What You’ll Be Doing
- Lead strategy and architecture across Lilly’s Application Security (AppSec) program as a senior technical leader within Security Architecture & Engineering (SAE).
- Provide architectural direction, lead tool evaluation and selection, drive security transformation initiatives, and advise on program-level execution risk.
- Define program-level reference architectures and translate regulatory/compliance requirements into patterns engineers can execute.
Key Responsibilities
- AppSec Strategy & Architecture: Define and maintain Secure SDLC architecture (SAST, DAST, SCA, secrets management, software supply chain); partner to identify program risks/dependencies; translate regulatory/audit requirements into implementable architecture.
- Tool Evaluation & Selection: Lead structured evaluations across SAST/DAST/SCA/pen testing/AI-augmented tools; define criteria, run proofs of concept, assess vendor fit/scale, and recommend to leadership; advise on emerging capabilities.
- Enterprise Platform Security Transformation: Own security architecture during platform transformations; assess migration impact on AppSec controls (gaps in SAST/secrets scanning/CI/CD) and define remediation; embed requirements into sequencing/cutover; define readiness criteria and go/no-go decisions.
- AppSec Execution Support: Guide complex implementations; conduct security reviews; support threat modeling; contribute to Secure SDLC standards and vulnerability management policy.
Your Basic Qualifications
- Bachelor’s in CS/InfoSec/Software Engineering or related field.
- 5+ years in application security, security architecture, or a related discipline.
- Large-scale security/identity/platform migration experience.
- Hands-on GitHub Enterprise (GitHub Actions, CI/CD security controls, IAM patterns).
- Experience evaluating/selecting SAST/DAST/SCA tooling.
- Threat modeling and AppSec fundamentals (OWASP Top 10, CWE, secure coding).
What You Should Bring
- Deep GitHub identity/IAM knowledge (EMU, SAML/OIDC, PAT governance, Actions security).
- AppSec migration impact assessment; strong AppSec fundamentals and vulnerability management.
- Familiarity with AppSec tools (e.g., SAST like Checkmarx or equivalent; DAST/SCA/secrets scanning).
- Ability to create architectural documentation and present risk/recommendations to senior leadership.
- Secrets management and software supply chain security patterns; awareness of AI-augmented security tools.
- Working knowledge of cloud (AWS preferred) and containers.
- Ability to operate as a senior individual contributor (architectural leadership without direct management authority).
Location & Work Flexibility
- Corporate Center (Indianapolis, IN); hybrid (3 days onsite/2 days remote); fully remote may be considered.