SMBC Group is a top-tier global financial group. Headquartered in Tokyo and with a 400-year history, SMBC Group offers a diverse range of financial services, including banking, leasing, securities, credit cards, and consumer finance. The Group has more than 130 offices and 80,000 employees worldwide in nearly 40 countries. Sumitomo Mitsui Financial Group, Inc. (SMFG) is the holding company of SMBC Group, which is one of the three largest banking groups in Japan. SMFG’s shares trade on the Tokyo, Nagoya, and New York (NYSE: SMFG) stock exchanges.

In the Americas, SMBC Group has a presence in the US, Canada, Mexico, Brazil, Chile, Colombia, and Peru. Backed by the capital strength of SMBC Group and the value of its relationships in Asia, the Group offers a range of commercial and investment banking services to its corporate, institutional, and municipal clients. It connects a diverse client base to local markets and the organization’s extensive global network. The Group’s operating companies in the Americas include Sumitomo Mitsui Banking Corp. (SMBC), SMBC Nikko Securities America, Inc., SMBC Capital Markets, Inc., SMBC MANUBANK, JRI America, Inc., SMBC Leasing and Finance, Inc., Banco Sumitomo Mitsui Brasileiro S.A., and Sumitomo Mitsui Finance and Leasing Co., Ltd.

The anticipated salary range for this role is between $103,000.00 and $117,000.00. The specific salary offered to an applicant will be based on their individual qualifications, experiences, and an analysis of the current compensation paid in their geography and the market for similar roles at the time of hire. The role may also be eligible for an annual discretionary incentive award. In addition to cash compensation, SMBC offers a competitive portfolio of benefits to its employees.

Role Description

The Security Testing Engineer will be responsible for executing within our Cyber Resilience Exercise program designed to increase cyber resilience capabilities and preparedness across various businesses, group companies, and functions of the bank. You will be responsible web application and network penetration testing; and issue management. In this role you will support partnerships for exercises such as cyber scenario exercising and cyber incident management.

Reporting into the Information Security, Cyber & Operational Resilience office, the Security Testing Engineer supports the 1st Line of Defense (LOD) Information Security Group Department Americas Division’s (GPDAD) and 14 group companies managing activities related to Cyber Resilience security testing in accordance with applicable regulations, Head Office policies and industry practices for Information Security and Operational Resilience.

Role Objectives

• Analyze IT (Information Technology) infrastructure, systems, and applications for susceptibility to various security exploits and threats. Recommend best practices to mitigate vulnerabilities and partner with IT colleagues to implement fixes. Develop and manage processes for validating and testing security policy, such as routine scans, application exploit tests, social engineering simulations, and network penetration testing.

• Create reports based on findings, identify remediation steps, and disseminate them to stakeholders.

• Perform in-depth analysis and testing on new systems, vendor connections, applications, and implemented vulnerability patches.

• Manage and update testing and validation infrastructure, vendors, and practices. Maintain documentation for testing practices and validation policy.

• Support the development of security policy and practices to provide a holistic and proactive posture against vulnerabilities and exploits.

• Partner in and understand the impacts and plans associated with resilience of cyber threats and risks.

• Works with business/function/entity to increase awareness of Cyber Resilience. Provides input to IT, cybersecurity, and operational resiliency risk trainings bank wide.

• Partner with IT infrastructure and development teams to identify systems and applications for potential exploits and conduct testing and validation of code to ensure it conforms to security standards.

• Understands changes related to regulatory, new product/initiative, processes, controls, events, issues, etc., in the IT, data management, and cybersecurity domains that may impact the operational risk profile of the bank.

• Provides reporting to Information Security and business senior management.

• Engage with end-user security training team to develop curriculum and focus training on the most impactful practices and policies and update according to trending threats and exploits.

• Work with business units to understand their current processes and advise on adjustments that could be made to improve overall security. Analyze requests for exceptions where needed and suggest appropriate structuring to balance both security and operational efficiency.

Qualifications and Skills

• Demonstrate an advanced understanding of cyber security concepts with knowledge of vulnerabilities and how they function, security and defensive posturing best practices, and threat assessment and remediation techniques.

• Should either hold or be working towards professional certification in cyber security penetration testing.

• Display knowledge of tools and frameworks used to conduct penetration testing, application code validation, and systems to enable real-time threat monitoring.

• Possess knowledge of common network and data exchange protocols, hardware operating systems, and security infrastructure.

• Show communication skills needed to effectively convey security policies and rational to business units.

• Exhibit ability to coordinate the efforts of multiple teams and stakeholders during penetration tests, implementing vulnerability patches, and in response to security incidents.

• 1-3 years of direct work experience within the financial services industry with focus on DAST, SAST, IAST, Network or Web Application Penetration

• Working knowledge of technology and cyber risk management process and controls, industry practices, and frameworks (e.g., NIST (National Institute of Standards and Technology) 800-53, ISO 27001).

• Detail oriented, with proven ability to question the status quo and apply resilience activities to enhance capabilities, as appropriate.

• Strong organizational skills, with proven ability to successfully manage multiple, concurrent priorities.

• Ability to communicate and work effectively in a matrixed environment and across various organizational levels, where flexibility, collaboration, and adaptability are important at all levels.

• Foundational knowledge of banking laws and regulations. (FFIEC, NYDFS, BCBS, FCA, PRA, BoE, etc.)

• Maintain a technical cyber threat mindset to understand underlying risks and weaknesses to properly assist in mitigating and enhancement activities.

• Desire to continually deliver a quality and meaningful work product in a timely and efficient manner.

• BA/BS in Computer Engineering, Computer Science, Information Systems, Cyber Security, Business Administration, or demonstrated relevant industry background and/or military experience.

• CISSP, CCRP (Certified Cyber Resilience Professional), CEH (Certified Ethical Hacker), GIAC, or other Cyber Incident Response or Penetration Testing certifications preferred.

Additional Requirements

SMBC’s employees participate in a Hybrid workforce model that provides employees with an opportunity to work from home, as well as, from an SMBC office. SMBC requires that employees live within a reasonable commuting distance of their office location. Prospective candidates will learn more about their specific hybrid work schedule during their interview process. Hybrid work may not be permitted for certain roles, including, for example, certain FINRA-registered roles for which in-office attendance for the entire workweek is required.

We are an equal employment opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, national origin, disability status, protected veteran status or any other characteristic protected by law. SMBC provides reasonable accommodations for employees and applicants with disabilities consistent with applicable law. If you need a reasonable accommodation during the application process, please let us know at accommodations@smbcgroup.com.