Director of Product Security Engineering

6 months ago


Gaithersburg, United States AstraZeneca Full time

Are you ready to be part of the future of healthcare? Are you able to think big, be bold, and harness the power of digital and AI to tackle longstanding life sciences challenges? Then Evinova, a new health tech business, part of the AstraZeneca Group, might be for you.

As the Director of Product Security Engineering, you have a unique opportunity to join Evinova from the beginning. You will play a key role in implementing innovative cyber security practices that are designed by industry, for industry. You will report directly to the Evinova Head of Cyber Security, and focus on collaborating with application development and platform engineering teams to deliver high quality application security services and expertise (e.g., code scanning, remediation prioritization and support). Additionally, you will collaborate across the entire Chief Technology Officer (CTO) organization to define and implement a multi-year application security and DevSecOps roadmap. You will have ample opportunity for program ownership, increased levels of accountability, and significant visibility within the CTO Leadership Team. You will collaborate with globally dispersed technology teams. Success in this role requires leading by influence, strong emotional intelligence, and a natural disposition towards precision and accuracy. The ideal candidate will think holistically and proactively deliver on strategic initiatives to ensure our digital solutions and platform are secured against emerging threats.

Key Responsibilities include:

Develop and operationalize a standardized Application Security and DevSecOps program which encompasses the core activities of Threat Modeling, Security Tools and Testing (e.g., SAST, SCA, DAST, IAST, etc.), and incorporating “privacy by design” and “secure by default” design processes into the CI / CD pipeline.

Leverage a variety of AppSec and DevSecOps oriented tools to identify, assess, and prioritize security vulnerabilities across our products and platform. Additionally, automate and standardize system configurations with a secure-by-default disposition. This role will also be a key influencer for the selection of program enabling tools / solutions.

 Execute in-depth analysis and provide assurance over application code, infrastructure, architecture, and configuration posturing.

Establish strong and productive relationships to ensure cyber security is viewed as an enabler and market differentiator. Provide expert level advisory and guidance on secure coding practices and addressing potential security risks.

Establish and operationalize an application security vulnerability management program which includes steps to validate, analyze, and prioritize vulnerabilities. Additionally, drive remediation efforts.

Develop secure development standards and related trainings to raise awareness of secure coding practices, threat actor tactics, and regulatory requirements. Lead efforts to automate infrastructure provisioning and application deployments.

Provide cyber expertise in the definition and implementation of Infrastructure as Code patterns and practices.

Partner with cyber security colleagues to deliver on continuous improvement objectives and deepen adjacent teams’ awareness of product and application security risks and threat actor trends.

Execute security architecture reviews for major product changes, providing assurance over security standards alignment, and driving security enhancements across existing solutions.

Lead co-sourced engagements to conduct application penetration testing and other simulated “hacking” activities to proactively identify weaknesses and develop actionable remediation strategies.

Collaborate with the Cyber GRC Lead to develop and report on related Key Performance Indicators and Key Risk Indicators, and the continuous improvement of security controls, processes, policies, standards, and other governing documents.

Together with the Security Operations Lead, manage and respond to product and application security alerts – guiding platform and product teams through high severity incidents. 

Provide support to external audit and customer due diligence requests, and provide training to adjacent colleagues on security awareness and best practices.

Essential Skills/Experience:

6+ years of relevant experience and Bachelor’s degree or 10+ years of relevant experience and High School Diploma. Relevant experience may include work in the areas of software development, application and API security, penetration and vulnerability scanning, and ethical hacking.

Prior experience providing AppSec capabilities for a SaaS / cloud service provider.

Expert level understanding of security standards (e.g., ISO 27001, GDPR, OWASP), DevSecOps practices / tools (e.g., CI/CD, Infrastructure as Code, SAST, DAST), and agile methodologies.

Deep understanding of application security related frameworks, securing applications on the AWS cloud platform, containerization technologies, and security best practices (e.g., API, Containers, AWS Cloud).

Strong familiarity and past experiences conducting Open-Source Software Clearance and Threat Modelling.

Prior experiences conducting web and mobile application penetration testing, documenting results, and presenting remediation strategies to a diverse stakeholder group.

Prior experiences successfully driving “secure by default” / shift left buy in across multiple teams.

Ability to make pragmatic decisions by analyzing highly complex situations, assessing risks and balancing strategic and tactical compliance/quality requirements.

Ability to work independently in a fast-paced environment with a proven ability to manage competing priorities.

Excellent written and verbal communication skills (English), project management, process improvement, attention to detail, and strategic thinking skills are highly preferred.

At least one of the following professional certifications: Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), AWS Solutions Architect, and / or Certified Ethical Hacker (CEH).

Knowledge of at least 2 programming languages used in web-based applications.

Desirable Skills/Experience:

Master’s degree in Technology, Computer Science, Software Engineering, or a related field.

Demonstrable experience presenting to external customers and senior levels of management.

Prior experience as a Software Developer, Infrastructure Engineer, and / or Product Security Officer.

Expert knowledge on threat actors targeting the Healthtech sector and SaaS solution providers.

Experience providing AppSec capabilities within a highly regulated sophisticated global business environment, particularly in the healthcare and / or clinical research industry. 

Demonstrate initiative, strong customer orientation, and cross-cultural working. 

In Office Requirement:

When we put unexpected teams in the same room, we unleash bold thinking with the power to inspire life-changing medicines. In-person working gives us the platform we need to connect, work at pace and challenge perceptions. That’s why we work, on average, a minimum of three days per week from the office. This role is based in Gaithersburg MD. Remote or alternative arrangements are not available for this role.

Why Evinova?

Evinova draws on AstraZeneca’s deep experience developing novel therapeutics, informed by insights from thousands of patients and clinical researchers. Together, we can accelerate the delivery of life-changing medicines, improve the design and delivery of clinical trials for better patient experiences and outcomes, and think more holistically about patient care before, during and after treatment. We know that regulators, healthcare professionals and care teams at clinical trial sites do not want a fragmented approach. They do not want a future where every pharmaceutical company provides their own, different digital solutions. They want solutions that work across the sector, simplify their workload and benefit patients broadly. By bringing our solutions to the wider healthcare community, we can help build more unified approaches to how we all develop and deploy digital technologies, better serving our teams, physicians and ultimately patients. Evinova represents a unique opportunity to deliver meaningful outcomes with digital and AI to serve the wider healthcare community and create new standards for the sector. Join us on our journey of building a new kind of health tech business to reset expectations of what a bio-pharmaceutical company can be. This means we’re opening new ways to work, pioneering cutting edge methods and bringing unexpected teams together. Interested? Come and join our journey

Date Posted

24-Jun-2024

Closing Date

27-Jun-2024

Our mission is to build an inclusive and equitable environment. We want people to feel they belong at AstraZeneca and Alexion, starting with our recruitment process. We welcome and consider applications from all qualified candidates, regardless of characteristics. We offer reasonable adjustments/accommodations to help all candidates to perform at their best. If you have a need for any adjustments/accommodations, please complete the section in the application form.

AstraZeneca requires all US employees to be fully vaccinated for COVID-19 but will consider requests for reasonable accommodations as required by applicable law.
