Sr. Principal Security Engineer, Application Security Strategy & Architecture

Eli Lilly and Company
June 29, 2026
Remote friendly (Indianapolis, IN)
United States
IT
What You’ll Be Doing
- Lead security strategy and architecture for Lilly’s Application Security (AppSec) program as a senior technical leader within Security Architecture & Engineering (SAE).
- Provide architectural direction, lead security tool evaluation/selection, drive AppSec transformation initiatives, and advise on program-level execution risk.

Key Responsibilities
- AppSec Strategy & Architecture: Define/maintain Secure SDLC architecture (SAST, DAST, SCA, secrets management, software supply chain). Partner to identify program-level risks/dependencies. Translate regulatory/compliance/audit requirements into implementable architecture.
- Tool Evaluation & Selection: Lead structured evaluations for SAST/DAST/SCA/pen testing/AI security tools; define criteria, run POCs, assess vendors, and recommend to leadership.
- Enterprise Platform Security Transformation: Own AppSec security architecture for platform migrations; assess control gaps (e.g., SAST/secrets/CI-CD), define remediation, embed requirements in sequencing/cutover, and set readiness/go-no-go criteria.
- AppSec Execution Support: Guide AppSec engineers, conduct security reviews, support threat modeling, and contribute to Secure SDLC standards/vulnerability management policy.

Your Basic Qualifications
- Bachelor’s degree in CS/InfoSec/Software Engineering or related.
- 5+ years in application security, security architecture, or related.
- Experience leading large-scale security/identity/platform migrations.
- Hands-on GitHub Enterprise (GitHub Actions, CI/CD security, IAM patterns).
- Experience evaluating/selecting enterprise security tooling (SAST/DAST/SCA).
- Threat modeling and fundamentals (OWASP Top 10, CWE, secure coding).

What You Should Bring (Preferred)
- Deep GitHub identity model knowledge (EMU, SAML/OIDC, PAT governance, Actions security).
- AppSec tooling ecosystem knowledge (e.g., Checkmarx or equivalent SAST).
- Secrets management, software supply chain security, AI-augmented security evaluation.
- Cloud/security architecture knowledge (AWS preferred) and containerized workloads.

Location & Work Flexibility
- Indianapolis, IN corporate center. Hybrid: 3 days onsite / 2 days remote; fully remote candidates may be considered.

Compensation & Benefits (as stated)
- Anticipated pay: $126,000–$224,400; may be eligible for company bonus.
- 401(k), pension, vacation; medical/dental/vision/prescription; flexible benefits; life insurance; time off/leave; well-being benefits (e.g., EAP, fitness, clubs).