Responsibilities:
- Define reusable security architecture patterns and guardrails for high-risk applications.
- Drive secure-by-design initiatives by integrating security early in the architecture lifecycle.
- Represent security architecture in design authority boards and technical review councils with risk-based controls.
- Evaluate application/infrastructure designs with IT stakeholders to define application controls aligned to enterprise standards.
- Define application-specific security control architectures and create design artifacts for business-critical systems.
- Develop reusable implementation guidance and design patterns.
- Partner with security leadership to enforce requirements and address risks in infrastructure and applications.
- Serve as a security architecture liaison to IT delivery/engineering; embed security in delivery and architecture reviews.
- Support business & IT initiatives across architecture, design, implementation, deployment, and operational transition.
- Research, evaluate, design, and test new or updated security technologies.
- Advise on application development and acquisition projects to assess requirements and controls, and drive remediation of identified gaps.
- Assess threats (incl. application threat modeling) and propose design changes to mitigate risks.
Qualifications (Required):
- BS + 9 years OR MS + 8 years OR PhD + 4 years in information security, IT audit, risk management, or security architecture.
- Strong ability to assess and communicate security concepts to business/IT.
- In-depth SDLC knowledge.
- Application security principles (OWASP Top 10, SANS/CWE Top 25) and secure coding.
- Secure session management, token handling, authentication (OAuth, SAML, OpenID Connect).
- Cryptography, encryption protocols, PKI.
- Containerization (Docker, Kubernetes) and cloud (AWS, Azure, GCP).
- Code analysis and vulnerability scanning tools (e.g., SonarQube, Veracode, Burp Suite, Nessus).
- DevSecOps and CI/CD pipeline security.
- Identity security, least privilege, separation of duties, Zero Trust.
- Federation and encryption technologies; security architecture documentation/plans.
- Significant SOX/HIPAA experience with IT general controls.
- Knowledge of security/architecture frameworks (e.g., ISO, NIST) and strong stakeholder influence.