• Note that the application deadline for this ad may have passed. Read the ad carefully before proceeding with your application.

Group IT's role in Swedbank is to provide the bank with a stable IT operation that is up and running 24 hours per day. Together with Business Areas and Group functions we transform Swedbank into a modern bank both in terms of digitalization as well as way of working. Group IT provides services that are reliable and secure, and that meet customer expectations. We are approximately 600 employees located in Stockholm, Tallinn, Vilnius and Riga.

Swedbank is the bank for the many. As an employer we favour inclusion, support workforce diversity and are leading in gender equality. We welcome all applicants regardless of gender, ethnicity, religion or other conviction, age, gender identity or expression, sexual preference, or disability. To find out more about Swedbank as an employer, visit swedbank.com/work-with-us

About the job

You are the last line of defense before money gets stolen, systems fall victim to sabotage or general mayhem causes the financial system to collapse. You get cases too difficult to handle for anyone else. You hunt for intrusions wherever they are hiding. You push tools beyond their limits, and build your own where they fall short. You gather and share intelligence and experience with your peers at other banks and cryptically named agencies and organizations. You pick apart the kill chain to its core. You protect us every single day. And you make us better, over and over again.

You are part of a large team of security experts. Our cyber security investigators and hunters have your back when the going gets tough and provide full access to their expertise. Our red team puts you on your toes in purple team exercises. Our information security architects keep everyone else on their toes to ensure the bank stays secure. Our information security officers define the policies and frameworks to help the business remain secure. Our identity & security, workplace security, network security and other security teams provide the capabilities so incidents don't occur in the first place.

The work requires interacting and collaborating both cross border and across organizational dimensions, within the bank as well as externally.
Since cyber criminals do not keep business hours, the job includes on-call duties on a scheduled and rotating basis. The frequency is less than one week per month.

What you need to succeed

You:

Exhibit extraordinary integrity and escalate risk issues where the risk/reward tradeoffs are not appropriate
Have a strong personal responsibility
Have at least 5 years' experience with security incident response and/or IT security
Are a coach and educator towards the SOC and other security and business teams within the bank and wider security community
Are comfortable with presenting your work to your peers
Can keep several tasks running in parallel, can work when no clear ruling is available while making the right priority decisions under stressful conditions, and can perform under pressure to deadlines
Are passionate about what you do, show initiative, and are a strong team player, preferably with cross-border experience
Have very good verbal and written communication skills in English

You excel in at least two of the areas listed below and are well versed in at least one additional area:

Computer forensics
Log analysis, with a deep knowledge of log contents, their meaning, SIEM and UEBA tools and how to search for and identify suspicious patterns in them
Windows security incl. PowerShell scripting
Linux and Linux security incl. scripting
Networking and network security (incl. WiFi), such as routing/switching, firewalls, IDS/IPS and network traffic analysis
Threat hunting
Malware analysis and reverse engineering
Software development (e.g. Java and Python) and API threat analysis, incl. custom tool development
Cloud security (private and public)
Threat intelligence
Big data analysis, statistics, R

Bonus areas we are interested in are:

GIAC Cyber Defense or Incident Response And Forensics certification
IACIS certifications, CFR, ISC2 certifications, CEH, CCNA Cyber Ops
PCI DSS
Mobile forensics
Degree in mathematics with a focus on statistics

What you may have worked with previously

Security incident response
CERT/CSIRT/Cyberdefense center
Security Operations Center
Threat intelligence

Potential next steps in your career after this job

IT Security Architect
Information security manager
Chief Information Security Officer

Why work with us?

Jan Willekens, the head of the department, explains:
"As a major bank in the Nordics and Baltic region we are at the forefront of the arms race with crime syndicates and nation states. We are exposed to the most advanced attacks from the best opponents. They innovate, and we innovate. And we defend ourselves successfully. We do this in an environment where the team has a lot of freedom to steer their work, within a context of clear priorities defined in a structured manner. When working with incident response sometimes the floodgates open while it is very quiet at other times. This provides for plenty of time for projects which improve the team and deliver our roadmap. This includes meeting your peers at conferences, participating in exercises, obtaining certifications, etc., but also acting as requirements owner to the rest of the IT organization. Keeping up to date and developing skills is crucial in our business. We can't afford to lag behind our opponents."

We kindly ask you to send in your application in English!

We may begin the selection during the application period, so we welcome your application as soon as possible.

Nothing of interest for you – recommend the job to a friend!

This is a job ad titled "Cyber Security Investigator and Threat Hunter" at the company Swedbank Group IT, published on webbjobb.io on 8 October 2018 at 10:40.
