
Manager, Application System Security


Job Description

At the Howard Hughes Medical Institute (HHMI), creativity and excellence are fundamental to our success. As one of the world’s largest philanthropies, HHMI is a major force in advancing biomedical research and science education in the U.S. We have an opportunity for a Manager, Application System Security to join our headquarters in Chevy Chase, MD. Reporting to the Director, SaaS Update Management, the manager works closely with the functional departments to determine the appropriate security roles in the requested application.

The Manager of Application System Security is responsible for directing and overseeing the development and implementation of security and data access control at all levels for business-critical applications such as, but not limited to, Okta, Workday, Concur and Ariba. This role will provide suggestions for improvement to tools and processes as necessary to move the Institute forward. The Manager of Application System Security also manages staff members and serves as primary liaison with the Enterprise Program Management Office (EPMO)/Risk Manager, Internal Audit, External Auditors, and other departmental managers in recommending, developing, implementing, testing and maintaining security standards, policies and procedures. This role is accountable for properly provisioning and deactivating application access according to user responsibilities and audit requirements. The Manager of Application System Security must be a process-centric, detail-oriented and communicative person, engaging with peers and business users as part of a collaborative team.

Responsibilities

  • Act as Gatekeeper for security access requests (for delegations, admin rights, integrations, reporting, etc.)
  • Consult with Functional Departments and EPMO/Risk Manager to provide direction with agile development methodologies for all SaaS applications such as, but not limited to, Okta, Workday, Concur and Ariba
  • Collaborate with the Risk Manager to resolve access or separation of duties issues identified during continuous monitoring or other compliance activities
  • Analyze large data sets and unstructured data to identify trends and anomalies indicative of malicious activity, and demonstrate the capability to learn and develop new techniques
  • Research, develop, and keep abreast of tools, techniques and process improvement in support of security detection and analysis in accordance with current and emerging threat and attack vectors
  • Ensure security principles and practices are adhered to. Be a voice of reason and authority around security process and standards
  • Work with IT Quality Assurance team to conduct security testing that validates user permission, system access and security settings
  • Plan and perform the activities of provisioning/de-provisioning of user access in all platforms and business-critical applications, including the Microsoft SharePoint platform
  • Develop and evaluate security procedures and features including changes in upgrades, patches, and fixes, and develop appropriate audit control reports to assist in monitoring security
  • Provide direction, mentorship and coaching to Application Security team members
  • Use IT standard request and workflow tools to track application access requests, approval status, changes, and make the history available to satisfy audit requirements
  • Conduct regular security awareness training for IT and functional departments to improve best practices within HHMI
  • Review 3rd party audit reports released by HHMI Internal Audit and work with IT leadership to identify risks/concerns
  • Manage the annual external IT audit review process with PwC and assist with mitigating risks related to any findings or recommendations
  • Develop and maintain relevant metrics that help IT and other stakeholders monitor performance

Required Skills

  • Knowledge of SOC procedures and best practices
  • Enthusiastic leader – Must be self-motivated and possess a team-building attitude
  • Knowledge of vulnerability management solutions, risk assessments and compliance management
  • Knowledge of multi-factor authentication and identity management systems (e.g. Okta, Azure, Telesign, etc.)
  • Workday, Concur and Ariba system operation, administrative activities and business process
  • Ability to take high-level direction from upper-management and translate it into the appropriate implementation
  • Expert knowledge in IT security controls and audit framework
  • Excellent analytical ability, consultative, and communication skills
  • Knowledge in SaaS system operation, administrative activities and business processes
  • Ability to maintain confidentiality
  • Excellent customer service skills
  • Capacity to manage numerous initiatives and deliver results in a timely fashion

Required Experience

  • Bachelor’s degree in computer science or equivalent combination of education and experience preferred
  • 6+ years of professional systems engineering/administration in Workday or other SaaS application
  • 3+ years of managing an IT security function
  • Certified Information Systems Security Professional (CISSP) or ISC2 Associate
  • Certificate of Cloud Security Knowledge (CCSK)
  • Technical depth and experience working in 12 x 7 centers with complex, high transaction, high availability environments
  • SharePoint experience preferred

Don’t forget to mention Naturejobs when applying.

Source: Nature Jobs
