SVP - Application Security Tech Lead

Description:

The position is a cross-functional role that will be responsible for various Application Security program initiatives.  The position reports directly to the Application Security Program Director.  The successful candidate must be an individual who understands modern software development trends, understands engineering-led software security practices, and keeps up with the evolving cyber security threat landscape.

The successful candidate will liaise with internal groups and our regional partners to ensure that program deliverables are met.

Success in the role requires an innovative mind, a proven track record of delivering solutions that meet security needs, integrate application security into our DevOps pipeline, automate security as code and enable successful detection and response to any and all threats in our environment. The individual will work closely with SDLC program to contribute to defining application security testing standards and policies.  Responsibilities include defining testing services and methodologies (be they tool-based and/or manual) in the early SSDLC lifecycle.  The primary focus will address testing needs within development organizations striving for continuous deployment and using automated security tooling including SAST, DAST, SCA, ASPM, Secrets Scanning, etc.. Within his/her leadership role, this individual is expected to mentor team members, set direction and lead execution of services as a hand-on participant.

Key Responsibilities:

The candidate will be responsible for the aspects of the Application Security Program initiatives including but not limited to the following:

• Establish/manage multiple security programs that support the security testing requirements at the bank
• Forging and maintaining strong working relationships with development functions/teams, product delivery teams, project management, third party management, enterprise architecture, audit teams, etc.
• Participate in security and technology strategic planning to ensure identified risk governance is incorporated into the CISO enterprise strategy.
• In partnership with business sectors,  run delegate action groups to provide recommendations to strengthen  development processes and security testing
• Appropriately assess risk and provide software security advice when business decisions are made
• Interface with Application Security Program Team  to oversee Program Projects and Initiatives and make strategic recommendations to senior manager on standards and policy changes

Qualifications

• Experience or deep knowledge of key activities within software security group such Threat Modeling / Application Risk Assessment, Vulnerability Assessments, Governance and Metrics, Training, etc.
• Pre-requisites for this position are a Bachelor's Degree with 4 - 6 years' experience in web application development or application code review
• Experience must include experience as a technical lead or manager
• Knowledge of cloud computing concepts and DevOps tools (OpenShift, Kubernetes, Docker, Chef, etc)
• Experience using or testing cloud platforms (AWS, Google, Azure, etc)  and security in/of the cloud
• Understanding of security, web-based and infrastructure vulnerabilities is required 
• Experience in source code management, build and deployment technologies such as RLM, Ueploy, Jenkins, Artifactory, Maven, GitHub, etc
• Experience conducting vulnerability assessments and articulating security issues to technical and non-technical audience.
• Understanding of Snyk, Checkmarx, CDXGen, Dependency Track, Fortify, GitHub Adcance Security, Sonatype or Black Duck platform is a plus.
• Knowledge of tools and processes used to expose common vulnerabilities and implement countermeasures is expected.
• Excellent communication skills (written and verbal) and the ability to communicate with all levels of staff and management are also essential.
• Demonstrated knowledge of recognized security industry standards and leading practices (e.g., FFIEC, NIST, C2M2, ISO)
• Relevant professional certifications: GIAC, CISA, CISM, CRISC, CISSP or equivalent desiredEffective strategic planning and execution abilities with exceptional planning, organizaDemonstratvanced and functional understanding of Security industry operations, technologies and sses.

Education:

• Bachelor’s degree/University degree or equivalent experience
• Master’s degree preferred

------------------------------------------------------

Job Family Group:

------------------------------------------------------

Job Family:

------------------------------------------------------

Time Type:

------------------------------------------------------

Citi is an equal opportunity employer, and qualified candidates will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other characteristic protected by law.

If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi.

View Citi’s EEO Policy Statement and the Know Your Rights poster.