Position Description: CGI is seeking a Lead DevSecOps Engineer to champion secure-by-design engineering across our cloud and application platforms. You will lead the integration of security into CI/CD pipelines, architect secure cloud environments, and guide teams in adopting modern DevSecOps practices.
This is a high-impact leadership role where you will influence strategy, mentor engineers, and shape CGI's security posture across mission-critical systems.
We're standing up a dedicated vulnerability management practice at one of the largest banks in the US, automating what two vendor teams currently do by hand, and building the AI layer that takes it further.
The work is hands-on, the impact is visible, and you'll have a delivery team ready to execute with you from day one.
This position is located at our client site in Cleveland, OH, Pittsburgh, PA, or Dallas, TX.
For this role on this particular client engagement, employer sponsorship of immigration related visa and/or status as part of the PERM process will not be available.
Future duties and responsibilities
DevSecOps Practice Leadership
. Build and lead the DevSecOps engineering practice across all three execution crews: Platform & Infra, Application/Data/Middleware, and Container & TRC.
. Own the Definition of Done for vulnerability remediation across all 130 mnemonics: what constitutes a properly remediated, validated, and closed item before Archer POAM closure and rescan submission.
. Coach GCC offshore engineers on PNC-specific practices including Bitbucket branching standards, Jenkins pipeline security gates, PAC enforcement, and CaaS container security policies. Act as the technical escalation point between execution crews and the Solution Architect.
Jenkins Pipeline Security and Automation
. Own the security and reliability of all Jenkins pipelines used for vulnerability remediation automation including PR generation, RITM automation, and remediation validation.
. Implement and maintain security gates within Jenkins pipelines enforcing PAC policy checks, scan thresholds, and approval workflows before any automated fix proceeds.
. Build and maintain Jenkins shared library components for reusable pipeline steps covering Archer status updates, ServiceNow RITM creation, Sysdig alert ingestion, and rescan triggering.
. Ensure all pipeline changes go through client's CAB review process and do not bypass deployment governance.
Bitbucket and Artifactory Operations
. Own the Bitbucket repository structure and branching standards for the CGI GCC automation codebase including runbook scripts, Python tools, Ansible playbooks, and Terraform modules.
. Manage Bitbucket PR workflow configurations including required reviewers, merge checks, and automated status checks that enforce quality gates before remediation scripts are merged.
. Maintain Artifactory integration within the vulnerability remediation pipeline managing artifact promotion, dependency resolution, and scanning to ensure no vulnerable dependencies are introduced into the automation toolchain.
Policy-as-Code and Compliance Automation
. Implement and maintain client PAC policy rules governing vulnerability remediation automation, ensuring automated remediations comply with client's security policies before execution.
. Build Ansible playbooks for repeatable infrastructure remediation patterns including OS patch application, SSL/TLS configuration updates, and server hardening aligned to client standards.
. Develop Terraform modules for infrastructure-level vulnerability remediations requiring environment configuration changes.
. Implement automated compliance evidence generation producing audit-ready outputs from Jenkins pipeline executions that satisfy client's OCC, FFIEC, and SOX audit requirements.
Vulnerability Tool Operations
. Own the day-to-day health and configuration of all vulnerability tool integrations including Archer API connections, Tanium feed ingestion, Sysdig alert routing, SecurityCenter data pipelines, and Imperva alert processing.
. Maintain the Python-based ServiceNow integration that creates, routes, and tracks RITMs to PNC platform teams including Converge, Firewall, DBA, Patching, NAS, and DNS without manual intervention.
. Monitor Sysdig feed health ensuring Docker/CaaS vulnerability alerts are correctly processed and deduplicated against Archer records.
. Manage scan credential rotation for authenticated scans across Tanium, SecurityCenter, and Sysdig to prevent scan coverage gaps.
Secrets and Access Management
. Own secrets management for all automation pipelines and service accounts via CyberArk in compliance with PNC's credential management standards.
. Ensure least-privilege access for all Jenkins service accounts, Bitbucket automation users, and Archer API integrations with quarterly access reviews.
. Maintain CyberArk integration within Jenkins pipelines ensuring no credentials are hardcoded in Jenkinsfiles, Ansible playbooks, Python scripts, or Terraform configurations.
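The last two items call for a pipeline-enforced "no hardcoded credentials" rule. The block below is an added illustration of such a pre-merge gate, written for this page; it is not CGI's, PNC's, or any vendor's code. It scans the four file families named above for credential-like keys assigned a string literal, and lets through values that are references to a secrets store (a Jenkins credentials() binding, an Ansible lookup(), a Terraform variable or interpolation). The sample files and their contents are constructed for the example; the key list and reference prefixes are assumptions a team would tune to its own standards. Findings deliberately omit the matched value so the gate's own log never becomes a second copy of the secret.

```python
"""Pre-merge gate: reject hardcoded credentials in automation code.

Added example, not code from CGI, PNC, CyberArk, Jenkins or any other tool
named on this page. Scans Jenkinsfile, Ansible, Python and Terraform sources
for credential-like keys assigned a literal value and flags them, while
allowing values that are references to a secrets store. Sample inputs are
constructed for the example; the key list and reference prefixes are
assumptions to be tuned per environment.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Key names whose value must never be a literal (assumed list, extend as needed).
KEY = r"\w*(?:password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)\w*"

# key = "literal" / key: 'literal'  -- Jenkinsfile, Groovy, Python, Terraform.
ASSIGNMENT = re.compile(
    r"\b(?P<key>" + KEY + r")\s*[:=]\s*(?P<q>['\"])(?P<value>[^'\"]{4,})(?P=q)", re.I)
# key: unquoted-scalar  -- Ansible/YAML values that never went through quotes.
YAML_SCALAR = re.compile(
    r"^\s*(?P<key>" + KEY + r")\s*:\s*(?P<value>[^\s'\"{$][^#]*?)\s*$", re.I)
# Values that are lookups, not secrets: Terraform/Groovy interpolation, Jinja,
# Jenkins credentials(), Ansible lookup(), Terraform var./data., env refs.
REFERENCE = re.compile(
    r"^(?:\$\{|\{\{|\$[A-Za-z_]|credentials\(|lookup\(|var\.|data\.|env\.|os\.environ)")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str  # the value is intentionally not recorded


def is_secret_store_reference(value: str) -> bool:
    """True when the literal is a pointer into a secrets store, not a secret."""
    return REFERENCE.match(value.strip()) is not None


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per line that assigns a literal to a credential key."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pattern in (ASSIGNMENT, YAML_SCALAR):
            m = pattern.search(line)
            if m and not is_secret_store_reference(m.group("value")):
                findings.append(Finding(path, n, m.group("key")))
                break  # one finding per line is enough to fail the gate
    return findings


def gate(files: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """Gate verdict for a set of path -> content pairs: (passed, findings)."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (not findings), findings


# Constructed sample repository contents (not real credentials or real files).
SAMPLE_FILES: Dict[str, str] = {
    "Jenkinsfile": """
pipeline {
  environment {
    ARCHER_TOKEN = credentials('archer-api-token')   // credential binding, allowed
    SNOW_PASSWORD = "Sup3rS3cret!"                    // literal, must be rejected
  }
}
""",
    "remediate.yml": """
- hosts: linux_patch_targets
  vars:
    ansible_password: "{{ lookup('cyberark.pas.cyberark_credential', 'db-svc') }}"
    vault_token: hvs.AAAAexamplehardcodedtoken
""",
    "tool.py": """
import os
API_KEY = os.environ["SYSDIG_API_KEY"]
password = 'letmein123'
""",
    "main.tf": """
variable "db_password" { sensitive = true }
resource "aws_db_instance" "x" {
  password = var.db_password
  master_secret = "${var.db_password}"
}
""",
}

if __name__ == "__main__":
    passed, found = gate(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line}: literal assigned to '{f.key}'")
    print("gate:", "PASS" if passed else "FAIL")
```

Run as a merge check (for example from a Bitbucket webhook or a Jenkins pre-merge stage), a non-zero exit on FAIL blocks the PR before a remediation script with an embedded password reaches the shared automation toolchain; the allowlist is what keeps legitimate CyberArk and Jenkins credential references from tripping it.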
Reporting and Observability
. Build and maintain the unified vulnerability SLA dashboard in Archer providing a real-time view of open vulnerability counts by severity, MTTR by crew, backlog burn-down by mnemonic, and SLA compliance rate for PNC leadership.
. Develop automated weekly SLA reports integrating Archer vulnerability status, Jira sprint metrics, and ServiceNow RITM resolution times into a single consolidated view.
. Maintain Confluence documentation for all automation pipelines, runbooks, and DevSecOps standards.
Shift-Left and Continuous Improvement
. Drive shift-left security practices within client's BTI Retail, Lending, AMG, and CIB application teams by embedding PAC checks and container security scanning in Bitbucket PR pipelines before vulnerabilities surface in Sysdig scans.
. Identify and implement automation improvements targeting the highest volume repeatable remediation patterns.
. Contribute operational insights from pipeline execution data to the Solution Architect and AI/ML Engineers to continuously improve the AI triage engine.
Required Qualifications:
. 7+ years of hands-on DevSecOps or security automation engineering in enterprise environments
. Deep Jenkins experience in production at enterprise scale: shared library development, pipeline-as-code, credential management, plugin administration, and troubleshooting in multi-team environments
. Bitbucket administration and pipeline integration: branch permissions, PR workflow configuration, webhook-driven automation, and Jenkins integration patterns
. Artifactory: dependency management, artifact promotion, repository configuration, and security scanning integration
. Python at production quality: REST API integrations, data pipeline code, and automation scripts that GCC engineers will maintain
. Ansible: writing and maintaining playbooks for OS-level and middleware-level remediations on Linux and Windows
. Terraform: writing modules for infrastructure configuration changes with proper state management and change governance
. Policy-as-code implementation: OPA/Conftest or equivalent enforcing security standards within CI/CD pipelines at runtime
. REST API integration: production integrations against Archer GRC, ServiceNow, and Jira APIs
. Container platform operations: Docker and OpenShift/OCP specifically including image management, CaaS operations, and container security scanning
. Vulnerability management platform experience: Archer GRC, Tanium, or SecurityCenter in an operational day-to-day capacity
. CyberArk secrets management: integrating CyberArk with CI/CD pipelines and enforcing no-hardcoded-credentials standards
. Banking or financial services environment: CAB process, change window management, production deployment governance, and audit evidence requirements in a regulated context. Non-negotiable for this engagement.
Preferred Qualifications
. Direct PNC environment experience: familiarity with Converge, Micron framework, CaaS/OCP configuration, or BTI Retail/Lending mnemonic structure
. Sysdig operational experience: container vulnerability scanning, alert configuration, and downstream triage integration
. Tanium experience: endpoint detection, vulnerability data extraction, and API integration
. LangChain or AI agent pipeline experience: Phase 2 introduces an AI triage engine and engineers who can contribute to its operational integration will be more effective
. Jira administration and Confluence technical documentation at production quality
Other Information:
CGI is required by law in some jurisdictions to include a reasonable estimate of the compensation range for this role. The determination of this range includes various factors, including but not limited to skill set, level, experience, relevant training, and licensure and certifications. To support the ability to reward for merit-based performance, CGI typically does not hire individuals at or near the top of the range for their role. Compensation decisions are dependent on the facts and circumstances of each case. A reasonable estimate of the current range for this role in the U.S. is $57,100.00 - $154,300.00.
CGI's benefits are offered to eligible professionals on their first day of employment to include:
. Competitive compensation
. Comprehensive insurance options
. Matching contributions through the 401(k) plan and the share purchase plan
. Paid time off for vacation, holidays, and sick time
. Paid parental leave
. Learning opportunities and tuition assistance
. Wellness and Well-being programs
Skills:
- Container Technology
- Jenkins
- Python
- Terraform
- Vulnerability coordination
- Ansible
- Bitbucket
What you can expect from us: Together, as owners, let's turn meaningful insights into action. Life at CGI is rooted in ownership, teamwork, respect and belonging. Here, you'll reach your full potential because...
You are invited to be an owner from day 1 as we work together to bring our Dream to life. That's why we call ourselves CGI Partners rather than employees. We benefit from our collective success and actively shape our company's strategy and direction.
Your work creates value. You'll develop innovative solutions and build relationships with teammates and clients while accessing global capabilities to scale your ideas, embrace new opportunities, and benefit from expansive industry and technology expertise.
You'll shape your career by joining a company built to grow and last. You'll be supported by leaders who care about your health and well-being and provide you with opportunities to deepen your skills and broaden your horizons.
Come join our team, one of the largest IT and business consulting services firms in the world.
Qualified applicants will receive consideration for employment without regard to their race, ethnicity, ancestry, color, sex, religion, creed, age, national origin, citizenship status, disability, pregnancy, medical condition, military and veteran status, marital status, sexual orientation or perceived sexual orientation, gender, gender identity, and gender expression, familial status or responsibilities, reproductive health decisions, political affiliation, genetic information, height, weight, or any other legally protected status or characteristics to the extent required by applicable federal, state, and/or local laws where we do business.
CGI provides reasonable accommodations to qualified individuals with disabilities. If you need an accommodation to apply for a job in the U.S., please email the CGI U.S. Employment Compliance mailbox at . You will need to reference the Position ID of the position in which you are interested. Your message will be routed to the appropriate recruiter who will assist you.
Please note, this email address is only to be used for those individuals who need an accommodation to apply for a job. Emails for any other reason or those that do not include a Position ID will not be returned. We make it easy to translate military experience and skills! Click here to be directed to our site that is dedicated to veterans and transitioning service members.
All CGI offers of employment in the U.S. are contingent upon the ability to successfully complete a background investigation. Background investigation components can vary dependent upon specific assignment and/or level of US government security clearance held. Dependent upon role and/or federal government security clearance requirements, and in accordance with applicable laws, some background investigations may include a credit check. CGI will consider for employment qualified applicants with arrests and conviction records in accordance with all local regulations and ordinances.
CGI will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with CGI's legal duty to furnish information.