Information Security Engineer III, Application and Cloud Security Lead

Overview

Remote
On Site
Full Time

Skills

Teaching
IaaS
Continuous Integration
Continuous Delivery
Hardening
Vulnerability Assessment
Roadmaps
Development Testing
Application Development
Threat Modeling
Continuous Monitoring
SCA
Workflow
Mentorship
Professional Development
DevOps
Software Development
DevSecOps
Penetration Testing
Auditing
Vulnerability Management
Research
Accountability
Innovation
Teamwork
Collaboration
Information Security
Computer Science
CISSP
Cisco Certifications
Software Development Methodology
Testing
Amazon Web Services
Microsoft Azure
Google Cloud
Google Cloud Platform
Cloud Security
Cloud Computing
Microservices
Docker
Kubernetes
Security Controls
Project Management
Management
Continuous Improvement
OWASP
Software Security
Cyber Security
NIST 800-53
FOCUS
OSCP
GPEN
Security Operations
Microsoft Office
Military
Law
Human Resources
MASS
Leadership
Recruiting

Job Details

Site: Mass General Brigham Incorporated

Mass General Brigham relies on a wide range of professionals, including doctors, nurses, business people, tech experts, researchers, and systems analysts to advance our mission. As a not-for-profit, we support patient care, research, teaching, and community service, striving to provide exceptional care. We believe that high-performing teams drive groundbreaking medical discoveries and invite all applicants to join us and experience what it means to be part of Mass General Brigham.

Job Summary
The Mass General Brigham (MGB) Information Security Engineer III - Application and Cloud Security Lead provides leadership and expertise within the cybersecurity team, specifically overseeing security practices for application development and cloud infrastructure. This role is responsible for ensuring a robust and secure software development lifecycle, implementing advanced security strategies in cloud environments, and driving continuous improvement of both the application security and the cloud security posture. The Engineer will lead complex security projects, coordinate cross-team collaboration, and mentor junior and mid-level engineers to foster their professional growth. The ideal candidate is a deeply technical security professional focused on secure coding practices or development engineering, with experience designing and executing strategic/programmatic roadmaps.

The Information Security Engineer III may represent the organization in industry forums or regulatory discussions. Additionally, this role actively engages with external partners, vendors, and stakeholders to establish collaborative security strategies and ensure alignment with industry trends and best-in-class security practices.

They should have prior experience building application and/or cloud security programs, and experience in several of the following areas:

  • DevSecOps
  • Strategic program build and design
  • Secure Code Development
  • Application Security Testing Tools
  • CI/CD Pipeline Hardening
  • Application and Code Vulnerability Analysis
  • Cloud security expertise

Duties include

  • Collaboratively designs the application and cloud security program to meet the needs of Mass General Brigham, and leads engineers in executing the strategic roadmap.
  • Leads the design, development, testing, and implementation of advanced security controls for application development and cloud environments, based on published information security policies and business requirements.
  • Establishes and maintains a secure software development lifecycle (SSDLC), incorporating security checkpoints, threat modeling, secure coding standards, and rigorous testing practices.
  • Drives the implementation and ongoing management of Cloud Security Posture Management (CSPM) tools and strategies, ensuring continuous monitoring and proactive remediation of cloud security issues.
  • Implements and maintains code analysis tools (e.g., SAST, DAST, IAST, SCA) to identify security vulnerabilities in code before deployment; collaborates with development teams to integrate these tools into their workflows and provides actionable findings for remediating identified issues, fostering a proactive approach to secure coding.
  • Serves as a technical leader within the cybersecurity team, providing guidance, mentorship, and professional development opportunities for junior and mid-level security engineers.
  • Collaborates closely with development, operations, and DevOps teams to embed security seamlessly into software development and deployment processes, fostering a DevSecOps culture.
  • Conducts and oversees application and cloud security assessments, including penetration testing, code reviews, configuration audits, and vulnerability management efforts.
  • Innovates by researching, evaluating, and proposing new security technologies and methods specifically designed to improve the organization's application and cloud security maturity.
  • Ensures high-quality, maintainable, and scalable security solutions through comprehensive architecture reviews, security assessments, and alignment with best practices.
  • Responds promptly and effectively to complex security incidents involving applications and cloud resources, providing expert guidance and leading remediation efforts.
  • Engages proactively with vendors, industry partners, and stakeholders to leverage external expertise, technologies, and best practices.
  • Aligns all actions and decisions with organizational values, including Patients First, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and demonstrates commitment to Diversity & Inclusion, Integrity & Respect, Learning & Continuous Improvement, Personal Growth, and Teamwork & Collaboration.
  • Performs other duties and responsibilities as assigned.

Qualifications

  • Bachelor's degree in Information Security, Computer Science, or related field; advanced degrees or equivalent professional experience preferred.
  • At least 5 years of progressive experience in application security, cloud security, or related cybersecurity roles.
  • Relevant industry certifications preferred (CISSP, CCSP, CSSLP, AWS/Azure Security Specialty, GIAC certifications).

Skills for Success
  • Expert-level knowledge and practical experience in secure software development methodologies, OWASP Top 10, and application security testing tools (SAST, DAST, IAST).
  • A comprehensive understanding of secure coding principles, with the ability to guide development teams in adhering to these best practices. Hands-on experience with static and dynamic application security testing tools is preferred.
  • Proven expertise in securing major cloud platforms (AWS, Azure, Google Cloud Platform), including experience with Cloud Security Posture Management tools, cloud-native security services, and infrastructure-as-code security.
  • Deep understanding of modern software architectures, microservices, APIs, and container security best practices (e.g., Docker, Kubernetes).
  • Ability to think strategically, creatively, and innovatively to design and implement robust security controls.
  • Demonstrated leadership skills with strong project management capabilities, able to effectively communicate complex technical security issues clearly to technical and non-technical stakeholders.
  • Proven track record of delivering and managing successful security projects and continuous improvement initiatives.
  • Strong ability to apply documented processes, playbooks, and frameworks (e.g., OWASP, NIST CSF, etc.) to effectively address and resolve a wide variety of application security challenges.
  • Knowledge of established security frameworks, including the NIST Cybersecurity Framework (CSF) and NIST 800-53, with a focus on their application in securing software and application environments.
  • Preferred certifications include: Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), GIAC Penetration Tester Certification (GPEN), GIAC Experienced Penetration Tester (GX-PT), GIAC Certified Red Team Professional (GRTP), GIAC Security Operations Certified (GSOC), GIAC Security Expert (GSE), etc.
  • Must be proficient with the common Microsoft 365 (M365) Office suite of products.

Additional Job Details (if applicable)

  • Monday to Friday, Eastern business hours required
  • Hybrid flexible working model required; includes weekly onsite days in the office (the number of days per week can vary and must be flexible for business needs)
  • 1-3 onsite days per week
  • Remote working days require a stable, secure, quiet, compliant workstation

Remote Type

Hybrid

Work Location

399 Revolution Drive

Scheduled Weekly Hours

40

Employee Type

Regular

Work Shift

Day (United States of America)

EEO Statement:

Mass General Brigham Incorporated is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religious creed, national origin, sex, age, gender identity, disability, sexual orientation, military service, genetic information, and/or other status protected under law. We will ensure that all individuals with a disability are provided a reasonable accommodation to participate in the job application or interview process, to perform essential job functions, and to receive other benefits and privileges of employment. To ensure reasonable accommodation for individuals protected by Section 503 of the Rehabilitation Act of 1973, the Vietnam Veteran's Readjustment Act of 1974, and Title I of the Americans with Disabilities Act of 1990, applicants who require accommodation in the job application process may contact Human Resources at .

Mass General Brigham Competency Framework

At Mass General Brigham, our competency framework defines what effective leadership "looks like" by specifying which behaviors are most critical for successful performance at each job level. The framework comprises ten competencies (half People-Focused, half Performance-Focused), each defined by observable and measurable skills and behaviors that contribute to workplace effectiveness and career success. These competencies are used to evaluate performance, make hiring decisions, identify development needs, mobilize employees across our system, and establish a strong talent pipeline.

Employers have access to artificial intelligence language tools ("AI") that help generate and enhance job descriptions, and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.