Cyber Security Architect

Job Description

At H&M Group, we are constantly striving to empower our colleagues in protecting our customers, our business and our colleagues against cyber threats. We are now building a team of experienced Cyber Security Architects that will enable our business operation to become secure and resilient.

Company Description

At H&M Group, we believe in making great design available to everyone. It’s essential in everything we do. Our family of brands — H&M, COS, Monki, Weekday, & Other Stories, H&M Home, ARKET, Afound and Itsapark — offer customers around the world a wealth of fashion, beauty, accessories and homeware, as well as modern menus with fresh and local produce at some of the brands’ in-store eateries.

But design is so much more than just products; it’s about clever design processes, efficient product flows, creating experiences that enrich, and smart solutions that benefit all our customers.

Sustainability is always at the core of our business. Not only because we like to do what’s right — but it’s also beneficial for our business. We will continue to push for change and lead the way towards a more inclusive and sustainable fashion future.

Do you want to join us? We will trust you with great responsibility right from the start, reward a passionate mindset and encourage an entrepreneurial spirit. When you start a career with H&M Group, there’s no limit to where it can take you.

About the product area 

Cyber security is important for H&M, and we have recently formed the new Cyber Security domain to define and instill a strong cyber security approach across the entire organization. As part of the investment into growing our internal cyber security capability, we are forming a Cyber Security Architecture area that reports to Chief Technology Risk Information Officer. The Cyber Security domain also has teams devoted to Security Engineering, Cyber Defense, Security Advisory and Assessment, Governance, Risk & Compliance, Security Culture and Awareness and regional teams to meet country specific security regulations.

What you will do

The main objective for the Cyber Security Architect is to enable secure and resilient business operations by defining and overseeing the implementation, adoption and effectiveness of security solutions.

To create Business enablement you will:

• Contextualize corporate strategic vision and direction; conduct analysis, identify opportunities, understand constraints and define strategic activities related to the Cyber Security domain
• Analyse, design, develop and maintain roadmaps and implementation plans to enable future state security capabilities in support of driving targeted business outcomes; ensure organizational resilience, stability and operational excellence
• Evaluate and drive continuous improvement and simplification to enhance end-to-end business value. Work across the organisation to lower the total cost of ownership, developing investment plans to reduce technical debt
• Develop control mechanisms to support H&M in managing Cyber risks in-line with business risk appetite

To create Architecture enablement, you will:

• Develop conceptual and logical architecture designs
• Create artefacts that provide target state guidance and enable structured transformation, including:
  • Security principles and guardrails
  • Capability models and descriptions
  • Pattern and anti-pattern descriptions
  • Future state blueprints
• Facilitate and orchestrate the delivery of targeted business outcomes, including:
  • Drafting, documenting and proposing Architecture Decision Records
  • Anchoring and ratifying Architecture Decisions
  • Communicating decisions to impacted stakeholders
  • Monitoring the adoption, implementation and effectiveness of Architecture Decision Records
  • Lifecycle managing Architecture Decision Records so that they remain relevant and fit for purpose 
• Maintaining a registry of security solutions relevant to their domain, including missing or overlapping solutions
• Monitoring security capability maturity posture

To create Change enablement, you will:

• Identify interdependencies and use ‘holistic thinking’ to ensure cross-team perspective when designing and implementing solutions
• Act as a facilitator of complex technical topics that require cross-functional consultation
• Communicate security best practice knowledge to the engineering and delivery community to embed security into platforms and products

The persons we are seeking will most likely master multiple security areas, but have deeper and more specialized skills and experience in one of the following: Device security, Application security, Data security, Cloud security, Network security, Secure development and IAM

Just like us you believe in a non-hierarchical culture of collaboration, transparency, and trust.  You are a great communicator with information security skills within an international and diverse context. 

Collaboration is key in our new organization and you will work close together with your colleagues as well as executing your tasks autonomously.

Skills and opportunities 

We work in a constant changing environment and no day is like the other. Therefore, we believe you thrive from working in a not yet formalized environment where anything and everything can happen. This is a great opportunity to contribute with your wide IT and Information Security background as well as experience from lifting the security competence in an agile organization.

On top of your security knowledge and skills, you have true people skills that will allow you to support teams with empathy and drive long-lasting behavior change. You have the ability to take responsibility, work proactively and continuously improve activities in complex, quickly transforming environments.

Your interest in the IT and Information security world will totally blow us away, and your skills as an Architect is unmatched.

You are probably currently working with Cyber security within the retail, manufacturing or e-com industry and have done so for the last 8-10 years. You have a strong analytical ability with a strong overview of the outcome of every communication initiative. Degrees are great, but we believe your skillset compliments and enhances your educational background.

Mandatory requirements, both competence and tools:

• Knowledge and awareness sharing within the security team concerning Security Architecture, Zero Trust Security Principles, Azure and Google Cloud Security Components
• Certified with either or, or a combination of: CISSP, CISSP-ISSAP, CCSA, SABSA, AZ-305, AZ-900, SANS GIAC, CISM, CISA

Qualifying requirements:

• Experience of e-commerce technologies is a merit
• Experience of retail business is a merit
• Experience of other data privacy laws is a merit
• Experience of working in an agile organization

• You are open minded, trustworthy and a self-motivated team player
• You have an entrepreneurial spirit, have great personal ownership, work proactively and continuously improve activities in complex, quickly transforming environments
• English, oral and written fluently
• Swedish, oral and written is meriting

What we offer!

Besides the obvious perks such as staff discount card, flexible work life, learning communities, wellness benefits, parental benefits etc. You are joining a unique value driven culture, a large tech network and community where you can be yourself. There are endless opportunities to experiment and grow in any direction that you want and when you grow, we grow. Being a major player gives us countless opportunities to make a real impact and shape the future.

Practical info

Apply now for this truly inspiring position where your work will contribute to the right security mindset through the whole organization!

This is a fulltime position with placement in Stockholm with a possibility to work part time remote.

We will review and interview on-going so please apply with CV and Cover Letter as soon as possible, but no later than 30th of June 2023. 

For questions about the position and/or recruitment process, please contact Björn Lundgren, Bjorn.Lundgren@hm.com but please note that we do not consider application sent in via email.