Responsibilities:
- Define reusable security architecture patterns and guardrails for high-risk applications.
- Drive secure-by-design initiatives early in the software architecture lifecycle.
- Advocate for risk-based security controls in design authority boards and technical review councils.
- Partner with IT customers to evaluate designs and define application controls aligned to enterprise standards.
- Produce application-specific security control architectures and design artifacts for business-critical systems.
- Create reusable implementation guidance and design patterns to scale.
- Develop strategies/plans with security leadership to enforce security requirements and address risks.
- Serve as security architecture liaison to IT delivery/engineering; embed security into delivery and architecture reviews.
- Support business & IT initiatives across architecture, design, implementation, deployment, and operational transition.
- Research, evaluate, design, test, and recommend new/updated security technologies.
- Advise on application development/acquisition to ensure security requirements and planned controls are implemented; drive remediation.
- Research and assess threats; recommend remedial actions.
- Foster security culture via education and effective security processes.
- Design application security architecture meeting best practices and regulatory compliance.
- Integrate security into SDLC with DevOps/operations; lead application threat modeling and propose mitigations.
Qualifications:
Required:
- Bachelor's + 9 yrs OR Master's + 8 yrs OR PhD + 4 yrs in information security/security architecture, IT audit, or risk management.
- Strong ability to assess/communicate with business and IT stakeholders.
- Deep knowledge of SDLC and secure application development; OWASP Top 10, SANS/CWE Top 25, secure coding.
- Expertise in session management, token handling, and auth (OAuth, SAML, OpenID Connect).
- Knowledge of cryptography/encryption/PKI.
- Experience with Docker/Kubernetes and AWS/Azure/GCP.
- Familiarity with SonarQube/Veracode and Burp Suite/Nessus.
- DevSecOps and securing CI/CD pipelines.
- Self-starter; strong problem-solving/analytical skills.
- Cross-functional influence; strong communications.
- Cloud security/risk management, container/Kubernetes security, IAM, network security, auditing, secrets management, data protection, and CI/CD security.
- Identity security (least privilege, separation of duties, Zero Trust).
- Federation (WS-Fed, OAuth, OIDC, SAML) and encryption standards.
- Experience developing and documenting security architecture/strategies (strategic/tactical/project).
- Significant SOX & HIPAA experience with ITGC via audit/remediation/validation.
- Knowledge of ISO/NIST frameworks.