RSM - Associate Director - RC SPRC CTR Cyber Testing

About RSM USI

The RSM USI supports RSM U.S. risk consulting, transaction advisory, technical accounting, financial consulting, technology, and management consulting, tax, and assurance engagement teams by providing access to highly skilled professionals for repeatable business processes over an extended business day. USI is a member of RSM International, the sixth largest global network of independent accounting, tax, and consulting firms. RSM's vision is to be the first-choice advisor to middle market leaders globally. You will work directly with clients, key decision makers and business owners across various industries and geographies to deliver a top-quality client experience. RSM is a diverse and inclusive place where you will work as part of a team while being valued as an individual, mentored as a future leader, and recognized for your accomplishments.

Risk Consulting helps clients across various industries by addressing the increasingly complex strategic, operational, compliance, and governance challenges faced by those responsible for managing or overseeing dynamic businesses. Risk Consulting major offerings includes AML & Regulatory Compliance; ERP Advisory; Automation and Analytics; Enterprise Risk Management; Internal Audit; SOX Advisory; Contract Compliance; Credit Reviews; Information & Technology Audits; Cybersecurity risk management; Third-party risk management; IT due diligence; SOC1 / SOC2; Security and Privacy Risk; Governance Risk and Compliance; PCI; Cyber Transformation; Manage Security Services; Secure Architecture Solutions; Cyber Testing; Digital Forensics and Incident Response; and Cyber Threat Intelligence.

Qualification and Entry Requirements:

- Bachelor or Master degree in computer science with a minimum of 10 years in cyber security domain

- Technical background in networking/system administration, security testing or related fields

- In-depth knowledge of TCP/IP

- Good knowledge of Perl, Python, Bash, or C experience

- Operating System Configuration and Security experience (Windows, HP-UX, Linux, Solaris, AIX, etc.)

- Configuration and Security experience with firewalls, switches, routers, VPNs

- Experience with security and architecture testing and development frameworks, such as the Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), Information Systems Security Assessment Framework (ISSAF), and NIST SP800-115

- Familiar with security testing techniques such as threat modeling, network discovery, port and service identification, vulnerability scanning, network sniffing, penetration testing, configuration reviews, firewall rule reviews, social engineering, wireless penetration testing, fuzzing, and password cracking and can perform these techniques from a variety of adversarial perspectives (white-, grey-, black-box)

- Commercial Application Security tools experience (Nessus, Nexpose, Qualys, Appdetective, Appscan, etc.)

- Open source and free tools experience (Kali Linux suite, Metasploit, nmap, airsnort, Wireshark, Burp Suite, Paros, etc.)

- One or more of the following testing certifications: Certified Ethical Hacker (CEH); GIAC Certified Penetration Tester (GPEN); Offensive Security Certified Professional (OSCP); or equivalent development or testing certification (ECSA, CEPT, CPTE, CPTS, etc)

- In addition, one or more of the following governance certifications is preferred: Certified Information Systems Security Professionals- (CISSP ); Certified Information Systems Auditor- (CISA ); Certified Information Security Manager- (CISM)

- Strong leadership and communication skills, technical knowledge, and the ability to write at a "publication" quality level in order to communicate findings and recommendations to the client's senior management

- Must possess a high degree of integrity and confidentiality, as well as the ability to adhere to both company policies and best practices

Technical Requirements:

- Web application penetration testing experience - familiarity with Burp, OWASP Top 10, etc

- Ability to recognize and validate significant findings past initial scanning/recon

- Web Services penetration testing (RESTful, CURL and SOAP)

- API penetration testing experience

- Conducts periodic scans of networks to find and detect vulnerabilities

- Lead scoping engagements by clearly articulating various penetration approaches and methodologies to audiences ranging from highly technical to executive personnel

- Report generation that clearly communicates testing and assessment details, results, and remediation recommendations to clients

- Develop scripts, tools, and methodologies to automate and streamline internal processes and engagements

- Conduct IT application testing, cybersecurity tool and systems analysis, system and network administration, and systems engineering support for the sustainment of information technology systems (mobile application testing, penetration testing, application, security, and hardware testing)

- Conduct cloud penetration testing engagements to assess specific workloads (i.e., AWS, GCP, Azure, containers, or other PaaS and SaaS instances) for vulnerabilities and subsequently attempt to exploit identified weakness after receiving permission from client stakeholders

- Provide recommendations to clients on specific security measures to monitor and protect sensitive data and systems from infiltration and cyber-attacks including response and recovery of a data security breach

- Maintain a firm grasp on the industry and anticipate trends and movements while balancing maturity and timing

- Performs client penetration testing to find any vulnerabilities or weaknesses that might be exploited by a malicious party, using open-source, custom, and commercial testing tools

- Expert knowledge of tools used for wireless, web application, and network security testing

- Working knowledge of CI/CD and SDLC deployment lifecycles and mechanisms

- Motivated self-starter who loves to solve challenging problems and feels comfortable working directly with customers

- Excellent oral, written communication, and presentation skills with an ability to present client security sessions and security workshops to C-Level Executives and non-technical audience

- Highly organized, detail-oriented, excellent time management skills, and able to effectively prioritize tasks in a fast-paced, high-volume, and evolving work environment

- Ability to approach customer and sales requests with a proactive and consultative manner; listen and understand user requests and needs and effectively deliver

- Comfortable managing multiple and changing priorities, and meeting deadlines in an entrepreneurial environment

- Nice to have: Mobile application penetration testing experience

- Nice to have: Cloud penetration testing experience (AWS and Azure)

Soft Skills Requirement:

- Ability to work independently under minimal supervision and within a team.

- Manage project tasks and deadlines within a multi-time zone remote culture.

- 5-10 years of customer-facing consulting experience

- Ability to communicate complex vulnerability results and demonstrate proof of concepts for diverse audiences.

- 5+ years of experience managing a diverse team of technical testers

- Proven experience improving technical quality of the team

- Report regularly to management on improvements and team challenges

- 7-10 years of experience working in a global environment with multiple time zones and adjusting to client needs in other countries

- Ability to train others and improve technical skills of a team