Sr. DevSecOps Engineer, Information Security

Peoples Group, Vancouver, BC
CA$125,000 - CA$145,000 (Hybrid)

About The Position

We are hiring a Senior DevSecOps Engineer with 8–10+ years of experience, deep multi-cloud expertise (AWS + Azure), strong Terraform skills, and the ability to drive technical strategy across a regulated financial institution. This is a senior individual contributor role. You’ll set technical direction for DevSecOps, partner with the AVP of Corporate Information Security on strategy, mentor and grow the team, and personally own the hardest pieces of work. You’ll be a primary point of contact for engineering leadership, audit, and external regulators when DevSecOps topics come up.

Requirements

  • 8–10+ years of experience
  • Deep multi-cloud expertise (AWS + Azure)
  • Strong Terraform skills
  • Ability to drive technical strategy across a regulated financial institution

Nice To Haves

  • Canadian regulated financial services experience (banking, trust company, credit union, fintech sponsor bank).
  • Active certifications: CISSP, CCSP, OSCP/CPTS, AWS Security Specialty, Azure SC-100, AZ-500, AZ-400, CKS, HashiCorp Terraform Associate/Pro.
  • Prior Security Centre of Excellence experience: stood one up, or served as the lead engineer inside one.
  • Supply-chain security: Sigstore, in-toto, SLSA, SBOM (CycloneDX/SPDX), Dependency Track.
  • Offensive security background: OSCP, real red-team/purple-team engagements, CTF placement.
  • AI/LLM security experience: secure agent design, prompt-injection defenses, model supply-chain integrity.

Responsibilities

  • Build and evolve the DevSecOps technical strategy across CI/CD, IaC, secure cloud architecture, detection, and compliance automation.
  • Partner with the AVP of Corporate Information Security and the Team Lead, DevSecOps, on the security roadmap; translate risk decisions into engineering work.
  • Collaborate on architecture decisions and ADRs for the DevSecOps platform. Champion paved roads and golden paths over one-off solutions.
  • Lead vendor evaluations and POCs for security tooling. Make the build-vs-buy argument with the data to back it up.
  • Develop and maintain a Security Centre of Excellence for all new products and substantial changes, ensuring security requirements are met before they reach production.
  • Represent DevSecOps to engineering leadership, audit (internal and external), and regulators on technical questions.
  • Personally architect and build the hardest pieces: the IaC pipeline that gates all production change, the cross-cloud detection fabric, the SBOM/supply-chain integrity program, the secrets management migration.
  • Drive the AWS-to-Azure migration of applications as a senior security engineering owner: design target-state controls in Azure, run gap analysis against AWS, validate equivalence before workload cutover.
  • Architect and review Terraform at scale: module strategy, state isolation, workspace patterns, drift detection, breaking-change management.
  • Implement and operate policy-as-code across the SDLC: PR-time, pipeline-time, deploy-time, and runtime enforcement.
  • Lead implementation of supply-chain security: signed builds (Sigstore/cosign), SBOM generation and storage, SLSA-aligned provenance, dependency pinning, runner isolation.
  • Integrate, monitor, and tune SAST/DAST platforms across CI/CD pipelines.
  • Build out Zero Trust patterns: workload identity federation, conditional access, just-in-time access and microsegmentation.
  • Publish and disseminate CI/CD best practices, patterns, and solutions across product engineering teams.
  • Own the threat-modeling program: set the methodology (STRIDE, LINDDUN, attack-tree, MITRE ATT&CK-mapped), train others on it, ensure outputs become real backlog items.
  • Be an engineering owner of control evidence for SOC 2, PCI-DSS and applicable Canadian regulatory expectations.
  • Automate audit evidence collection wherever feasible: replace screenshot-based evidence with API-pulled, signed, dated artifacts.
  • Contribute to the cybersecurity risk register and risk treatment plans; partner with GRC and Operational Risk Management.
  • Make the case to regulators and auditors that controls are designed effectively and operating effectively.
  • Stay current on emerging threats and regulatory changes in cloud security, AI, and automation; apply innovative solutions to enhance the security framework.
  • Mentor Intermediate and Junior DevSecOps engineers: set development goals, do code reviews that teach, sponsor stretch projects.
  • Build the team's documentation and onboarding so it scales with hires.
  • Contribute to a healthy on-call culture: sustainable rotations, blameless retros, runbook quality.

Benefits

  • Competitive salaries
  • Profit sharing
  • RRSP matching
  • Benefits from day one
  • Generous paid time off
  • A strengths-based approach
  • Commitment to your well-being in five key areas: Financial, Physical, Social, Career, and Community.