Mass General Brigham (Enterprise Services)

Information Security Engineer III, Application and Cloud Security Lead

Mass General Brigham (Enterprise Services), Somerville, Massachusetts, US 02145


Overview

The Mass General Brigham (MGB) Information Security Engineer III - Application and Cloud Security Lead provides leadership and expertise within the cybersecurity team, overseeing security practices related to application development and cloud infrastructure. This role ensures robust and secure software development lifecycles, implements advanced security strategies in cloud environments, and drives continuous improvement in both application security and cloud security posture. The Engineer will lead complex security projects, coordinate cross-team collaboration, and mentor junior and mid-level engineers to foster professional growth. The ideal candidate is a technically minded security professional with a background in secure coding or development engineering and experience designing and executing strategic roadmaps. The Information Security Engineer III may represent the organization in industry forums or regulatory discussions and engages with external partners, vendors, and stakeholders to establish collaborative security strategies and ensure alignment with industry trends and best-in-class security practices. Prior experience building application and/or cloud security programs is required, with experience in several of the following areas: DevSecOps, strategic program design and build-out, secure code development, application security testing tools, CI/CD pipeline hardening, application and code vulnerability analysis, and cloud security.

Responsibilities

Collaboratively design the application and cloud security program to meet the needs of Mass General Brigham and lead engineers in the execution of the strategic roadmap.

Lead the design, development, testing, and implementation of advanced security controls for application development and cloud environments based on published information security policies and business requirements.

Establish and maintain a secure software development lifecycle (SSDLC), incorporating security checkpoints, threat modeling, secure coding standards, and rigorous testing practices.

Drive the implementation and ongoing management of Cloud Security Posture Management (CSPM) tools and strategies, ensuring continuous monitoring and proactive remediation of cloud security issues.

Implement and maintain code analysis tools (SAST, DAST, IAST, SCA, etc.) to identify security vulnerabilities in code and dependencies before deployment. Collaborate with development teams to integrate these tools into their workflows and CI/CD pipelines and provide actionable remediation guidance.

Serve as a technical leader within the cybersecurity team, providing guidance, mentorship, and professional development opportunities for junior and mid-level security engineers.

Collaborate with development, operations, and DevOps teams to embed security into software development and deployment processes, fostering a DevSecOps culture.

Conduct and oversee application and cloud security assessments, including penetration testing, code reviews, configuration audits, and vulnerability management.

Innovate by researching, evaluating, and proposing new security technologies and methods to improve the organization’s application and cloud security maturity.

Ensure high-quality, maintainable, and scalable security solutions through architecture reviews, security assessments, and alignment with best practices.

Respond promptly and effectively to complex security incidents involving applications and cloud resources, providing expert guidance and leading remediation efforts.

Engage proactively with vendors, industry partners, and stakeholders to leverage external expertise and best practices.

Align all actions with organizational values and demonstrate commitment to diversity, integrity, and teamwork.

Perform other duties and responsibilities as assigned.

Qualifications

Bachelor's degree in Information Security, Computer Science, or a related field; advanced degree or equivalent professional experience preferred.

Minimum of 5 years of progressive experience in application security, cloud security, or related cybersecurity roles.

Relevant industry certifications preferred (CISSP, CCSP, CSSLP, AWS/Azure Security Specialty, GIAC certifications).

Skills for Success

Expert-level knowledge and practical experience in secure software development methodologies, OWASP Top 10, and application security testing tools (SAST, DAST, IAST).

A thorough understanding of secure coding principles with the ability to guide development teams in best practices. Hands-on experience with static and dynamic application security testing tools is strongly preferred.

Proven expertise in securing major cloud platforms (AWS, Azure, GCP), including CSPM tools, cloud-native security services, and IaC security.

Deep understanding of modern software architectures, microservices, APIs, and container security (Docker, Kubernetes), including image hardening and cluster configuration.

Strategic, creative, and innovative thinking to design and implement robust security controls.

Demonstrated leadership with strong project management and ability to communicate complex security issues to technical and non-technical stakeholders.

Proven track record of delivering and managing successful security projects and continuous improvement initiatives.

Ability to apply documented processes, playbooks, and frameworks (e.g., OWASP, NIST CSF) to address and resolve security challenges.

Knowledge of security frameworks including NIST CSF and NIST 800-53 with a focus on securing software environments.

Preferred certifications include OSCP, OSCE, GPEN, GX-PT, GRTP, GSOC, GSE, etc.

Proficiency with the Microsoft 365 Office suite is required.

Work Arrangements

M-F Eastern Business Hours required.

Hybrid flexible working model; on-site in the office weekly (number of days per week varies by business needs).

1-2 on-site days per week.

Remote working days require a stable, secure, quiet, and compliant workstation.

Compensation & Benefits

The salary range for this position is $92,102.14 to $155,032.25 annually. Base pay is determined by the minimum job qualifications and takes into account skills, experience, education, and certifications. This range is an estimate and does not reflect total compensation.

In addition to base pay, we offer comprehensive benefits, career advancement opportunities, differentials, premiums, bonuses, and recognition programs. Our Talent Acquisition team will provide an overview of potential compensation and benefits during the interview process.

Mass General Brigham Incorporated is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, or other status protected by law. We provide reasonable accommodations to participate in the application or interview process and for performing essential job functions.
