Wealth Management, AWM Technology Risk, Doha, Associate

ENGINEERING

What We Do

At Goldman Sachs, our Engineers don’t just make things – we make things possible.  Change the world by connecting people and capital with ideas.  Solve the most challenging and pressing engineering problems for our clients.  Join our engineering teams that build massively scalable software and systems, architect low latency infrastructure solutions, proactively guard against cyber threats, and leverage machine learning alongside financial engineering to continuously turn data into action.  Create new businesses, transform finance, and explore a world of opportunity at the speed of markets.

 

Engineering, which is comprised of our Technology Division and global strategists groups, is at the critical center of our business, and our dynamic environment requires innovative strategic thinking and immediate, real solutions.  Want to push the limit of digital possibilities?  Start here.

 

Who We Look For

Goldman Sachs Engineers are innovators and problem-solvers, building solutions in risk management, big data, mobile and more. We look for creative collaborators who evolve, adapt to change and thrive in a fast-paced global environment.

 

RESPONSIBILITIES AND QUALIFICATIONS

The Goldman Sachs Asset & Wealth Management Division (AWM) provides asset management, wealth management, and banking expertise to institutions worldwide. AWM partners with various teams across the firm to help individuals and institutions navigate changing markets and take control of their financial health.

The AWM Technology Risk function is an information security group embedded within AWM responsible for the oversight of Information Security and Cybersecurity risks across AWM business and technology, and supplements the firm’s Technology Risk programs to meet the additional unique needs of the AWM business. Our mission is to enable the business needs while balancing controls. The AWM Technology Risk Group is responsible for the following services:

• Governance - Ensure that our risk posture remains in a managed state and helping to meet the different information security, privacy, regulatory, audit, and firm-wide tech risk commitments.
• Client Due Diligence – This client-facing service is a revenue protection function supporting due diligence requests from existing clients and prospects.
• Application Security & Advisory – Operate as the cybersecurity POC (point of contact) for key AWM initiatives

In the Tech Risk Advisory role for AWM Technology Risk, you will be part of a team that manages the technology risk portfolio and roadmap of key business initiatives like product launches, strategic projects, and acquisition due diligence. The function requires participating throughout the project lifecycle and working with a broad range of risk partners across the firm to ensure that application security & infrastructure security controls and best practices are baked into the project requirements and prioritized appropriately. The goal is to be the security solution architect and SME for product launches, key initiatives, and all other cybersecurity-related matters across the AWM business.

In this position, you will have a tremendous impact and bring innovative ideas on how to take our Technology Risk team to the next level. This technical role enables the business and helps engineering teams find creative and commercial ways to address risks and requirements across the technology landscape. This position also necessitates maintaining awareness of the evolving cybersecurity threat landscape and relevant mitigating controls. There will also be an opportunity to research evolving security trends, frameworks, and products to help our internal clients and advise/consult to our external portfolio companies, partners, managers, clients, and investments. 

You will be responsible for assessing and managing the portfolio of risks for divisionally aligned products. You are expected to learn about the business products you support and provide technical design consultancy services as needed. Your team will be responsible for ensuring management of all assessments, including, Design / Architecture Reviews, Manual Code Reviews, Penetration Testing, and Continuous Monitoring / Scanning. The ideal candidate should possess the aptitude to build coalitions across teams/product owners, educate and help counterparts on secure operation and development practices and work collaboratively to drive down risk.

JOB TITLE: Technology Risk Advisory Architect

 

SKILLS AND EXPERIENCE WE ARE LOOKING FOR

• 5-8 years of technology experience in one or more of the following areas: Information Security, Technology Governance, Operational Risk, Technology Audit, Technology Infrastructure or Application Development (focusing on application security)
• Ability to guide product and application teams to architect and design their products securely
• Knowledge of most common Application Security vulnerabilities – e.g., OWASP Top 10 and cloud security gaps.
• Prior experience in performing Threat Modelling or Secure Design Reviews.
• Perform risk assessments to identify gaps in compliance to information security (application and infrastructure
• Familiarity with common cloud services, recommended security best practices and secure deployment patterns - AWS is preferred.
• Familiarity with Security standards such as OWASP Testing Guide, OWASP ASVS, NIST and Sans top 20.
• Common security controls and how they apply to different designs and systems including but not limited to secure authentication, access controls, encryption (at rest/ in transit), IDS/IPS, DLP, malware etc.
• Experience with acquisition due diligence and integration.
• Understanding of core cryptography concepts (Encryption, Hashing, HMAC, digital signatures) and how they are applied and attacked in web applications (e.g. TLS attacks, CBC attacks).
• Familiarity in performing code review of popular web application programming languages (Java, Javascript, C++, C#, Python, Perl, optionally Objective-C, etc.).
• Familiarity with common web stack technologies (e.g. HTTP, HTML5, AJAX, REST, etc.) and platforms (e.g. DropWizard, AngularJS, Tomcat, .Net, Sybase, MS SQL, MongoDB, etc.).
• Ability to analyze protocols (OAuth, SAML, OIDC), flows and interactions in a system design to evaluate gaps.
• Ability to identify threats, abuse cases, and gaps in the design before it is implemented.
• Good written and oral communication to be able to articulate risks to both technical and management stakeholders.

Preferred Qualifications

• Experience in crafting custom proof of concept application exploits using testing tools/frameworks or scripting exploits in Python, Perl, JavaScript, Shell scripting, etc.
• Knowledge of network, application and operating system security risks.
• BS. in Computer Science, System/Computer Engineering, Cyber-Security, or Information Security.
• Security Certifications and Trainings preferred, but not required.
• Experience or trainings in related disciplines e.g. computer science, computer security, software development, system design, open source frameworks, encryption schemes, etc.