Serves as a technical security lead and domain expert to executive and engineering leadership for large, cross-organizational initiatives
Leads the application of security techniques, threat modeling, and secure design practices to protect applications, cloud infrastructure, and product environments
Defines, champions, and drives the adoption of organization-wide security standards, best practices, and foundational architecture patterns
Develops and implements objective, quantifiable metrics to measure the effectiveness and maturity of Workiva’s application security program, reporting progress to executive stakeholders
Resolves the most ambiguous, high-impact, and systemic security challenges across the entire platform, often requiring changes to established engineering processes
Proactively identifies systemic security risks across products, services, and infrastructure
Designs and drives effective long-term security solutions and remediation strategies across diverse product areas
Anticipates emerging industry security trends, regulatory changes, and threat landscapes, translating them into proactive, preventative technical strategies
Drives the formal risk acceptance or mitigation processes for critical, high-severity vulnerabilities that carry significant compliance or business risk.
Drives broad, lasting, and foundational security changes that significantly enhance Workiva’s overall security posture, customer trust, and global compliance.
Acts as a lead security advisor to executive leadership (VP/CTO level) on platform security risks, strategic initiatives, and technical feasibility.
Regularly collaborates across product, engineering, platform, and infrastructure teams to influence secure architecture and design decisions
Engages with senior internal stakeholders and leads discussions with directors and senior directors on security topics
Defines and is fully accountable for the technical security roadmap and direction for major domains or engineering organizations without requiring external guidance.
Requirements
6+ years of related experience with a Bachelor’s degree or equivalent experience
3+ years of software development experience in at least one of the following languages: Java, JavaScript/TypeScript, Python, Go
Deep knowledge of application security, secure coding practices, threat modeling, and vulnerability classes including OWASP Top 10
Proven experience leading secure code reviews, architecture reviews, and security design discussions
Ability to communicate complex security concepts, risks, and recommendations to both technical and executive stakeholders
Experience using web application security testing tools such as Burp Suite
Strong understanding of cloud security concepts, particularly in AWS-based environments
Hands-on penetration testing experience across modern web applications
Familiarity with DevSecOps tooling such as Semgrep, GitHub Advanced Security, Trivy, Grype, or similar
Proven experience driving the adoption of large-scale security initiatives (e.g., implementing a global Zero Trust architecture, defining a company-wide secret management strategy)
Proven experience designing, building, and operating production security services/systems (e.g., internal security libraries, secrets management systems, authentication services, centralized security logging frameworks) used by 10+ engineering teams.
Tech Stack
AWS
Cloud
Java
JavaScript
Python
TypeScript
Go
Benefits
A discretionary bonus typically paid annually
Restricted Stock Units granted at time of hire
401(k) match and comprehensive employee benefits package