Responsibilities:
- Define reusable security architecture patterns and guardrails for consistent secure implementation across high-risk applications.
- Drive secure-by-design initiatives by integrating security early in the software architecture lifecycle.
- Advocate for risk-based security controls in design authority and technical review forums.
- Partner with IT customers to evaluate application/infrastructure designs and define application controls aligned with enterprise standards.
- Define application-specific security control architectures and create design artifacts for business-critical systems.
- Produce reusable implementation guidance and design patterns to scale efforts.
- Develop strategies and plans to enforce security requirements and address identified risks in infrastructure and applications.
- Serve as a security architecture liaison to IT delivery and engineering teams; embed security principles in delivery and architecture reviews.
- Support business & IT initiatives across architecture, design, implementation, deployment, and operational transition of secure technology solutions.
- Research, evaluate, test, recommend, and plan implementation of new/updated information security technologies.
- Advise on application development/acquisition projects to assess security requirements/controls and ensure planned implementation; drive remediation for compliance/security gaps.
- Research and assess new information security threats and recommend remedial actions.
- Foster security culture via education and effective security processes.
- Ensure adherence to applicable policies and the software development lifecycle.
- Design application security architecture aligned to best practices and regulatory compliance.
- Integrate security into SDLC with software development, DevOps, and operations teams.
- Lead application threat modeling and propose design changes to mitigate risks.
Qualifications (Required):
- Bachelor's degree with 9 years, Master's degree with 8 years, or PhD with 4 years of experience in information security or a related field (IT audit, risk management, security architecture).
- Strong ability to assess and communicate security concepts to business and IT stakeholders.
- In-depth knowledge of the SDLC and of application development alternatives.
- Proven experience implementing secure technology.
- Application security principles (OWASP Top 10, SANS/CWE Top 25, secure coding).
- Secure session management, token handling, and authentication (OAuth, SAML, OpenID Connect).
- Cryptographic practices, encryption protocols, and PKI management.
- Containerization (Docker, Kubernetes) and cloud platforms (AWS, Azure, GCP).
- Code analysis and vulnerability scanning tools (e.g., SonarQube, Veracode, Burp Suite, Nessus).
- DevSecOps, including CI/CD pipeline security.
- Self-starter; manage multiple projects independently.
- Problem-solving/analytical skills to identify risks and propose solutions.
- Cross-functional collaboration and influence.
- Cloud and security domains (virtualization, microservices, serverless; IAM, network security, auditing, secrets management, data protection; CI/CD security).
- Identity security (least privilege, separation of duties, Zero Trust).
- Federation and encryption technologies (WS-Fed, OAuth, OIDC, SAML; encryption standards/protocols).
- Experience developing/documenting security architecture plans.
- Significant SOX and HIPAA experience with IT general controls (ITGC).
- Strong understanding of security/architecture trends and market solutions.
- Excellent communication and stakeholder influence.
- Security frameworks (ISO, NIST) and ability to balance academic/pragmatic approaches.