Senior Application Security Architect
The Global Consumer Information Security Team is responsible for managing technology risk by providing security controls and compliance guidance to Technology Development Units, ensuring adherence to Citi standards, policies, and procedures, and driving a secure SDLC for Citi Consumer Technology. The team needs to ensure that security requirements are identified early in the development lifecycle and that the architecture and design of each application incorporate the required security controls. A Senior Application Security Architect (SASA) is required to assess technology risks and provide security solutions that address those risks in compliance with Citi Information Security standards and industry best practices. The SASA will have strong technical acumen and should establish relationships with application managers, domain architects, project managers, business product owners and various other Info Sec teams. You will join a team of security architects that has been tasked with performing threat modeling exercises and proposing technical controls for business-critical applications. The work environment offers the latest technologies and provides opportunities to solve complex real-world problems using them.
- Assess risk when business and technology decisions are made, demonstrating particular consideration for the firm's reputation and safeguarding its clients and assets, by driving compliance with applicable laws, rules and regulations, adhering to Policy, applying sound ethical judgment regarding personal behavior, conduct and business practices, and escalating, managing and reporting control issues with transparency.
- Review existing security profile of applications, create security architecture baselines, identify gaps and define target/reference architectures to remediate gaps and adopt best practices.
- Define security architecture roadmap that leads to target state architecture. Prioritize architecture deliverables, and establish short-term, mid-term and long-range architecture plans. Facilitate the migration to the reference architecture in alignment with the strategic plan.
- Act as an advocate for the adoption of controls, tools and products that lead to the target state by building awareness and influencing key stakeholders. Expertise in managing stakeholder expectations across business and technology is required.
- Develop security design patterns by identifying broader and emerging IS issues, and drive adoption of patterns and best practices.
- Provide security architecture consulting across the bank to multiple project teams and other domain architects.
- Maintain understanding of business issues, operating procedures and priorities.
- Understand current as well as emerging security threats and reflect changes in security architecture to mitigate threats. Perform industry trend analysis to evaluate and recommend new products/tools that will help improve the security posture of the organization.
This job description provides a high-level review of the types of work performed. Other job-related duties may be assigned as required. Candidates should have in-depth subject matter expertise of application and data security, with adequate knowledge of infrastructure and network security. Requirements include:
- 7+ years of experience as Security Architect/Security Analyst/Penetration Tester/Information Security Officer in a similar organization
- In-depth, hands-on experience of Cloud Security across cloud service models (IaaS/PaaS/SaaS). Cloud security experience in one or more external cloud provider environments and services (e.g. AWS, Kubernetes/CloudFoundry, Salesforce) preferred.
- Thorough understanding of modern application architectures and technology. Experience with cloud native applications, microservices architecture and container technology highly preferred.
- Demonstrable experience in web application security, mobile security, and API security (OAuth, OIDC). Must have SME-level knowledge of web application vulnerabilities, business logic flaws and threats.
- Extensive experience in security risk assessment and threat modeling of applications
- Knowledge of Big Data/Analytics platform security will be an added advantage.
- Proficient in interpreting and applying policies, standards and procedures
- Thorough understanding of Industry and Enterprise technology standards for Information Security
- In-depth familiarity with security hacking tools and techniques.
- Industry/Vendor Certifications preferred: CISSP/CCSP/CSSLP, AWS Architect, AWS Security Specialty
- Bachelor's degree/University degree
- Master's degree preferred
Job Family Group: Technology
Job Family: Information Security
Time Type:
Citi is an equal opportunity and affirmative action employer.
Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
Citigroup Inc. and its subsidiaries ("Citi") invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity, review Accessibility at Citi.
View the "EEO is the Law" poster. View the EEO is the Law Supplement. View the EEO Policy Statement. View the Pay Transparency Posting.