Security Application Solution Architect

Summary

Join AbbVie's Information Security team as a Security Application Solution Architect to develop and implement a comprehensive information security program. Collaborate with application development teams to ensure secure design, coding, configuration, and deployment of technology solutions. This role requires a deep understanding of secure application development practices and cloud application environments. The position can be virtual from anywhere in the U.S. You will design and architect secrets management solutions, define security architecture patterns, and drive secure-by-design initiatives. You will also represent security architecture in design boards and work with IT customers to evaluate application software and infrastructure designs.

Requirements

• Deep understanding of cloud computing principles, including virtualization, containerization, microservices, and serverless computing; Risk Management, container security, Kubernetes security, IAM security, network security, auditing, encryption, secrets management and data protection, securing CI/CD
• Advanced knowledge of Identity Security concepts, least-privilege, separation of duties, and Zero trust design principles
• Understanding of federation technologies (WS-Fed, OAuth, OpenID connect, SAML …) and of encryption technologies (encryption types and protocols/standards)
• Design the security architecture for applications, ensuring all components meet best practices and regulatory compliance
• Work closely with software development, DevOps, and operations teams to integrate security into the software development lifecycle (SDLC)
• Lead efforts in identifying potential threats through application threat modeling and propose design changes to mitigate risks
• Bachelor’s degree and 9 years of experience OR Master’s Degree and 8 years of experience OR PhD and 4 years of experience in information security and/or related functions (IT Audit, Risk Management or Security Architecture)
• Must have experience with Secrets Management in a corporate environment, large enterprise strongly preferred
• Knowledge of Secrets Management tools such as HashiCorp Vault, AWS KMS, Azure Key Vault, Beyond Trust
• Demonstrated experience architecting and guiding the deployment of enterprise-scale secrets management solutions, with hands-on familiarity a plus
• During recent history, candidate must have demonstrated exceptional ability to assess and communicate information security concepts and practices, with both business and IT stakeholders
• Requires in-depth knowledge of the systems development life cycle, client area’s functions and systems, and systems applications programs development technological alternatives
• Proven implementation of creative technology solutions that advance the business
• Relevant work experience is important for successful performance of this role due to the complexity of our global IT Security environment
• Strong understanding of application security principles, including OWASP Top 10, SANS/CWE Top 25, and secure coding practices
• Expertise in secure session management, token handling, and authentication mechanisms (OAuth, SAML, OpenID Connect)
• Knowledge of cryptographic practices, encryption protocols, and PKI management
• Experience with containerization (Docker, Kubernetes) and cloud platforms (AWS, Azure, GCP)
• Familiarity with tools for code analysis (e.g., SonarQube, Veracode) and vulnerability scanning (e.g., Burp Suite, Nessus)
• Understanding of DevSecOps practices, including securing CI/CD pipelines
• Self-starter with the ability to work independently and manage multiple projects simultaneously
• Strong problem-solving and analytical skills with the ability to identify security risks and propose effective solutions
• Ability to work collaboratively in cross-functional teams and influence technical teams towards secure implementations

Responsibilities

• Design and architect enterprise-grade secrets management solutions leveraging technologies such as HashiCorp Vault, AWS KMS, Azure Key Vault, or BeyondTrust
• Provide strategic direction and technical leadership to ensure secure storage, access, rotation, and auditing of secrets across hybrid environments
• Define reusable security architecture patterns and guardrails to enable consistent, secure implementation across high-risk business applications
• Drive secure-by-design initiatives by integrating security considerations early in the software architecture lifecycle and influencing enterprise architecture direction
• Represent security architecture in design authority boards and technical review councils, advocating for risk-based security controls
• Work with in-business IT customers, including application architects and engineers to evaluate application software and infrastructure designs, for the purpose of defining/designing application controls aligned with enterprise standards
• Define and drive the architecture and roadmap for enterprise-grade secrets management capabilities, including reference architectures, integration blueprints, and scalable deployment models
• Define application-specific security control architectures and produce design artifacts to guide secure implementation of business-critical systems
• Develop re-usable implementation guidance and design patterns based on previous engagements to scale the service
• Work with information security leadership to develop strategies and plans to enforce security requirements and address identified risks in the infrastructure and applications
• Act as a security architecture liaison to IT delivery and engineering teams, embedding security principles into technical delivery and architecture review forums
• Support security aspects of business & IT initiatives by assisting in architecture, design, implementation, deployment, and operational transition of innovative & secure technology solutions
• Work with information security leadership to develop strategies and plans to enforce security requirements and address identified risks in the infrastructure
• Research, evaluate, design, test, recommend and plan the implementation of new or updated information security technologies
• Establish collaborative working relations with the Information Technology functions to ensure that solutions align with security architecture and business strategy
• Play an advisory role in application development or acquisition projects to assess security requirements and controls and to ensure that security controls are implemented as planned. Complete remediation activities and initiate actions to ensure that compliance and security gaps are successfully addressed
• Research and assess new information security threats and recommend remedial actions
• Foster an information security culture through education, skill development, and implementation of effective information security processes and practices
• Understand and adhere to corporate standards regarding applicable Corporate and Divisional Policies, including code of conduct, safety, GxP compliance, data security, and the software development lifecycle
• Matures and leverages relationships with affiliates, subsidiaries, vendors, and industry peers in accordance with Abbvie Values, Vendor Management Office, and Purchasing to further the mission, vision and goals of the organization

Preferred Qualifications

• Understanding the following concepts is a plus; identity management, federated identity services, incident management, access control, , application vulnerability testing, public key infrastructure, Windows, and Unix/Linux, public cloud infrastructure and services
• Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project
• Significant SOX and HIPAA experience in dealing with IT general controls (ITGC), demonstrated through hands-on audit, remediation, and/or computer system validation
• Excellent understanding of current Information Security & Architecture trends and their impact on business strategies including: key Information Security vendors and solutions, audit organizations and influential market research firms
• Excellent communications and influencing skills with strong ability to balance differing stakeholder interests through sound analysis and persuasion
• Strong people skills, collaborative ability to work with IT stakeholders inside and outside of the organization, able to mentor team members with diverse backgrounds
• Ability to formulate network security architecture vision and translate vision into execution
• Thorough understanding of Information Security frameworks and good practices (e.g. ISO, NIST), and proven ability to strike a balance between an academic and pragmatic approach
• Information security qualification such as CISSP is preferred but not required

Benefits

• Paid time off (vacation, holidays, sick)
• Medical/dental/vision insurance
• 401(k)
• Short-term incentive programs
• Long-term incentive programs