Associate Director, AI & Application Security - HYBRID ROLE
Vertex Pharmaceuticals · Boston, MA · 1 mo ago
HybridInformation Technology$172k–$258k/yrFull-time
About the role
This is a hybrid position that requires 3 days a week in our Boston office. Vertex is seeking an Associate Director, AI & Application Security, to lead security for AI-enabled applications, platforms, and services across the enterprise.
Responsibilities
- Lead AI and application security across the full lifecycle of AI-enabled systems, from design and development through deployment and operations.
- Define and evolve security standards, guardrails, and control expectations for AI systems used across Vertex.
- Apply and operationalize industry-recognized security frameworks and control models, including:
- NIST AI Risk Management Framework (AI RMF)
- NIST Cybersecurity Framework (CSF)
- OWASP Top 10
- OWASP Top 10 for LLM and Generative AI Applications
- Secure AI workloads and AI-enabled applications across cloud and SaaS environments, with emphasis on:
- policy enforcement
- data protection
- logging and telemetry
- monitoring and operational visibility
- Lead threat modeling and misuse-case analysis for AI systems, including risks such as:
- prompt injection and prompt abuses
- sensitive data leaks
- tool or action abuse
- unsafe outputs
- model misuse
- Define and mature AI guardrails, including monitoring, detection, logging, and misuse or negative testing practices.
- Establish secure development expectations for AI-enabled applications and services, including secure coding practices and appropriate separation of development and production environments.
- Build and lead application security testing practices for AI-enabled applications and supporting services, including SAST, DAST, automated scanning, and retesting processes.
- Partner with Cloud Security, Security Operations, Privacy, Legal, Data Science, and Engineering teams to align security controls with business, technical, and regulatory requirements.
- Influence architecture and platform decisions through practical, risk-based guidance that can scale with AI adoption.
- Communicate risks, tradeoffs, and recommendations clearly to both technical teams and senior leadership.
Requirements
- Cloud security architecture and controls across Azure and AWS
- Familiarity with GCP security concepts and services
- Secure software development lifecycle (SDLC) practices
- Secure coding standards and code review practices
- SAST, DAST, automated security scanning, and remediation workflows
- OWASP Top 10 and common application and API security risks
- Familiarity with OWASP guidance for LLM/GenAI applications
- API security, identity and access management, secrets management, and service-to-service trust
- Logging, telemetry, monitoring, and detection for cloud-native environments
- Threat modeling and misuse-case analysis
- Familiarity with AI security risks, including:
- prompt injection
- sensitive data leaks
- model misuse
- tool or action abuse
- unsafe outputs
- policy enforcement
- Familiarity with AI platforms and providers such as:
- Microsoft Copilot / Azure OpenAI
- Anthropic
- Google Gemini
- AWS Bedrock
- Emerging AI platforms and services
Qualifications
- Bachelor’s degree in Computer Science, Information Security, Engineering, or a related field or equivalent experience
- Significant experience in application security, product security, cloud security, or a related cybersecurity discipline
- Strong experience securing cloud environments, particularly Azure and AWS; familiarity with GCP is a plus
- Deep knowledge of application security fundamentals and secure software development practices
- Experience securing APIs, platforms, and complex distributed systems
- Experience leading threat modeling, architecture reviews, and risk-based security assessments
- Experience applying security and risk frameworks in engineering environments, including familiarity with NIST AI RMF, NIST CSF, and common application security standards
- Demonstrated ability to partner effectively with engineering and platform teams to embed security into design and delivery processes
- Experience securing generative AI applications, agentic workflows, or machine learning-enabled services
- Experience defining AI guardrails and monitoring strategies at scale
- Excellent communication and influence skills, with the ability to engage both technical teams and senior leaders
Preferred Qualifications
- Experience working in biopharmaceutical or other GxP-regulated environments with strong privacy and data protection requirements