Overview

As a Senior SecOps Engineer, you’ll monitor, analyse, risk assess and remediate the security of our digital programs using applicable security frameworks such as the Australian Government Information Security Manual ISM.

Key responsibilities include:

  • Apply cyber security framework principles, using risk-based methods to protect systems and data from cyber threats

  • Provide security services to Salsa clients

  • Assess Salsa’s internal processes, systems and tooling to provide a proactive approach to Salsa internal operations

  • Contribute to the success of our whole-of-government programs by providing ongoing security consultation, assessment, and proactive security services

  • Help Salsa scale our security services

The ideal person for this role will have an operational security background at enterprise scale, have technical expertise, be hands-on, love tech, be a great communicator, and have energy and vision to be a key part of Salsa delivering value to clients.

Responsibilities

The Senior SecOps Engineer is expected to interface with three groups — the Salsa Digital project team, Salsa client teams (such as the GovCMS and SDP program stakeholders) and Salsa executive management.

Responsibilities include:

  • Ramping up within complex, enterprise-grade, technical environments quickly

  • Aligning with regulatory frameworks — Becoming aware of regulatory requirements such as ISM/IRAP (for GovCMS) and whole-of-Victorian-government cyber security strategies (for example, VicGov Cloud Security GuidelinesExternal Link ) and the implication of these frameworks across people, process and technology

  • Identification of SecOps vulnerabilities and exposures — Proactive identification of gaps and/or exposures in security posture of technical solutions and considered recommendations to address

  • Determining SecOps opportunities via an understanding of present security pain points and exposures for each major program of work, driving the delivery of a backlog of security risk mitigation actions and initiatives across each program

  • Maintaining an active SRMP (Security Risk Mitigation Plan) and SSP (System Security Plan) for each major program of work and driving the actions to deliver on planned activities of the SRMP

  • Researching technical solution options to address security exposures and documenting and presenting these options to different stakeholders

  • Analysing the security implications of platform changes or technical issues, providing oversight to technical change management from a security perspective

  • Collaborating with other technical stakeholders to determine optimal technical solution pathways and producing appropriate documentation; providing a security perspective as required

  • Building and releasing solutions to address security risks

  • Being a go-to person for technical security advice to help explain technical approaches and general knowledge-share for SecOps approaches and considerations

  • Working with the Product Owner (platform) to help plan and communicate the product roadmap providing input into business imperative features from a security perspective

  • Maintaining knowledge of industry best practice SecOps tools, applications and solution approaches

  • Building authentic open relationships with stakeholders — Supporting a project/program culture with open communication, trust and respect

  • Representing Salsa’s strong open ethos and brand to establish new trusted relationships and nurture existing ones

Requirements

The following general behaviours and experience are required:

  • Enterprise-grade security experience in digital programs, ideally within government

  • Practical knowledge and experience of relevant security frameworks such as ISM/IRAP, WoVG technical policies and standards, and/or OWASP

  • Strong working knowledge of digital web technologies including application, devops, hosting and containerisation technologies (Kubernetes)

  • Strong problem solving skills

  • Ability to speak authoritatively on complex technical matters, in particular security principles, risks and solutions

  • Exceptional communication with customer and internal managers — Listening and providing answers

  • Ability to build good working relationships with all program stakeholders

  • Ability to gather and assimilate information

  • Ability to adapt and prioritise

  • Ability to think ahead and anticipate problems, issues and solutions

  • Experience working on projects/programs using agile methodologies

  • 2+ years as a SecOps or Security Engineer

  • 3+ years’ experience as Technical Lead/Architect or DevOps Engineer

  • Ideally an ability to transition seamlessly between SecOps Engineer and DevOps Engineer

A critical mass of the following specific technical skills are required:

  • Practical experience with complex technical solutions and achieving ISM/IRAP certification

  • Security consulting within digital domains using toolsets such as:

    • Web-serving architectures (nginx/apache/varnish)

    • CDN technologies (akamai, cloudflare, cloudfront, static, etc.)

    • Docker (docker-compose, image management)

    • Kubernetes cluster management (EKS, AKS, Lagoon, etc.)

    • CI (gitlab, circle, jenkins)

    • AWX, Ansible

    • ELK stack (elasticsearch, logstash, kibana)

    • AWS technologies (S3, EC2, RDS, Elasticache, SES, etc.)

    • PHP/CMS frameworks/platforms a plus (Drupal/Wordpress/Laravel)

  • Execution as a SecOps in complex regulatory environments

  • Demonstrated experience in current-state, future-state and transition-to-future-state of internal security systems and processes

Key performance indicators

The following KPIs are desired and presented here as a point of reference for discussion and negotiation with the Senior DevOps Engineer.

Technical knowledge and SecOps delivery

  • Demonstrated ability to speak authoritatively on complex technical security matters ranging across the full suite of technologies implemented on the platform (app, SecOps, DevOps and hosting)

  • Recognised by customers as a skilled technical leader in the security space (as measured by ratings on the program performance feedback survey)

  • Delivery of impactful SecOps results (as measured by increased security posture of platform and low frequency of security exposures raised by owners of the programs/platforms)

  • Contributor to Salsa technical thought leadership via any/all of blogs/vlogs, open source community contributions, authoritative technical whitepapers, etc.

Stakeholder communication & management

  • Built good working relationships and effectively communicate with customers (as measured by ratings on the program performance feedback survey)

  • Built good working relationships with internal and subcontractor stakeholders

Benefits

In becoming a Senior SecOps Engineer at Salsa Digital you can expect the following benefits:

  • Work with a team with incredible flexibility around working hours and working location

  • Work with a team of professionals in a flat organisational culture

  • An annual budget for education, health & wellness

  • Work with a team serious abouts its values, serious about open source

  • Attend professional conferences and events that support and improve your insights and knowledge to produce great work

  • A company culture that’s rigorous, transparent, accountable, continuously improving, commercial, innovative and values diversity — all of Salsa’s core values

About Salsa

Salsa is a Melbourne-based agency with a 15+ year legacy in open source. More about SalsaExternal Link

Salsa technical landscape

The articles below provide further context for the Senior SecOps Engineer role and Salsa’s involvement in major digital programs within government.

The Salsarian values

A big part of Salsa’s culture can be attributed to our seven key values we genuinely live by. More about our valuesExternal Link

Interested?

If this role excites you and would like to explore further then please reach out:

Paul Morriss

Director

paul@salsadigital.com.au

03 9910 403