Sr. Principal Security Engineer, Application Security Strategy & Architecture

Lilly
Indianapolis, IN
$126,000 - $224,400
Hybrid

About The Position

At Lilly, the work is demanding because patients are waiting. We unite caring with discovery to help make life better for people around the world, knowing that every decision, every detail, and every day matters. Headquartered in Indianapolis, Indiana, our over 50,000 employees around the globe take on complex challenges to discover and deliver life-changing medicines, strengthen how health is understood and managed, and support the communities we serve. This is hard, urgent, selfless work—but it’s work worth doing. If you’re driven by purpose and ready to bring your best to work that truly matters for patients, we invite you to join us.

As a Sr. Principal Security Engineer, you will serve as a senior technical leader within the Security Architecture & Engineering (SAE) organization, leading strategy and architecture across Lilly’s Application Security program. You will provide architectural direction, lead tool evaluation and selection, drive critical security transformation initiatives, and serve as a trusted technical advisor to the Director of Application Security on program-level execution risk. This is a high-judgment, senior individual contributor role for someone who can operate at the strategic and architectural level while remaining credible in technical depth.

Requirements

  • Bachelor’s Degree in Computer Science, Information Security, Software Engineering, or a related field.
  • At least 5 years of experience in application security, security architecture, or a closely related discipline.
  • Demonstrated experience leading or architecting a large-scale security, identity, or platform migration in an enterprise environment.
  • Hands-on experience with GitHub enterprise environments, including GitHub Actions, CI/CD security controls, and identity and access management patterns.
  • Experience evaluating and selecting enterprise security tooling, including SAST, DAST, or SCA platforms.
  • Familiarity with threat modeling methodologies and application security fundamentals (OWASP Top 10, CWE, secure coding practices).

Nice To Haves

  • Deep familiarity with GitHub’s identity and access model, including experience with or strong understanding of GitHub Enterprise Managed Users (EMU), SAML/OIDC federation, PAT governance, and GitHub Actions security controls.
  • Experience assessing the security implications of platform migrations—understanding what breaks, what coverage gaps are created, and how to sequence remediation.
  • Strong expertise in application security fundamentals—OWASP Top 10, CWE, secure coding practices, threat modeling, and vulnerability management.
  • Working knowledge of AppSec tooling ecosystems: SAST (Checkmarx or equivalent), DAST, SCA, and secrets scanning platforms.
  • Ability to communicate effectively, producing architectural documentation and presenting risks and recommendations to senior leadership.
  • Familiarity with secrets management platforms and software supply chain security patterns.
  • Awareness of AI-augmented security tooling and the ability to evaluate where AI meaningfully improves AppSec workflows versus where it introduces risk.
  • Working knowledge of cloud environments (AWS preferred) and containerized workloads in the context of security architecture.
  • Ability to operate as a senior individual contributor—providing architectural leadership and program-level judgment without requiring direct management authority to drive outcomes.

Responsibilities

  • Define and maintain the architectural direction for Lilly’s Secure SDLC program, including SAST, DAST, SCA, secrets management, and software supply chain capabilities.
  • Partner with the Director of Application Security to identify and communicate program-level execution risks and dependencies.
  • Translate regulatory, compliance, and audit requirements into security architecture that engineering teams can implement and sustain.
  • Lead structured evaluations of security tooling across SAST, DAST, SCA, penetration testing, and AI-augmented security platforms.
  • Define evaluation criteria, design proof-of-concept engagements, assess vendor capabilities against Lilly’s environment and scale, and produce recommendation packages for leadership decision-making.
  • Maintain awareness of the AppSec tooling landscape and advise on emerging capabilities—including AI-driven security tools—that warrant evaluation or adoption.
  • Partner with procurement, legal, and engineering collaborators to support vendor selection and contract alignment.
  • Serve as the AppSec architecture lead for platform transformations, owning security architecture decisions and ensuring AppSec requirements are represented.
  • Assess and document the security impact of the migration on existing AppSec controls—identifying gaps in SAST, secrets scanning, and CI/CD security coverage that the migration creates and defining the remediation path.
  • Partner with engineering and platform teams to ensure security requirements are embedded into migration sequencing and cutover planning—not addressed after the fact.
  • Define security readiness criteria for each phase of the transformation and serve as the AppSec authority on go/no-go decisions at key transition points.
  • Provide senior technical guidance to AppSec engineers on complex implementation challenges, architecture decisions, and remediation approaches.
  • Conduct security reviews for high-risk applications, platforms, and infrastructure changes.
  • Support threat modeling engagements for major product initiatives and platform changes across Lilly’s development ecosystem.
  • Contribute to Lilly’s Secure SDLC standards and vulnerability management policy, ensuring policy is grounded in architectural reality and can be implemented through platform and pipeline controls.

Benefits

  • company bonus (depending, in part, on company and individual performance)
  • company-sponsored 401(k)
  • pension
  • vacation benefits
  • eligibility for medical, dental, vision and prescription drug benefits
  • flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts)
  • life insurance and death benefits
  • certain time off and leave of absence benefits
  • well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities)