Key skills
Distributed SystemsSDLCSAMLSSOSaaSCI/CDLeadershipCommunicationOWASP
About this role
Role Overview
- Set product security architecture direction for assigned portfolios, aligning security architecture decisions with Synchrony technology strategy, risk appetite, and regulatory expectations.
- Own and evolve the Application Security Blueprint: enterprise application security standards, reference architectures, reusable patterns, and guardrails that enable consistent secure engineering across teams.
- Serve as a strategic partner to product and engineering leadership, influencing roadmaps and operating models to ensure security is built-in (not bolted-on) and delivery teams can move quickly with well-defined paved roads.
- Lead architecture governance for product/application security: establish review criteria and decision frameworks, perform design reviews and approve/drive remediation plans, manage exceptions with documented risk acceptance, compensating controls, and time-bound closure.
- Drive threat modeling at scale by defining methodology and minimum expectations, and by facilitating modeling for high-risk initiatives—explicitly documenting trust boundaries, data flows, abuse cases, and security requirements.
- Define and standardize API security architectures (north-south and east-west), including authentication/authorization, token strategy, schema and input validation, anti-automation protections, and rate limiting/throttling patterns.
- Define patterns for service-to-service security controls in distributed systems, including workload identity, authorization, mTLS, secrets handling, and policy enforcement—ensuring controls are practical for engineering adoption.
- Influence and enable secure SDLC and platform controls with engineering enablement in mind (security requirements, pipeline guardrails, dependency/supply-chain controls, secure configuration guidance), partnering with platform teams to operationalize.
- Establish and track measurable outcomes (e.g., blueprint adoption, recurring architecture risks, API posture improvements, exception burn-down, control coverage for critical apps) and provide clear executive-level reporting.
- Act as a coach and multiplier: mentor engineers and architects, elevate secure design skills across teams, and improve security decision-making through clear documentation and reusable assets.
- Perform other duties and/or special projects as assigned.
Requirements
- 7+ years in security architecture/engineering, with deep focus on application/product security in modern software environments.
- Demonstrated ability to operate at an enterprise influence level: setting standards, driving cross-team adoption, and aligning stakeholders with differing priorities.
- Strong hands-on knowledge of application and service security fundamentals: authentication/authorization, session/token security, cryptography concepts, secrets management, secure logging/monitoring design, and secure data handling.
- Proven experience leading threat modeling and producing strong architecture artifacts (DFDs, trust boundaries, security requirements, risk assessments).
- Strong knowledge of API security and common web/service risks (e.g., OWASP Top 10 / API Security Top 10), with the ability to translate risks into enforceable patterns.
- Excellent communication skills—able to present clearly to engineering teams and senior leaders, and to produce high-quality architecture documentation.
- Track record of driving security with product teams: embedding security into product planning, influencing roadmaps, defining "definition of done" security requirements, and improving time-to-market through paved-road patterns.
- Experience securing and integrating SaaS applications, including SSO/federation (SAML/OIDC), tenant and data isolation considerations, audit logging, and shared responsibility alignment.
- Experience implementing service-to-service security patterns at scale (workload identity, mTLS, authorization, policy-as-code concepts).
- Experience operationalizing security standards into engineering consumables (shared libraries, templates, reference implementations, runbooks).
- Familiarity with CI/CD-based security enablement (SAST/DAST/SCA, secrets scanning, gating/exception workflows) and vulnerability management operating models.
- Experience supporting regulated environments and mapping architecture controls to policies/standards.
- Certifications (preferred): CISSP, CCSP, CSSLP (or equivalent).
- Ability and flexibility to travel for business as required.
Tech Stack
- Distributed Systems
- SDLC
Benefits
- bonuses