Cyber Security Architect

Job Description
At H&M Group, we are constantly striving to empower our colleagues in protecting our customers, out business and our colleagues against cyber threats. We are now building a team of experienced Cyber Security Architects that will enable our business operation to become secure and resilient.

Company Description
At H&M Group, we believe in making great design available to everyone. It’s essential in everything we do. Our family of brands — H&M, COS, Monki, Weekday, & Other Stories, H&M Home, ARKET, Afound and Itsapark — offer customers around the world a wealth of fashion, beauty, accessories and homeware, as well as modern menus with fresh and local produce at some of the brands’ in-store eateries.
But design is so much more than just products; it’s about clever design processes, efficient product flows, creating experiences that enrich, and smart solutions that benefit all our customers.
Sustainability is always at the core of our business. Not only because we like to do what’s right — but it’s also beneficial for our business. We will continue to push for change and lead the way towards a more inclusive and sustainable fashion future.
Do you want to join us? We will trust you with great responsibility right from the start, reward a passionate mindset and encourage an entrepreneurial spirit. When you start a career with H&M Group, there’s no limit to where it can take you.
About the product area
Cyber security is important for H&M, and we have recently formed the new Cyber Security domain to define and instill a strong cyber security approach across the entire organization. As part of the investment into growing our internal cyber security capability, we are forming a Cyber Security Architecture area that reports to Chief Technology Risk Information Officer. The Cyber Security domain also has teams devoted to Security Engineering, Cyber Defense, Security Advisory and Assessment, Governance, Risk & Compliance, Security Culture and Awareness and regional teams to meet country specific security regulations.
What you will do
The main objective for the Cyber Security Architect is to enable secure and resilient business operations by defining and overseeing the implementation, adoption and effectiveness of security solutions.
To create Business enablement you will:
Contextualize corporate strategic vision and direction; conduct analysis, identify opportunities, understand constraints and define strategic activities related to the Cyber Security domain
Analyse, design, develop and maintain roadmaps and implementation plans to enable future state security capabilities in support of driving targeted business outcomes; ensure organizational resilience, stability and operational excellence
Evaluate and drive continuous improvement and simplification to enhance end-to-end business value. Work across the organisation to lower the total cost of ownership, developing investment plans to reduce technical debt
Develop control mechanisms to support H&M in managing Cyber risks in-line with business risk appetite


To create Architecture enablement, you will:
Develop conceptual and logical architecture designs
Create artefacts that provide target state guidance and enable structured transformation, including:
Security principles and guardrails
Capability models and descriptions
Pattern and anti-pattern descriptions
Future state blueprints
Facilitate and orchestrate the delivery of targeted business outcomes, including:
Drafting, documenting and proposing Architecture Decision Records
Anchoring and ratifying Architecture Decisions
Communicating decisions to impacted stakeholders
Monitoring the adoption, implementation and effectiveness of Architecture Decision Records
Lifecycle managing Architecture Decision Records so that they remain relevant and fit for purpose
Maintaining a registry of security solutions relevant to their domain, including missing or overlapping solutions
Monitoring security capability maturity posture



To create Change enablement, you will:
Identify interdependencies and use ‘holistic thinking’ to ensure cross-team perspective when designing and implementing solutions
Act as a facilitator of complex technical topics that require cross-functional consultation
Communicate security best practice knowledge to the engineering and delivery community to embed security into platforms and products



The persons we are seeking will most likely master multiple security areas, but have deeper and more specialized skills and experience in one of the following: Device security, Application security, Data security, Cloud security, Network security, Secure development and IAM
Just like us you believe in a non-hierarchical culture of collaboration, transparency, and trust. You are a great communicator with information security skills within an international and diverse context.
Skills and opportunities
We work in a constant changing environment and no day is like the other. Therefore, we believe you thrive from working in a not yet formalized environment where anything and everything can happen. This is a great opportunity to contribute with your wide IT and Information Security background as well as experience from lifting the security competence in an agile organization.
On top of your security knowledge and skills, you have true people skills that will allow you to support teams with empathy and drive long-lasting behavior change. You have the ability to take responsibility, work proactively and continuously improve activities in complex, quickly transforming environments.
Your interest in the IT and Information security world will totally blow us away, and your skills as an Architect is unmatched.
You are probably currently working with Cyber security within the retail, manufacturing or e-com industry and have done so for the last 8-10 years. You have a strong analytical ability with a strong overview of the outcome of every communication initiative. Degrees are great, but we believe your skillset compliments and enhances your educational background.
Mandatory requirements, both competence and tools:
Knowledge and awareness sharing within the security team concerning Security Architecture, Zero Trust Security Principles, Azure and Google Cloud Security Components
Certified with either or, or a combination of: CISSP, CISSP-ISSAP, CCSA, SABSA, AZ-305, AZ-900, SANS GIAC, CISM, CISA