Senior Lead Technology Risk Officer - Application Domain, SDLC, DevOps and AI

Wells Fargo & Company
Charlotte, NC
$159,000 - $254,000
Hybrid

About The Position

The Application Risk Domain Officer operates within Technology Risk Management (TRM), part of Corporate Risk, providing independent second‑line oversight across application domains. The role is part of the Information Security and Application Risk Domain Team, which performs domain‑level evaluation and produces evidence‑based views of how application conditions contribute to enterprise risk exposure. The role engages with Technology, including Tech Operations and CIO organizations, to provide challenge and inform risk‑based decisions. Outputs from this role support enterprise risk views provided to senior management, risk committees, and regulators.

The Application Risk Domain Officer (P5) serves as the senior second-line oversight lead across assigned domains. The officer is a deeply technical individual contributor who provides expert second-line risk oversight across modern software engineering environments and has responsibility across the application risk domain. This role requires hands-on understanding of secure SDLC, CI/CD, infrastructure as code, cloud-native platforms, developer tooling, software supply chain controls, and AI-enabled engineering workflows.

The role is responsible for setting direction for domain-level risk assessment and monitoring approaches, identifying and assessing plausible failure modes, and evaluating how those failures contribute to enterprise technology risk exposure. An individual in this role must be able to engage engineering teams with technical credibility, serve as a thought leader, and partner closely with first-line engineering and technology teams to deconstruct complex delivery patterns into concrete risk and control considerations and translate technical observations into clear, decision-ready risk insight for senior stakeholders.

Requirements

  • 7+ years of Technology Risk experience, or equivalent demonstrated through one or a combination of the following: work experience, training, military experience, education.

Nice To Haves

  • 7+ years of experience spanning software engineering, DevSecOps, platform engineering, cloud engineering, application security, with direct experience in technology risk, technology controls, or second-line risk oversight in complex technological environments.
  • Deep hands-on knowledge of modern SDLC and DevOps practices, including source control, code review, branching and release strategies, CI/CD design, automated testing, deployment automation, and production change controls.
  • Experience performing technical risk assessments, control evaluations, and credible challenge across SDLC, DevOps, software supply chain, cloud, and AI-enabled engineering environments to translate findings into concise risk narratives, control gaps, remediation expectations, and executive reporting.
  • Ability to read and interpret architecture patterns, deployment designs, control implementations, technical standards, and engineering evidence with sufficient depth to challenge first-line technical decisions.
  • Experience with AI governance and controls, or model risk concepts as applied to engineering productivity tools, agentic workflows, or AI-assisted software delivery, and the risks associated with them.
  • Strong judgment, analytical rigor, and communication skills with the ability to influence senior stakeholders while maintaining credibility with technical teams.
  • Knowledge of industry frameworks and guidance relevant to technology and security risk, such as NIST, SSDF, COBIT, FFIEC guidance, ISO 27001, or similar frameworks.
  • Strong technical understanding of developer platforms and engineering toolchains, including technologies such as GitHub or GitLab, Jenkins or Azure DevOps, artifact repositories, package managers, Terraform, containers, Kubernetes, and major cloud platforms.
  • Hands-on familiarity with engineering and security tooling used in modern delivery environments, including static and dynamic analysis, software composition analysis, container security, CSPM, CI/CD security controls, and observability platforms.
  • Prior experience in financial services, highly regulated environments, or large-scale enterprise engineering organizations with complex control and resilience expectations.
  • Relevant certifications such as CISSP, CISM, CRISC, CISA, CCSP, cloud provider certifications, Kubernetes certifications, or secure software lifecycle credentials.
  • Experience evaluating or implementing controls for secure build systems, software supply chain security, policy-as-code, secrets management, release orchestration, and cloud-native delivery pipelines.
  • Demonstrated expertise assessing build and release integrity, secrets management, privileged automation, infrastructure as code, and runtime control effectiveness in complex engineering environments.

Responsibilities

  • Provide expert second-line oversight of modern engineering practices, including application architecture patterns, secure SDLC, CI/CD, DevSecOps, platform engineering, infrastructure as code, containerized workloads, and production release controls.
  • Own second-line technology risk coverage and provide thought leadership across the application risk domain, partnering closely with first-line engineering, controls and technology teams to drive consistent oversight of application architecture, development practices, deployment pipelines, and supporting engineering controls.
  • Perform technically rigorous assessments of source control workflows, branching strategies, build systems, test automation, artifact repositories, package dependencies, deployment orchestration, and runtime platform configurations to identify control weaknesses and systemic risk.
  • Evaluate the integrity of software delivery pipelines end to end, including code provenance, pipeline trust boundaries, secrets handling, approval models, environment segregation, artifact immutability, and rollback or recovery capabilities.
  • Lead deep-dive technical risk reviews of complex delivery environments and modernization programs, converting architecture, pipeline, and operational observations into clear risk statements, root causes, and targeted remediation expectations.
  • Analyze developer ecosystems and engineering tool chains at a practitioner level, including repositories, CI runners, build agents, package managers, IaC frameworks, containers, Kubernetes, cloud services, and observability stacks.
  • Evaluate AI-enabled engineering capabilities, including code assistants, prompt-based development workflows, automated test generation, agentic tooling, and model-integrated developer platforms, with emphasis on data exposure, unsafe code generation, traceability, and human review requirements.
  • Review design and implementation patterns for application and platform controls, such as policy-as-code, secrets management, service identity, environment hardening, logging, monitoring, drift detection, and release gating.
  • Develop technically meaningful risk indicators and challenge metrics for SDLC, DevOps, and AI-enabled engineering, such as deployment control exceptions, pipeline bypasses, privileged access patterns, dependency exposure, control coverage gaps, and remediation aging.
  • Serve as a trusted technical risk partner to engineering, security, architecture, and control teams by applying expert discipline knowledge to high-impact decisions and shaping resilient engineering practices across the enterprise.

Benefits

  • robust benefits
  • competitive compensation
  • programs designed to help you find work-life balance and well-being
  • rewarded for investing in your community
  • celebrated for being your authentic self
  • empowered to grow