Director of Application Security

SimplePractice
$176,000 - $220,000

About The Position

SimplePractice is a leading practice management platform for health & wellness professionals. We are dedicated to empowering practitioners to run their businesses more efficiently and securely. We are seeking a strategic and experienced Director of Application Security to lead, build, and scale our Application Security program across the entire organization. In this leadership role, you will be responsible for defining the application security strategy, managing a team (or scaling a team), setting technical direction, and ensuring robust security practices are integrated throughout the software development lifecycle (SDLC). You will be a key leader in mitigating risk, ensuring compliance with complex healthcare regulations, and advancing our mission of securely empowering health & wellness professionals.

About You

You are a seasoned security leader with a proven track record of establishing and maturing comprehensive Application Security programs. You possess deep expertise in application vulnerabilities, defensive architectures, and security automation. You are a strategic thinker who can translate business needs and regulatory requirements into an executable security roadmap, and you excel at partnering with executive leadership, product, and engineering teams to build repeatable, predictable application security solutions addressing modern threats.

Requirements

  • 8+ years of experience in Information Security, with at least 3+ years in a senior or leadership role establishing and running a modern Application Security program
  • Proven ability to define, communicate, and execute a multi-year Application Security strategy and roadmap
  • Demonstrated experience managing or mentoring security engineers and growing technical teams
  • Deep technical understanding of application security architectures, secure development lifecycles (SDLC), and modern security automation/DevSecOps practices
  • Expertise in common application vulnerabilities and threat modeling methodologies
  • Demonstrated experience managing security in a regulated environment (e.g., healthcare, finance), with deep knowledge of compliance frameworks like HIPAA, HITRUST, PCI
  • Strong background with cloud technologies (AWS, GCP, or Azure), containerization (Docker/Kubernetes), and serverless architectures
  • Exceptional leadership, communication, and interpersonal skills, with the ability to influence technical and non-technical stakeholders up to the executive level

Nice To Haves

  • Bachelor’s or Master's degree in Computer Science, Cybersecurity, or a related field
  • Relevant industry certification (e.g., CISSP, CSSLP, CISM)
  • Direct experience leading Application Security efforts in the healthcare technology sector
  • Experience selecting, negotiating, and managing complex third-party application security tools (SAST/DAST/SCA)
  • Experience with building security into AI security products

Responsibilities

  • Define, communicate, and execute the long-term vision, strategy, and roadmap for the Application Security program, aligning it with business objectives and regulatory requirements (e.g., HIPAA, HITRUST, PCI)
  • Act as player/coach for our Application Security team, fostering a culture of ownership, continuous improvement, and deep technical partnership with engineering
  • Develop and manage the Application Security budget, selecting and overseeing the deployment of essential security tools and technologies (SAST, DAST, SCA, IAST, etc.)
  • Drive the adoption of secure development practices, secure coding standards, and security design principles across all product and engineering teams
  • Serve as the primary subject matter expert for application security across the organization, advising C-level and senior leadership on risks and mitigation strategies
  • Oversee and guide the application security architecture process, ensuring security is built into the design of web applications, APIs, and microservices from the ground up
  • Establish and formalize the application-level threat modeling program to proactively identify and prioritize risks across the product portfolio
  • Develop comprehensive metrics and reporting to track the organization's application security posture, vulnerability remediation progress, and program effectiveness for executive review
  • Lead the application-focused incident response strategy, ensuring effective communication, root cause analysis, and the implementation of robust preventative controls post-incident
  • Lead threat modeling efforts for our AI product suite
  • Define and enforce the security standards and controls specifically tailored for our existing and emerging AI/ML features, including agentic AI solutions, to mitigate risks such as prompt injection, model poisoning, and data leakage
  • Collaborate closely with Data Science and Engineering teams to integrate MLOps security practices (SecMLOps), ensuring secure data handling, model integrity verification, and secure deployment pipelines for all AI components
  • Implement and manage security testing methodologies (e.g., adversarial testing, data drift monitoring) specific to machine learning models and related APIs
  • Partner with legal and compliance teams to ensure ethical and secure use of AI, ensuring compliance with relevant security, privacy, and regulatory requirements specific to AI/ML applications in healthcare
  • Champion DevSecOps principles, overseeing the integration of automated security testing and controls directly into CI/CD pipelines and engineering workflows
  • Partner with engineering leadership to implement tooling and educational initiatives that enable developers to efficiently write and deploy secure code at scale in the age of AI
  • Ensure the Application Security program meets all applicable regulatory and contractual obligations (e.g., HIPAA, HITRUST, PCI)
  • Oversee third-party vendor security assessments, focusing on the security and data protection posture of integrated applications and services
  • Act as the key liaison for all application security matters during customer security reviews, regulatory audits, and compliance activities

Benefits

  • Medical, dental, vision, life & disability insurance
  • 401(k) plan with company match
  • Flexible Time Off (FTO), wellbeing days, paid holidays, and summer Fridays
  • Mental health resources
  • Paid parental leave & Backup Care
  • Tuition reimbursement
  • Employee Resource Groups (ERGs)