time
Additional Locations
* United States of America - New York - New York
* United States of America - Pennsylvania - Philadelphia
* United States of America - North Carolina - Morrisville - Mobile
* United States of America - Pennsylvania - Morrisville
* United States of America - New Jersey - Bedminster
* United States of America - Pennsylvania - Bedminster

Why Work at Lenovo

We are Lenovo. We do what we say. We own what we do. We WOW our customers.

Lenovo is a US$62 billion revenue global technology powerhouse, ranked #217 in the Fortune Global 500, employing 77,000 people around the world, and serving millions of customers every day in 180 markets. Focused on a bold vision to deliver smarter technology for all, Lenovo has built on its success as the world’s largest PC company by further expanding into growth areas that fuel the advancement of ‘New IT’ technologies (client, edge, cloud, network, and intelligence) including server, storage, mobile, software, solutions, and services.

This transformation together with Lenovo’s world-changing innovation is building a more inclusive, trustworthy, and smarter future for everyone, everywhere. To find out more visit www.lenovo.com, and read about the latest news via our StoryHub.

Description and Requirements

Lenovo Infrastructure Solutions Group’s (ISG) Product Security Office (PSO) is seeking a Security Certification Program Manager to support Lenovo ISG’s Secure Development Lifecycle activities and directly contribute to maintaining a high level of security in the products we provide to our customers. This is a new position, joining a growing product security team in securing an expanding product and services portfolio and supporting the business’ evolving security needs.

This is a dynamic product security role. The successful candidate will have a solid security knowledge base to draw from; a proven record of success in earning product, service, and/or organizational security certifications across all phases; the ability to multi-task across several projects concurrently, adapt, and develop deeper expertise as needed; and be comfortable taking ownership of projects to ensure effective delivery.

Primary responsibilities:  The ideal candidate for this security certification product manager role should have a successful record in driving product, service, and/or organizational security certifications, such as ISO 27001, across all phases including inception, scoping, gap analyses, consulting with internal teams, presenting findings, remediation, certification, external audit engagements, maintaining risk register/POA&Ms, and re-certification. Additionally, the ideal candidate will be able to multi-task, adapt, and service diverse security needs; own and prioritize initiatives; directly contribute to delivery; and help shape organizational direction of future certification and accreditation efforts.

Representative responsibilities include:

  • Leading product, service, and/or organizational security certification activities across all phases
  • Analyzing industry standards, guidance, legislation, etc. for applicability, to identify gaps, and to recommend actions and solutions
  • Working with peers, security leadership, and cross-functional teams to align security execution with continually evolving business and market needs and expectations
  • Maintaining an open, thoughtful, respectful, and collaborative team environment
  • Researching, designing, developing, and educating others on security best practices, standards, requirements, tactics, procedures, training materials, etc.
  • Assessing products, services, and organizational units for compliance with security requirements
  • Coordinating and tracking finding remediations in accordance with relevant industry standards
  • Interfacing with cross-functional teams and technical resources to gather supporting evidence and prepare for third-party assessment engagements
  • Creating security guidance, compliance, and standards documentation

Position Requirements

Basic Qualifications:

  • Five-plus (5+) years of experience in security certification, security accreditation, compliance, or managing an ISO 27001 program
  • Experience successfully designing and managing an ISO 27001, NIST RMF, FedRAMP, SOC II, or similar certification program is preferred
  • Practical experience analyzing and documenting gap analyses between current-state environments and security standard compliant-state
  • Maintain current knowledge of security standards and monitor advancements to ensure organizational adaptation and compliance
  • Knowledge of secure software development fundamentals
  • Practical experience managing and working with 3rd-party pre-assessment and certification firms
  • Deep understanding of industry and government security standards and compliance, including one or more of the following: ISO 27000-series, NIST Risk Management Framework (RMF), FISMA, FedRAMP, NIST SP 800-series, NIST Cybersecurity Framework, NIST Secure Software Development Framework, AICPA TSC, Building Security In Maturity Model (BSIMM), PCI-DSS, O-TTPS / ISO 20243, and similar
  • Originating security processes, standards, and requirements
  • Integrating security into pre-existing processes and technical environments
  • Experience leading and coordinating cross-functional teams to achieve long term objectives such as third-party assessment engagements
  • Strong collaboration skills over application sharing platforms and teleconferencing

Key Personal Traits:

  • Self-motivated and results driven
  • Able to cultivate collaborative relationships; navigate sometimes contentious situations; and successfully resolve conflicts – all with respect, equity, and professionalism
  • Comfortable working toward what may be loosely defined objectives, clarifying and solidifying those objectives along the way
  • A critical thinker and problem solver, who is naturally curious and a consummate learner
  • A good communicator with strong verbal and written presence, capable of clearly explaining and documenting security needs
  • Adept at multi-tasking and achieving results in what can be a high-pressure environment while adapting to fluid business demands
  • Persistent, keeping end goals in mind, being mindful of opportunities as they present themselves, and appreciating that “not today” doesn’t mean “not ever”
  • Comfortable managing upwards

Education and Certification Requirements:

  • Bachelor’s degree in Computer Science, Information Security, Cybersecurity, Management Information Systems, or related degree; Master’s degree is preferred
  • Security certifications: One or more of CISSP, CSSLP, CISM, CISA, or similar

Travel:

5% (travel typically not needed, but possible on occasion post-COVID)

We are an Equal Opportunity Employer and do not discriminate against any employee or applicant for employment because of race, color, sex, age, religion, sexual orientation, gender identity, national origin, status as a veteran, and basis of disability or any federal, state, or local protected class.