Responsibilities

• Provide architectural leadership and direction to the teams responsible for platform and application development, with a focus on system wide security, data, operational efficiency, serviceability, and supervision of the secure SDLC.
• Develop, implement, and maintain application security standards, policies, procedures, and best practices that align with risk and control processes
• Define the product security roadmap and lead the process of translating business and technical requirements into robust application/product security solutions that ensure customer information assets are adequately protected with acceptable levels of control.
• Review and approve the architecture and design for various application development project projects, and ensure commitments from partners and stakeholders.
• Collaborate with various stakeholders, such as developers, architects, project managers, and business leaders, to ensure the security of applications and systems throughout their lifecycle.
• Provide senior management-level summary status and feedback to business stakeholders and product management on the security projects.
• Conduct research and development on security innovations, tools, and methodologies in information technology services and help define and document internal, technical, and service processes and procedures. Work on proof-of-concepts and projects to improve the application security tool stack.
• Establish an enterprise security stance through definition of policy, architecture, development, training and awareness, aligning business needs with technology and doing so in a manner which ensures that security is built in.
• Provide thought leadership and a clear, consistent architectural vision across the platform, distributed services, and operations.
• Stay up to date with the latest trends and developments in information and cyber security, and pursue relevant certifications and memberships in information security communities.
• Mentor and coach the developers on security best practices, tools, and techniques. Experience in building and leading a volunteer-based application security champions program from grassroots, and scaling it to multiple product teams is desirable.
• Demonstrate excellent communication, collaboration, and leadership skills, and the ability to influence and educate others on application security best practices and standards.

Qualifications

• Bachelor's degree in computer science, Engineering, or related field, or equivalent work experience.
• Minimum 10 years of software development experience with at least 5 years in security architecture, design, development, assessment, testing, and review across multiple domains and platforms.
• Expertise in architecting and reviewing security solutions for complex applications running in a cloud, multi-tenant environment.
• Experience in cloud platforms such as Google Cloud, AWS or Azure and how to leverage their security features and services.
• Experience in designing and developing large scale On-prem and SaaS applications using various programming languages APIs and frameworks.
• Secure development methodologies such as threat modeling, static source code reviews, dynamic application security assessments, penetration testing, and security best practices.
• Experience in implementation of latest standards and technologies in authentication, authorization, auditing, cryptography, PKI, federation, OAuth, MFA, OIDC, and data security at rest, in transit and in use.
• Strong knowledge of security principles, standards, and best practices, such as OWASP, NIST, ISO, etc.
• Experience with security tools and technologies, such as encryption, authentication, authorization, firewalls, web application firewalls, intrusion detection/prevention systems, vulnerability scanning, penetration testing, etc.
• Experience with secure coding practices, such as threat modeling, code review, static and dynamic analysis, etc.
• Experience with agile development methodologies and DevSecOps practices.
• Excellent communication, collaboration, and leadership skills.
• Desirable certifications such as CISSP, CSSLP, CEH, or similar are preferred.
• Experience in vulnerability management tools and programs is desirable.