Application Security Director

Summary

Join AbbVie's Application Security team as a strategic leader, driving the enterprise application security program. You will partner with development teams, embedding security throughout the software development lifecycle and shifting security left. Responsibilities include building and scaling new functions like product security, DevSecOps, and API security. You will lead multiple security teams, developing a comprehensive program enabling secure, rapid development. This remote position is open anywhere in the U.S. The role requires significant experience in application security, software development, and team leadership. AbbVie offers a comprehensive benefits package.

Requirements

• Bachelor’s Degree and 10 years of experience OR Masters Degree and 9 years experience OR PhD and 5 years of experience
• Understanding of software development, programming languages, the software development life cycle, and common security coding vulnerabilities (eg, OWASP Top 10)
• 10+ years of information security experience, including: Minimum 5 years hands-on software development
• Minimum 5 years leading application security or security architecture programs
• Experience maintaining and implementing SDLC at the enterprise level
• Experience developing enterprise level security policies and standards with focus on application security
• Experience partnering with the business supporting IT teams to design and implement security applications
• Direct experience building developer security training programs
• Direct experience working with business partners to secure business product that are used by large customer bases (e.g. used by millions of customers)
• Demonstrated experience leading teams within information technology
• Experience implementing and maintaining: API security controls and gateways
• Container security platforms
• Secrets management solutions
• Software composition analysis (SCA) tools
• Security automation in CI/CD pipelines
• Developer self-service security tools
• Supply chain security controls
• Proven experience in managing 3rd party risks from both a strategic and operations perspective
• Proven track record implementing: Direct experience with code review, web application security assessments, and security architecture
• Experience integrating security into Agile/DevOps practices
• Strong interpersonal skills, ability to successfully adapt to changing requirements
• Proven ability to lead and develop an organization specifically through change and transformation
• Must be comfortable with ambiguity; strong writing and verbal communication skills, problem solving and creative thinking skills, and ability to work effectively with conceptual structures, outlines and models
• Ability to interact with and influence at all levels of management across divisions and functions

Responsibilities

• Accountability and ownership of the Application Security program including both strategy, execution, and ongoing operations
• Build and maintain relationship with business and business-focused IT partners to gain support for and drive success to application security programs and processes
• Build, develop, and execute on scalable and secure practices for the AbbVie App Sec program
• Oversee application security capabilities, following a “shift left” methodology to best integrate security throughout all phases of the SDLC
• Influence roadmaps and decisions of partner teams to promote application security
• Develop an application security framework, encompassing all aspects of application security, including vulnerability management, threat modeling, data protection, security logging/monitoring, secrets management, software supply chain security, DevSecOps integration, secure code training, security review & testing, and compliance
• Lead and develop multiple application security teams focusing on: Development standards & SDLC integration
• DevSecOps Program
• Application Security / DevSecOps operations & engineering
• Product security
• Software supply chain and secrets management
• API & container security
• Build and scale developer-focused security programs including: Developer certification and training programs
• Secure code bootcamps
• AppSec champions programs
• Self-service security tooling
• Design and implement custom security tooling to ensure development teams have the best possible customer experience when interacting with Application Security

Benefits

• Paid time off (vacation, holidays, sick)
• Medical/dental/vision insurance
• 401(k)
• Short-term incentive programs
• Long-term incentive programs