Responsibilities:
- Define reusable application security architecture patterns and guardrails.
- Drive secure-by-design by integrating security early in the software architecture lifecycle.
- Advocate risk-based security controls in design authority and technical review forums.
- Partner with IT application architects/engineers to evaluate designs and define aligned application controls.
- Produce application-specific security control architectures and design artifacts for business-critical systems.
- Create reusable implementation guidance and design patterns.
- Develop strategies/plans to enforce security requirements and remediate infrastructure/application risks.
- Liaise with IT delivery/engineering to embed security principles into delivery and architecture reviews.
- Support security aspects of initiatives across architecture, design, implementation, deployment, and operational transition.
- Research/evaluate/test new or updated security technologies and plan implementations.
- Advise in application development/acquisition projects to ensure security requirements/controls are implemented; drive remediation.
- Assess new threats and recommend remedial actions.
- Foster security culture via education and effective security processes.
- Adhere to corporate policies impacting code of conduct, GxP compliance, data security, and SDLC.
- Design security architecture for applications and ensure best practices/regulatory compliance.
- Integrate security into SDLC with DevOps/operations teams.
- Lead application threat modeling and propose design changes to mitigate risks.
Qualifications (Required):
- Bachelor's (9 yrs) OR Master's (8 yrs) OR PhD (4 yrs) in information security or related (IT Audit, Risk Management, Security Architecture).
- Strong ability to assess/communicate security concepts with business and IT stakeholders.
- In-depth SDLC knowledge and secure application development.
- Application security knowledge (OWASP Top 10, SANS/CWE Top 25) and secure coding practices.
- Secure session management, token handling, authentication (OAuth, SAML, OpenID Connect).
- Cryptography, encryption protocols, and PKI.
- Containerization and cloud platforms (Docker, Kubernetes; AWS/Azure/GCP).
- Code analysis and vulnerability scanning tools (e.g., SonarQube, Veracode; Burp Suite, Nessus).
- DevSecOps and securing CI/CD pipelines.
- Self-starter; strong problem-solving/analytics; cross-functional influence.
- Cloud security/risk management including IAM, network security, auditing, secrets/data protection.
- Identity Security (least privilege, separation of duties, Zero Trust).
- Federation and encryption technologies.
- Experience developing/documenting security architecture plans.
- Significant SOX/HIPAA experience with ITGC (audit/remediation/CSV, i.e., computer system validation).
- Strong security frameworks knowledge (e.g., ISO, NIST) and communications/influencing skills.