VP Cyber Application Security

About The Position

Requirements

• 12+ years in cybersecurity and/or software engineering, with demonstrated experience building and operating an enterprise AppSec program across multiple product lines and technology stacks.
• 8+ years of leadership/managerial experience in application security.
• 8+ years of experience in SDLC practices, common vulnerabilities, and modern application architectures (APIs, microservices, cloud, containers).
• 8+ years of experience implementing and operationalizing AppSec tooling and integrating it into CI/CD pipelines at scale.
• Bachelor's degree in computer science, Information Technology, Information Systems, or a related field (or foreign equivalent degree) or equivalent work experience.

Nice To Haves

• Proven ability to influence engineering and product leadership through partnership, governance, and metrics-driven decision-making.
• Experience in leveraging AI or similar technologies for automating processes, improving services, and reducing SLAs.
• Background in regulated environments and familiarity with common security and risk frameworks.
• Experience with software supply chain security practices (SBOM, dependency governance, code signing, pipeline integrity).
• Experience with penetration testing oversight and integrating findings into engineering backlogs.
• Relevant certifications (e.g., CISSP, CSSLP, GIAC, or equivalent) or comparable demonstrated expertise

Responsibilities

• Establish and mature secure architecture and threat modeling practices for applications, APIs, microservices, and cloud-native workloads.
• Own the application security tooling strategy and operations (e.g., SAST, DAST, SCA, secret scanning, container/IaC scanning) and drive CI/CD integration and automation.
• Drive vulnerability management processes for application findings, including severity standards, remediation SLAs, exception handling, and risk acceptance workflows.
• Partner with engineering leaders to build scalable developer enablement (secure coding training, playbooks, reusable patterns, office hours, and “security champions” programs).
• Provide executive-level reporting on application risk posture, trends, remediation performance, and program effectiveness using meaningful KPIs and KRIs.
• Collaborate with incident response, fraud, infrastructure security, and GRC teams to ensure application risks are addressed end-to-end.
• Support regulatory, audit, and client assurance needs by producing evidence, artifacts, and program documentation related to application security controls.
• Influence third-party and open-source risk practices as they relate to software supply chain security.