Head of Application Security Program & Governance, Director

CitiTampa, FL
$170,000 - $300,000Remote

About The Position

This Head of Application Security Program & Governance role sits at the center of Citi's Application Security Management (ASM) function, a specialized capability within the Offensive Security and Vulnerability Management (OSVM) organization reporting directly to the Global Head of OSVM. The position carries enterprise-wide accountability for the strategic direction, governance, and operational performance of five critical AppSec pillars: Static Application Security Testing (SAST), Component Vulnerability Management (CVM), Malicious Code Detection (MCD), Automated Release Vulnerability Assessment (ARVA), and Application Secrets Detection (ASD). This is a rare opportunity for a seasoned application security leader to shape how one of the world's largest financial institutions secures its software development ecosystem at scale. The role demands both deep technical credibility across secure SDLC practices and the executive-level communication skills needed to influence development organizations, senior leadership, and regulatory stakeholders.

Requirements

  • 15+ years of experience in application security, DevSecOps, or secure SDLC program leadership at enterprise scale.
  • 5+ years' experience in people management preferred.
  • Deep knowledge of SAST, Software Composition Analysis (SCA/CVM), and automated security testing, with hands-on experience using tools such as Checkmarx, Black Duck, Snyk, Fortify, or equivalent platforms.
  • Strong understanding of CI/CD pipeline security integration and the enforcement of security gates within build and deployment pipelines.
  • Demonstrated ability to define governance frameworks, security standards, and KRI/metric programs for large-scale secure software development programs.
  • Experience assessing AI's impact on the threat landscape, including AI-assisted vulnerability chaining and accelerated exploit development scenarios.
  • Proven track record leading and mentoring technical teams in a program management or technical leadership capacity.
  • Working knowledge of recognized security frameworks, including SSDF, OWASP SAMM, BSIMM, NIST, ISO 27001, and FFIEC guidelines.
  • Excellent communication skills with demonstrated ability to translate complex security program data into actionable insights for both technical audiences and senior leadership.
  • Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience.

Nice To Haves

  • Experience with malicious code detection, secrets detection, or automated release security gating programs is strongly preferred.
  • Familiarity with AI/ML integration into security tooling, including AI-assisted triage, intelligent rule tuning, and LLM-based developer guidance is preferred.
  • Experience with cloud security testing across AWS, Azure, or GCP, and familiarity with ServiceNow for vulnerability management workflows is preferred.
  • Experience with Dynamic Application Security Testing (DAST) methodologies and their integration into automated CI/CD pipelines is preferred.
  • Master's degree preferred.

Responsibilities

  • Define and drive the multi-year strategic roadmap for ASM program pillars (SAST, CVM, MCD, ARVA, ASD), aligning with Citi's broader OSVM and enterprise cybersecurity strategy.
  • Lead the integration of AI and ML capabilities into ASM operations, including AI-assisted vulnerability triage, intelligent false-positive suppression, and automated remediation workflows.
  • Develop and deploy AI-enhanced developer guidance tools that improve security posture across engineering teams at scale.
  • Continuously assess the adversarial AI threat landscape, including AI-accelerated exploit development and vulnerability chaining techniques.
  • Drive corresponding enhancements to ASM detection, response capabilities, and overall program strategy in response to emerging AI-enabled threats.
  • Own and evolve AppSec governance standards, including exemption management, policy compliance, and regulatory alignment across Citi's software estate.
  • Define Application Security Key Risk Indicators (KRIs) and lead program performance insights, including root cause analysis, trend identification, and continuous improvement reporting.
  • Serve as the primary ASM interface for development organizations, product delivery teams, Information Security partners, enterprise architecture, and senior leadership.
  • Oversee developer and App Manager security training programs, ensuring engineering teams understand their security obligations and are equipped to meet them.
  • Mentor ASM pillar leads, drive cross-pillar coordination, manage program resources, and maintain delivery timelines across ASM initiatives.

Benefits

  • medical, dental & vision coverage
  • 401(k)
  • life, accident, and disability insurance
  • wellness programs
  • paid time off packages, including planned time off (vacation), unplanned time off (sick leave), and paid holidays.
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service