Director, Application Security

3 weeks ago


Collegeville, Pennsylvania, United States Pfizer Full time

ROLE SUMMARY

Pfizer's Global Information Security (GIS) organization delivers proactive cyber defense for the global enterprise. Our mission is to secure all of Pfizer's digital information assets, from scientific breakthroughs to manufacturing, and out to the patients we serve. We achieve this through world-class talent, top-tier technologies, best practices, and fostering a cybersecurity ownership culture across the company.

The Director of Application Security will lead efforts to fortify the security posture of Pfizer's on-premise and cloud critical applications and infrastructure. This includes hardening application security, eliminating configuration errors, ensuring proper authorizations, and establishing comprehensive logging for incident responders.

The Director will also drive the development of Application Security Services strategy, including: policy, conducting security assessments, hardening Pfizer's key line of business applications, leading red team exercises, addressing application vulnerabilities, and enhancing operational processes.

Collaboration with the DevOps team and the broader developer community at Pfizer is crucial for success, ensuring adherence to policy and evolving security standards. This position requires thought leadership, technical expertise and strong communication skills to support Secure Business Enablement (SBE) initiatives. The incumbent will report to the Sr. Director, Secure Business Enablement and be part of the Global Information Security (GIS) organization within Pfizer Enterprise Platforms & Security.

ROLE RESPONSIBILITIES

Primary responsibilities involve spearheading the implementation of comprehensive security measures for Pfizer's critical applications and supporting infrastructure. This includes strategizing and overseeing the development of security policies, leading application security assessments and red team operations, and implementing advanced logging and monitoring systems for effective incident response. The role emphasizes driving initiatives to eliminate configuration errors, enforcing strict authorization protocols, and integrating security best practices into the development lifecycle with DevSecOps teams. Working closely with Digital Leads, Principal Engineers, and Product Owners, the incumbent ensures technical decisions support overarching security strategic priorities.

  • Own and develop strategic application security policies, ensuring they are effectively communicated and adopted across all teams
  • Lead and inspire DevSecOps teams to integrate secure API development and deployment practices
  • Foster a culture of continuous improvement in application security across the organization
  • Oversee and mentor junior team members, fostering a culture where colleagues can thrive and continue to sharpen application security skillsets
  • Engage with regulatory bodies to ensure applications adhere to security compliance and regulatory requirements
  • Own the development and delivery of training curricula to enhance application security awareness among developers and stakeholders
  • Evaluate and integrate new security technologies to enhance application protection measures, staying ahead of emerging threats
  • Coordinate with other Digital business lines to ensure holistic and integrated security measures are applied consistently
  • Spearhead comprehensive security assessments and vulnerability testing for critical applications, mentoring teams in best practices
  • Guide strategic application incident response initiatives, providing high-level technical direction and support during security incidents
  • Oversee the development and implementation of advanced monitoring and logging mechanisms for real-time threat detection
  • Drive initiatives to eradicate configuration errors and strengthen application security through robust authorization protocols
  • Conduct high-level application security audits and integrate findings into the broader application security strategy
  • Guide the implementation of security patches and updates, ensuring timely and effective application protection
  • Conduct application architectural design reviews, ensuring security and compliance are integral to the development process
  • Exercise sound judgment and decision-making, leveraging knowledge, experience, policies, procedures, and Pfizer's core values (Courage, Excellence, Equity, & Joy)
  • Ownership and accountability for SaaS Application Security Strategy including: Integrations, On/Off-boarding, Operations and emphasizing collaborative protection of cloud-based services (AppOmni)

BASIC QUALIFICATIONS

  • Bachelor's Degree in cybersecurity, computer science, information systems, or a related field
  • 10+ years of experience in application security, software development, or security engineering
  • 5+ years of experience with cloud security technology principles (AWS, Azure, Google Cloud), on-premise enterprise environments and software delivery models (SaaS, IaaS)
  • 5+ years of operating with SaaS Applications, strong understanding of API functionality, secure coding practices and automation principles
  • Proven experience in agile work environments with strong collaborative and problem-solving skills
  • Expertise in application security tools and methodologies, including OWASP Top 10 and API Security
  • Expertise in threat modeling, security architecture design, and secure coding practices
  • Strong leadership experience in managing, guiding, and mentoring security teams
  • Excellent communication skills for conveying complex security issues to diverse stakeholders
  • Experience with regulatory compliance frameworks such as GDPR, HIPAA, and SOX
  • Proficiency in risk assessment and mitigation strategies
  • Hands-on experience with incident response and handling
  • Advanced knowledge of scripting languages such as Python, Bash, or PowerShell
  • Experience with containerization technologies (Docker), orchestration (Kubernetes), and infrastructure as code (Terraform)
  • Proficiency in application security assessments, penetration testing, and vulnerability management
  • Familiarity with security frameworks such as NIST SSDF, OpenSAMM, or BSIMM
  • Certification in relevant security areas, such as CISSP, CISM, or equivalent
  • Experience with identity and access management (IAM), security information and event management (SIEM), and endpoint protection platforms
  • Ability to work under pressure in a fast-paced environment and manage multiple projects simultaneously
  • Demonstrated leadership in developing and implementing security policies, procedures, and standards

PREFERRED QUALIFICATIONS

  • Master's degree in Information / Cyber Security is a plus
  • Experience with security automation and orchestration tools
  • Knowledge of data privacy regulations such as GDPR and CCPA
  • Experience with integrating security into CI/CD pipelines and DevSecOps practices
  • Strong understanding of data protection laws and privacy regulations
  • Experience with advanced threat detection and response tools
  • Knowledge of machine learning and AI applications in cybersecurity
  • Experience with blockchain security and secure software supply chain management
  • Familiarity with zero trust architecture and implementation
  • Expertise in developing and delivering cybersecurity training programs

Candidate demonstrates a breadth of diverse leadership experiences and capabilities including: the ability to influence and collaborate with peers, develop and coach others, oversee and guide the work of other colleagues to achieve meaningful outcomes and create business impact.

NON-STANDARD WORK SCHEDULE, TRAVEL OR ENVIRONMENT REQUIREMENTS

Standard work schedule & 10% domestic travel required

Last Date to Apply for Job: 9/3/2024

The annual base salary for this position ranges from $161,600.00 to $269, In addition, this position is eligible for participation in Pfizer's Global Performance Plan with a bonus target of 20.0% of the base salary and eligibility to participate in our share based long term incentive program. We offer comprehensive and generous benefits and programs to help our colleagues lead healthy lives and to support each of life's moments. Benefits offered include a 401(k) plan with Pfizer Matching Contributions and an additional Pfizer Retirement Savings Contribution, paid vacation, holiday and personal days, paid caregiver/parental and medical leave, and health benefits to include medical, prescription drug, dental and vision coverage. Learn more at Pfizer Candidate Site - U.S. Benefits. Pfizer compensation structures and benefit packages are aligned based on the location of hire. The United States salary range provided does not apply to Tampa, FL or any location outside of the United States.

Relocation assistance may be available based on business needs and/or eligibility.

Sunshine Act

Pfizer reports payments and other transfers of value to health care providers as required by federal and state transparency laws and implementing regulations. These laws and regulations require Pfizer to provide government agencies with information such as a health care provider's name, address and the type of payments or other value received, generally for public disclosure. Subject to further legal review and statutory or regulatory clarification, which Pfizer intends to pursue, reimbursement of recruiting expenses for licensed physicians may constitute a reportable transfer of value under the federal transparency law commonly known as the Sunshine Act. Therefore, if you are a licensed physician who incurs recruiting expenses as a result of interviewing with Pfizer that we pay or reimburse, your name, address and the amount of payments made currently will be reported to the government. If you have questions regarding this matter, please do not hesitate to contact your Talent Acquisition representative.

EEO & Employment Eligibility

Pfizer is committed to equal opportunity in the terms and conditions of employment for all employees and job applicants without regard to race, color, religion, sex, sexual orientation, age, gender identity or gender expression, national origin, disability or veteran status. Pfizer also complies with all applicable national, state and local laws governing nondiscrimination in employment as well as work authorization and employment eligibility verification requirements of the Immigration and Nationality Act and IRCA. Pfizer is an E-Verify employer. This position requires permanent work authorization in the United States.

Information & Business Tech
