Director, Application Security (Cybersecurity Defense)
Cardinal Health · United States · 2 wk ago
RemoteRemoteInformation TechnologyFull-time
Responsibilities
- Lead the enterprise application security strategy aligned with cybersecurity, risk management, and business objectives.
- Establish governance frameworks to embed security into the software development lifecycle (SDLC) across all application domains.
- Collaborate with enterprise architecture, engineering, and product teams to align application security with technology strategies and transformation initiatives.
- Serve as an advisor to executive and business leadership on application security risks, priorities, and investment decisions.
- Drive a secure-by-design culture across development and engineering teams.
- Oversee application security capabilities across Pharma, Medical, and Commercial Technology segments, ensuring consistent implementation of security practices.
- Define segment-specific requirements and approaches to address unique regulatory, operational, and risk considerations.
- Ensure alignment of application security practices across segments while enabling flexibility to support business-specific needs.
- Drive standardization of processes, tooling, and reporting across segment application security teams.
- Oversee enterprise application security testing programs, including SAST, DAST, SCA, and IAST across all application environments.
- Ensure vulnerabilities are identified, assessed, prioritized, and remediated during the development lifecycle prior to deployment.
- Define secure coding standards and integrate security controls into CI/CD pipelines and development workflows.
- Collaborate with development teams to reduce application security technical debt and improve code quality.
- Oversee implementation of runtime security controls for applications and APIs, including WAF, API gateways, and runtime monitoring solutions.
- Ensure security requirements are embedded into application and API design, deployment, and operational processes.
- Collaborate with engineering and infrastructure teams to enforce runtime protections aligned with enterprise architecture.
- Monitor runtime risks and coordinate mitigation efforts across application environments.
- Lead development and integration of application security tooling, including configuration, onboarding, and operational management.
- Define use cases, policies, and detection logic for application security tools to ensure effective coverage and scalability.
- Drive integration of application security tools into CI/CD pipelines and DevSecOps workflows.
- Ensure application security tooling aligns with enterprise security architecture and standards.
- Collaborate with Security Architecture teams to define secure design patterns, reference architectures, and application security standards.
- Ensure application security requirements are incorporated into solution design and architecture reviews.
- Partner with engineering teams to implement secure development lifecycle (SDLC) practices and controls.
- Support evaluation of new technologies and architectures to ensure alignment with security requirements.
- Ensure application security practices align with regulatory requirements, compliance standards, and enterprise risk management frameworks.
- Provide application security oversight for audits, regulatory assessments, and compliance reporting.
- Collaborate with risk and compliance teams to translate application security risks into enterprise risk insights.
- Support remediation of identified risks and ensure alignment with risk tolerance and governance processes.
- Define and track KPIs and KRIs related to application security posture, vulnerability management, and SDLC integration.
- Provide regular reporting to executive leadership on application security risks, trends, and program effectiveness.
- Leverage data and analytics to drive continuous improvement in application security practices and outcomes.
- Identify opportunities to enhance automation, efficiency, and scalability of application security processes.
- Collaborate with application development, product, IT, security operations, and business teams to integrate application security into enterprise processes.
- Partner with Cyber Detection & Response to ensure application security findings are integrated into monitoring and incident response workflows.
- Engage with segment leaders to align application security initiatives with business priorities and risk considerations.
- Support M&A activities by assessing and integrating application security controls for acquired applications.
- Build and lead a high-performing application security organization with expertise across secure development, testing, and runtime protection.
- Ensure alignment of team capabilities with evolving technologies, threats, and business needs.
- Ideal candidates should have 10+ years of experience in cybersecurity, with a focus on application security, secure development, or DevSecOps.
- Deep expertise in application security testing methodologies (SAST, DAST, SCA, IAST) and secure development practices, strongly preferred.
- Strong understanding of application and API security, cloud-native architectures, and modern development frameworks.
- Experience leading application security programs across large, complex organizations, preferred.
- Strong understanding of cybersecurity frameworks (e.g., NIST CSF, OWASP, ISO 27001) and regulatory requirements.
- Demonstrated ability to collaborate with cross-functional teams and influence executive stakeholders.
- Strong leadership, communication, and problem-solving skills.
- Anticipated salary range: $135,400 - $208,100
- Bonus eligible: Yes
- Benefits: Medical, dental and vision coverage, paid time off plan, health savings account (HSA), 401k savings plan, access to wages before pay day with myFlexPay, flexible spending accounts (FSAs), short- and long-term disability coverage, work-life resources, paid parental leave, healthy lifestyle programs