About the position
At Medtronic, we bring bold ideas forward with speed and decisiveness to put patients first in everything we do. In-person exchanges are invaluable to our work. We're working onsite 4 days a week as part of our commitment to fostering a culture of professional growth and cross-functional collaboration as we work together to engineer the extraordinary. In your role, you may work from one of the following Medtronic sites: Mounds View, Minnesota; Lafayette, Colorado; Fridley, Minnesota (OHQ); Irvine, California (UCI); Rice Creek, Minnesota; Jacksonville, Florida; Boston, Massachusetts. The Manager of Application Security leads the organization's efforts to secure applications across the software development lifecycle (SDLC). This role collaborates with engineering, DevOps, and product teams to embed security best practices into design, development, and deployment processes. The manager is responsible for defining the application security strategy, leading security reviews, overseeing threat modeling, and managing security tools and programs like SAST, DAST, SCA, and bug bounty initiatives.
Responsibilities
- Lead the application security strategy and team, integrating security into the software development lifecycle and CI/CD pipelines.
- Oversee the implementation and management of security tools, secure coding practices, threat modeling, and vulnerability remediation efforts.
- Manage vendor contracts and relationships for security tools and services, including contract negotiation, compliance, and performance tracking.
- Develop, implement, and continuously improve the organization's application security program and roadmap.
- Lead and mentor a team of application security engineers and analysts.
- Collaborate with development, DevOps, and product teams to integrate security controls into CI/CD pipelines and software development practices (DevSecOps).
- Conduct threat modeling, secure code reviews, and vulnerability assessments.
- Manage and optimize application security tools (e.g., SAST, DAST, SCA, RASP, WAF, container scanning).
- Oversee the evaluation, selection, onboarding, and management of third-party security vendors and tools.
- Manage vendor relationships, including negotiating contracts, setting service-level agreements (SLAs), and tracking performance against KPIs.
- Ensure all third-party security tools and services comply with legal, procurement, and cybersecurity policy requirements.
- Review and assess vendor security practices as part of risk management and due diligence.
- Partner with internal stakeholders (Legal, Procurement, Finance) to manage contract renewals, budget forecasting, and spend tracking related to security services.
- Partner with internal teams to prioritize and remediate vulnerabilities discovered through testing, bug bounty, or vendor reports.
- Develop secure coding standards and deliver developer training to promote secure development practices.
- Track, report, and present application security KPIs to leadership.
- Stay current with evolving threats, vulnerabilities, and application security trends.
- Contribute to incident response efforts when application-related security incidents occur.
Requirements
- Bachelor's degree
- 5+ years of experience with a bachelor's degree or 3+ years of experience with an advanced degree
Nice-to-haves
- Strong understanding of Cyber Security NIST frameworks, OWASP
- Strong communication skills to upper management and leadership
- Strong ability to collaborate with other IT organizations and business partners
- Experience managing a third-party vendor contracts
- Expert in agile work processes
- Strategic thinker
- Professional certifications such as CISSP, CSSLP, GWAPT, or OSWE.
- Experience with DevSecOps practices and tools in a cloud-native environment (AWS, Azure, GCP).
- Experience working in Agile or DevOps environments.
Benefits
- Health, Dental and vision insurance
- Health Savings Account
- Healthcare Flexible Spending Account
- Life insurance
- Long-term disability leave
- Dependent daycare spending account
- Tuition assistance/reimbursement
- Simple Steps (global well-being program)
- Incentive plans
- 401(k) plan plus employer contribution and match
- Short-term disability
- Paid time off
- Paid holidays
- Employee Stock Purchase Plan
- Employee Assistance Program
- Non-qualified Retirement Plan Supplement
- Capital Accumulation Plan
