Information Security Engineer III, Application Security Lead

Site: Mass General Brigham Incorporated

At Mass General Brigham, we know it takes a surprising range of talented professionals to advance our mission-from doctors, nurses, business people and tech experts, to dedicated researchers and systems analysts. As a not-for-profit organization, Mass General Brigham is committed to supporting patient care, research, teaching, and service to the community. We place great value on being a diverse, equitable and inclusive organization as we aim to reflect the diversity of the patients we serve.

At Mass General Brigham, we believe a diverse set of backgrounds and lived experiences makes us stronger by challenging our assumptions with new perspectives that can drive revolutionary discoveries in medical innovations in research and patient care. Therefore, we invite and welcome applicants from traditionally underrepresented groups in healthcare - people of color, people with disabilities, LGBTQ community, and/or gender expansive, first and second-generation immigrants, veterans, and people from different socioeconomic backgrounds - to apply.

Job Summary
Summary
The Information Security Engineer III assumes a leadership role within their security team at Mass General Brigham. The Information Security Engineer III is tasked with designing and implementing innovative security solutions while also optimizing existing security infrastructure. They are adept at leading complex projects, coordinating efforts across teams, and overseeing the work of junior engineers. In this capacity, the Information Security Engineer III provides technical guidance and mentorship to team members, fostering their professional development.

The Information Security Engineer III may represent the organization in industry forums or regulatory discussions. Additionally, this role actively engages with external partners, vendors, and stakeholders to establish collaborative security strategies and ensure alignment with industry trends and best-in-class security practices.

The Mass General Brigham (MGB) Information Security Engineer III - Application Security Lead will be responsible for elevating the existing foundations of the MGB Application Security capability. This role will be involved in the implementation of a secure coding process and pipeline through interfacing with developers and relevant stakeholders, implementing application security scanning technologies at appropriate levels, policy creation for developers to adhere to, and leading other engineers in the execution of the program. The ideal candidate is a deeply technical minded security professional focused on secure coding practices or development engineering with experience designing and executing strategic / programmatic roadmaps. They should have prior experience in one or more of the following areas:

Strategic program build and design
Secure Code Development
Application Security Testing Tools
CI/CD Pipeline Hardening
Application and Code Vulnerability Analysis

Duties include
Programmatic Vision: Collaboratively design the application security program to meet the needs of Mass General Brigham. Lead engineers in the execution of the strategic roadmap.
Static Code Analysis: Implement and maintain static analysis tools to identify security vulnerabilities in code before deployment. Collaborate with development teams to integrate these tools into workflows and provide actionable insights to remediate identified issues, fostering a proactive approach to secure coding practices.
Compiled Binary Analysis: Perform analysis of compiled binaries to detect potential security flaws and hidden vulnerabilities. Support cross-functional teams by translating complex findings into actionable recommendations, ensuring alignment with the organization's security standards and incident response capabilities.
Open Source Library Analysis: Monitor and assess open source libraries and dependencies for known vulnerabilities and licensing risks. Work closely with development teams to address these risks promptly and maintain updated documentation, helping safeguard applications against supply chain threats.
CI/CD Pipeline Hardening: Strengthen the security of CI/CD pipelines by implementing robust controls, such as automated security testing, access management, and secret protection. Collaborate with DevOps teams to ensure secure integration and delivery processes, while documenting best practices for ongoing improvement
Cross-functional Collaboration: Work closely with IT, network, and application teams to ensure a cohesive approach to security. Facilitate communication and collaboration across departments to ensure alignment with security goals.
Incident Response Support: Support the incident response team by providing insights into potential attack vectors and vulnerabilities that may be exploited during a cyber incident.
Written Documentation: Create, review, and update documentation related to the information security and information privacy controls.
Communication: Clear and concise written and verbal communication including long-form documentation, enterprise broadcast communications, and executive presentations; special attention required to translate technical detail into language the intended audience can understand.
Industry Knowledge: Maintain awareness of new technologies and related opportunities for impact on system or application security.
MGB Values: Uses the Mass General Brigham values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.
Other duties as assigned.

Qualifications

• Associate's Degree Related Field of Study required or Bachelor's Degree Related Field of Study required
• Bachelor's degree (B.A. / B.S.) in Information Security, Computer Science, Computer Engineering or equivalent from an accredited college or university preferred
• 5+ years of experience in Information Technology, Information Security, or Software Development required.
• A comprehensive understanding of secure coding principles, with the ability to guide development teams in adhering to these best practices. Hands-on experience with static and dynamic application security testing tools is preferred.
• A broad understanding of network security and architectural concepts, particularly as they pertain to securing applications, APIs, and data flows across distributed environments.
• Familiarity with tools used for static code analysis, binary analysis, open-source library management, and CI/CD pipeline hardening. A demonstrated ability to quickly learn and utilize new tools and methodologies as needed.
• Strong ability to apply documented processes, playbooks, and frameworks (e.g., OWASP, NIST CSF, etc.) to effectively address and resolve a wide variety of application security challenges.
• Advanced critical thinking skills to identify and articulate complex security issues. A sound judgment in determining when to escalate matters for further support.
• Demonstrated ability to work collaboratively with cross-functional teams, providing guidance and support to developers, DevOps engineers, and incident responders.
• Knowledge of established security frameworks, including NIST Cybersecurity Framework (CSF), NIST 800-53 with a focus on their application in securing software and application environments.
• Preferred certifications include: Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), GIAC Penetration Tester Certification (GPEN), GIAC Experienced Penetration Tester (GX-PT), GIAC Certified Red Team Professional (GRTP), GIAC Security Operations Certified (GSOC), GIAC Security Expert (GSE), etc.

Skills for Success

• Exceptional interpersonal skills to effectively communicate with cross functional teams.
• Strong time management and organizational skills required, project management skills are desired.
• An ability to work under the required guidelines and deliver on business/project requirements.
• Strong vocabulary, written and verbal communication and effective interpersonal skills is critical.
• Comfortable working in a dynamic environment with multiple work streams, goals, and objectives.
• Must know how to use common M365 Office Suite of products.
• Ability to work independently with appropriate supervision.
• Ability to successfully negotiate and collaborate with others of different skill sets, backgrounds an levels within and external to the organization.
• Experience in one or more of the following technologies preferred: endpoint detection and response (EDR), static and dynamic source-code analysis, SIEM, privileged access management (PAM), network technologies, cloud hosting platforms, IoT search engines, OSINT tools, etc.
• Strong problem solving and critical thinking skills.

Additional Job Details (if applicable)

• M-F Eastern Business Hours required
• Hybrid onsite Flexible working model required weekly includes onsite in office (number of days weekly can vary, must be flexible for business needs)
• 1-3 onsite days per week
• Remote working days require stable, secure, quiet, compliant working station

Remote Type

Hybrid

Work Location

399 Revolution Drive

Scheduled Weekly Hours

40

Employee Type

Regular

Work Shift

Day (United States of America)

EEO Statement:

Mass General Brigham Incorporated is an Equal Opportunity Employer. By embracing diverse skills, perspectives and ideas, we choose to lead. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law. We will ensure that all individuals with a disability are provided a reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment.

Mass General Brigham Competency Framework

At Mass General Brigham, our competency framework defines what effective leadership "looks like" by specifying which behaviors are most critical for successful performance at each job level. The framework is comprised of ten competencies (half People-Focused, half Performance-Focused) and are defined by observable and measurable skills and behaviors that contribute to workplace effectiveness and career success. These competencies are used to evaluate performance, make hiring decisions, identify development needs, mobilize employees across our system, and establish a strong talent pipeline.