Introduction
At IBM, work is more than a job – it’s a calling: To build. To design. To code. To consult. To think along with clients and sell. To make markets. To invent. To collaborate. Not just to do something better, but to attempt things you’ve never thought possible. Are you ready to lead in this new era of technology and solve some of the world’s most challenging problems? If so, lets talk.

Your Role and Responsibilities
A Security Services Specialist is responsible for evaluating vendors’ cybersecurity practices to identify risks, ensure compliance with standards, review security documentation, and recommend mitigations. They collaborate with stakeholders, monitor third-party activities, and report on risk status.

Required Technical and Professional Expertise
1. Software Development Lifecycle (SDLC) Knowledge
– Familiarity with how software is designed, developed, tested, deployed, and maintained.
2. Regulatory and Compliance Knowledge
– NIST Cybersecurity Framework (CSF)
– Executive Order 14028 (Improving the Nation’s Cybersecurity)
– SPDX or CycloneDX for SBOM formats
3. Risk Management
– Ability to identify and assess risks associated with software components, including vulnerabilities in
third-party libraries.
– Third party cyber risk assessments
4. Communication and Collaboration
– Skills in collaborating with developers, third parties and stakeholders to ensure compliance and
resolve issues.
Technical Expertise:
1. Software Composition Analysis (SCA) Tools
2. Programming and Scripting Languages
– Knowledge of languages like Python, Java, JavaScript, or C++ to trace dependencies and identify
vulnerabilities.
3. Dependency and Package Management
– Experience with package managers (e.g., npm, Maven, Pip, Gradle) and dependency trees.
4. Vulnerability Databases
– Familiarity with CVE (Common Vulnerabilities and Exposures), NVD (National Vulnerability
Database), or OSV (Open Source Vulnerabilities).
5. SBOM Standards and Tools
– SPDX (Software Package Data Exchange)
– CycloneDX
– Experience with tools that generate or analyze SBOMs (Dependency Track)
6. Open Source Software (OSS) Licensing
– Ability to analyze licensing terms and identify compliance issues in OSS components.
7. Security Frameworks
– Knowledge of security best practices (e.g., OWASP Top 10, secure coding standards).

Preferred Technical and Professional Expertise
Cloud and Container Security
– Familiarity with cloud-native and containerized environments (e.g., Docker, Kubernetes).
Database and Data Analysis
– Capability to query and analyze data from SBOM reports or vulnerability scans.
Continuous Integration/Continuous Deployment (CI/CD)
– Understanding of CI/CD pipelines and how SBOMs integrate into DevSecOps workflows