The National Rural Electric Cooperative Association (NRECA), with offices in Arlington, VA and Lincoln, NE is the trade association for over 900 consumer-owned electric cooperatives serving more than 42 million people. NRECA is committed to harnessing the strength of America's electric cooperatives into a single powerful voice. NRECA has won the following awards over the past few years:
* Top Workplace by the Washington Post * 100 Best Places to Work - ComputerWorld Magazine * 50 Best Places to Work - The Washingtonian * CARE Award Recipient - Recognizing organizations that promote a positive work-life balance * Best Place to Work Award Recipient - Lincoln, NE * Gold Well Workplace - Wellness Councils of America * State of NE Governor's Wellness Award - Grower Level
At NRECA, we work with people who are leaders in their fields. They are down-to-earth, hardworking professionals committed to helping our members serve their communities. Our work is interesting, constantly evolving, and requires new skills to meet the evolving needs of a dynamic industry. In this collegial, inclusive work environment, united around the compelling purpose and history of electric cooperatives, we thrive. And topping it off, NRECA cares about each person's overall well-being, encouraging health, financial security, and a sustainable work/life balance. EEO/AA- M/F/Disability/Protected Veteran Status/Genetic Data
Summary Engineer, Cyber Security P.3
Position Summary: Provides expert research, support and guidance to other architects, developers, technical staff and business owners to ensure that NRECA adequately safeguards its data and information systems based upon a detailed technical understanding across multiple security Domains. Creates and implements, in collaboration within IT and with business areas, a foundation and framework of Information Security infrastructures, processes, methods and standards. Works as subject matter expert to all information technology teams on vulnerability management, threat management, application security and contributes to any project requiring complex cyber security support.
Essential Duties and Responsibilities:
Conducts security vulnerability assessments using tools such as tenable Nessus or IBM Appscan to evaluate attack vectors, identifies vulnerabilities and collaborate with team leads to develop remediation plans.
Participates in the building of tools and automation that enables operational efficiency for security services defined by the information security program using Shell Scripting, Python and Windows PowerShell.
Builds and maintains dashboards that present actionable vulnerability data to IT teams and IT leadership in an intuitive manner.
Builds and delivers reports for IT staff and leadership for the tracking of vulnerability remediation SLAs and NRECA's current threat landscape.
Performs risk assessments to leveraging vulnerabilities data to determine business risk.
Maintains technology infrastructure used to deliver vulnerability scanning, and web application assessment capabilities.
Assists with the build out and maintenance of infrastructure utilized for Red Team engagements.
Performs network and web application penetration testing and assist with remediation of identified vulnerabilities.
Performs validation testing of security vulnerabilities that have been remediated and evidence the results for closure.
Utilizes dynamic and static code analysis tools to assist application teams in applying application security best practices.
Performs periodic threat modeling to help improve enterprise security posture.
Effectively communicates findings and strategies to client stakeholders including technical staff, executive leadership, and legal counsel.
Maintains ongoing proficiency in network and application exploitation, tools, techniques, countermeasures, and trends in computer network vulnerabilities and network security.
Assists in applying security controls (PCI-DSS, SOX, HIPAA, ISO, CSC) as well as web application security topics such as OWASP top 10, CWE top 25, and authentication infrastructure (SAML, OAuth).
Works closely with business and Information Technology Units to identify and understand applicable security requirements that relate to business and regulatory drivers.
Responsible for the proper security and disposal of any confidential information that he or she may possess in the course of performing this position's job duties, in accordance with NRECA's Personnel & Administrative Policy and HIPPA Privacy and Security Policies & Procedures Manuals.
Direct Reports to this Position: None
Requirements and Qualifications
Formal Education Required: Bachelor's Degree in Computer Science, Information Systems, Systems and Technology, Business Administration, or related field. Master's degree preferred.
Experience and Certifications Required:
5+ years' progressive experience in the following areas: Application security, vulnerability management, penetration testing, risk management as well as solid experience working in IT environments.
Experience with Linux/Unix and Windows systems, in shell scripting or automation of tasks using Perl, Python, or Powershell, utilizing Penetration Testing Software, Commercial & open source applications in an Enterprise; like Kali Linux, Cobalt Strike, Vulnerability Scanners, Empire, Beef, MSF, Responder, Burp Suite, etc., enterprise vulnerability scanning tools such as Tenable Security Center, in Web Application Security Testing, Penetration Testing and/or Red Teaming and with static and dynamic code analysis tools.
Technical certification such as: Security+, PenTest+, GIAC Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP) and/or Certified Information Systems Security Professional (CISSP), required. Offensive Security Certified Professional (OSCP) preferred.
Knowledge, Skills and Abilities Required:
Knowledge of vulnerability management and scanning best practices such as CVE database and the CVSS System used for scoring vulnerabilities as demonstrated by prior work experience.
Knowledge of network and application security principles such as OWASP Testing Guidelines, OWASP Application Security knowledge framework and ATT&CK framework as demonstrated by prior work experience.
Knowledge of tactics, techniques, and procedures used by internal and external threat actors for red team operations as demonstrated by prior work experience.
Ability to build channels of collaboration for vulnerability management and foster knowledge sharing amongst various IT teams as demonstrated by prior work experience.
Ability to communicate, both verbally and in writing, with a diverse membership, employees and/or vendors in a clear and precise manner as demonstrated by prior work experience.
Interpersonal skills, member service orientation and ability to work in a team environment as demonstrated by prior work experience. Must be energetic, goal oriented and innovative.
Ability to use Microsoft Office tools (Excel, Word, Outlook, Power Point) in the day-to-day essential duties of the job as demonstrated by prior work experience.
Ability to operate various office equipment such as personal computer, copier, printer, fax machine, 10-key adding machine, and multiple line telephone as demonstrated by prior work experience.
Ability to provide service excellence by building relationships, being resourceful, responsive and respectful as demonstrated by prior work experience.
Essential Physical Requirements:
The worker is required to have close visual acuity to perform an activity such as: preparing and analyzing data and figures; transcribing; viewing a computer terminal; extensive reading.
Exerting up to 20 pounds of force occasionally, and/or up to 10 pounds of force frequently, and/or a negligible amount of force constantly to move objects. If the use of arm and/or leg controls requires exertion of forces greater than that for sedentary work and the worker sits most of the time, the job is rated for light work.
Disclaimer Statement: The preceding job description has been written to reflect management's assignment of essential functions. It does not prescribe or restrict the tasks that may be assigned.