Start date:
01.07.2026
End date:
End of 2026 + option to extend
Type of engagement:
Freelance
Region:
Remote & FFM (Frankfurt) or Berlin
Description:
For an innovative platform project in the energy sector, we are looking on behalf of our client for support as a Security Risk & Compliance Specialist (m/f/d) - Remote & FFM or Berlin. The work is largely remote, with on-site presence by arrangement roughly once a month for a few consecutive days in Frankfurt or Berlin.
Project Description
The team is building an internal platform for software product developers to accelerate the development and delivery of software products that tackle the massive challenges facing the energy sector. The Platform is a service-oriented, cloud-native platform built to provide application teams with self-service capabilities to develop, run and operate their software products. The Platform provides services for application infrastructure, data, service lifecycle management, application build and delivery, as well as services for operating those software products. It is deployed as a hybrid cloud, encompassing both a private cloud and selected public clouds.
General Description
Information Security Risk and Compliance (ISRC) is a vital and independent function that focuses on embedding robust security and compliance practices throughout the product portfolio, platform management and architecture. ISRC consults on designing and managing secure systems for the platform by leading security design, threat modeling and compliance initiatives to ensure a resilient architectural foundation. It ensures that security operations processes enhance platform visibility, and it implements streamlined, effective security workflows for operational integrity. Additionally, ISRC consults with all product lines to integrate DevSecOps practices, emphasizing secure code analysis, supply chain security and automated security testing to deliver robust, secure product development lifecycles. Through these efforts, ISRC ensures comprehensive security and compliance across the ecosystem and fosters trust and reliability in all platform deliverables.
Objective:
Translate control objectives and compliance requirements into actionable technical controls and non-functional requirements (NFRs).
Tasks:
• Derive concrete, best-practice technical controls from high-level control objectives and frameworks (e.g., NIS2, ISO 27001).
• Convert compliance and risk requirements into clear NFRs for product lines and the platform architecture.
• Maintain the NFR category "Security"; give recommendations on the definition of done for control implementation and on testing the effectiveness of the implementation.
• Ensure controls strike the right balance between specificity and flexibility.
• Maintain consistency across product lines while
Objective:
Drive and encourage security review and consulting processes.
Tasks:
• Contribute to Product Release Specification (PRS) workflows by validating security-related inputs.
• Enable the product line security champions and architects to "spread the word" in their respective product lines and ensure they properly implement the requirements in alignment with all ISRC artifacts and governance structures.
• Ensure NFRs and controls are properly reflected in the PRS and related governance steps.
• Provide technical clarification during review cycles.
• Identify gaps or inconsistencies in security-related design decisions.
Objective:
Provide technical guidance to Product Line Security Champions.
Tasks:
• Encourage product line security roles to translate abstract requirements into product-specific implementations.
• Offer hands-on technical guidance when deeper analysis is required.
• Ensure product lines remain the accountable implementation owners.
• Facilitate coordination across product lines on recurring control patterns.
Objective:
Ensure consistent adoption of controls and NFRs.
Tasks:
• Collaborate with architects, product lines and governance teams to ensure consistent control adoption.
• Monitor recurring issues and propose improvements to controls or NFR templates.
• Facilitate communication and enablement activities for new or updated controls.
• Promote a shared understanding of security-by-design principles across teams.
Profile Requirements
The contractor must be a mid-level professional with 3+ years of experience in security architecture, security engineering, cloud security or related fields.
Must-have experience
• Experience with security architecture principles, secure design patterns, DevSecOps and security frameworks.
• Subject-matter-expert (SME) experience in at least one of the following security domains:
• Security Architecture and Design
• Cloud Security
• Identity and Access Management (IAM)
• Application Security
• DevSecOps and Automation
• Incident Response and Resilience
• Cryptography and Data Protection
• Experience translating technical security requirements into actionable designs and documentation.
Must-have language skills
• Fluent English in speech and writing (at least C1).
Preferred experience
• Experience designing and implementing security and compliance controls for platforms.
• Experience with threat modeling methodologies and risk assessment.
• Experience with DevSecOps practices and tools for integrating security into platform development.
• Experience with cloud posture management and detection tooling (CSPM, KSPM, workload protection).
• Good command and understanding of security and compliance standards and frameworks, including ISO/IEC 27001, CSA CCM, BSI IT-Grundschutz, CIS, NIST CSF, NIST OSCAL, etc.
• Experience with sector-specific regulations (e.g., NIS2, CRA, KRITIS, BSI C5, ...).
• Good understanding of the CNCF ecosystem (e.g., Kubernetes, Keycloak, Kyverno, Trivy, etc.).