
Director - Application Security

Builders FirstSource
United States, Texas, Irving
Sep 23, 2025

We are Builders FirstSource, America's largest supplier of building materials, value-added components and building services to the professional market. You'll feel proud of the work you do here every day to transform the future of home building and help make the dream of home ownership more achievable. At BFS, we believe building a successful career is not solely defined by a degree. Your experience, skills, and passion are just as important, if not more so. As such, we are committed to creating a diverse and inclusive workplace that welcomes candidates from all backgrounds and experience levels.

The Director of Application Security is accountable for building and leading a holistic application security program that addresses both modern cloud-native applications and legacy systems. This role ensures security is embedded by design throughout the software lifecycle while enforcing enterprise-wide controls such as ITGCs, access governance, and disaster recovery requirements. This leader bridges engineering, infrastructure, and risk management teams - delivering scalable application security strategies and driving adoption of secure development practices while ensuring critical business applications remain compliant, resilient, and appropriately protected.

ESSENTIAL DUTIES AND RESPONSIBILITIES




  1. Strategic & Program Leadership

    • Develop and execute an application security roadmap grounded in enterprise risk, regulatory compliance, and secure by design principles
    • Lead enterprise-wide integration of application security into SDLC pipelines across traditional and Cloud DevOps teams
    • Maintain a balanced focus on innovation, security, and operational resilience, supporting both legacy modernization and greenfield cloud initiatives






  2. Security Architecture & Technical Controls

    • Drive threat modeling, secure architecture reviews, and implementation of compensating controls for high-risk legacy and third-party applications
    • Oversee technical control implementation, including:

      1. Application Security Testing
      2. Software composition analysis
      3. API and system-to-system access controls
      4. Security tooling, where applicable
      5. Integration with SIEM tooling for alerting and containment


    • Ensure alignment with enterprise architecture, applications and cloud strategies and their respective teams
    • Ensure compliance with relevant regulations and standards such as SOX, PCI, etc. through design and implementation of appropriate preventive or detective controls.






  3. Access & Identity Controls

    • Define and enforce secure access controls for applications, supporting:

      1. Least privilege access for all accounts, including end users, third-party contractors, service accounts and privileged access
      2. Role-based access models (RBAC/ABAC)
      3. Federated identity, i.e. SSO and IAM
      4. Secure system-to-system and API-based authentication


    • Collaborate with IAM and infrastructure teams to secure privileged access pathways (PAM) and admin interfaces (e.g., DevOps tooling, CI/CD pipelines)






  4. Governance, Risk & Compliance (ITGC Integration)

    • Ensure application-level controls support:

      1. SOX-aligned ITGCs (change management, logical access, operations)
      2. Segregation of duties between dev/test/prod - users and contractors
      3. Logging and monitoring of application and admin activity
      4. Data protection requirements (e.g., encryption, retention, classification)
      5. Third-party connection controls


    • Work closely with internal audit, GRC, and Cyber risk management teams on testing and attestation for application controls






  5. Disaster Recovery & Operational Resilience

    • Define application security requirements for DR/BCP, including:

      1. Secure recovery of application data and configurations
      2. Validation of recovery procedures for critical or regulated systems
      3. Coordination with infrastructure to validate recovery point/time objectives (RPO/RTO)


    • Ensure security controls are re-established after recovery scenarios






  6. Application Risk Management

    • Maintain an application risk inventory including application classification, criticality, and threat exposure
    • Support risk assessments for application onboarding, M&A activity, and system migrations
    • Develop key risk metrics (OKRs / KRIs) and treatment plans






  7. Stakeholder Engagement

    • Serve as a key influencer with application development, infrastructure, legal, internal audit, SOX, and risk stakeholders
    • Drive security enablement and training initiatives with engineering and product teams






  8. Incident Management & Response

    • Assist in the development, updating and testing of application-specific incident response plans and procedures
    • Participate in the detection, investigation, and resolution of cybersecurity incidents, ensuring prompt response and recovery





SUPERVISORY RESPONSIBILITIES



  • Create a team with expertise and experience in application security and risk
  • Leverage, improve and create new relationships with various business stakeholders from several departments



MINIMUM REQUIREMENT

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required.

Education & Experience



  • Bachelor's degree in Computer Science, Information Security, or related field (Master's preferred)
  • 10+ years of experience in cybersecurity, including 5+ years in M&A security or related roles
  • Experience with security in manufacturing environments, including operational technologies (OT) and industrial control systems (ICS), is a strong plus



Skills & Competencies



  • Deep understanding of cybersecurity frameworks (e.g., NIST, ISO 27001, CIS Controls).
  • Proven expertise in risk management, vulnerability assessments, and regulatory compliance.
  • Deep understanding of end-to-end business processes (Order to Cash, Procure to Pay, Inventory Management) and financial statements supported by IT systems.
  • Strong project management skills with the ability to lead cross-functional teams.
  • Excellent communication skills, capable of presenting complex security concepts to executive leadership.
  • Hands-on technical knowledge of network security, cloud platforms, endpoint protection, and data governance.
  • Knowledge of security roles / responsibilities design for ERP systems (SAP, Oracle) is a strong plus.



Preferred Certifications



  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)



COMPETENCIES



  • Evaluates Problems: Evaluates and analyzes different types of information objectively to identify appropriate solutions; writes fluently, establishing the key facts clearly and interprets numerical data effectively
  • Technical Communication/ Presentation: Communicates with clarity and precision, presenting complex information in a concise format that is audience appropriate
  • Adjusting and Driving Change: Takes a positive approach to tackling work and embraces change; invites feedback relating to performance and deals constructively with criticism. Identifies the need for and drives change when required to achieve objectives
  • Focuses on Customers: Understands and anticipates customer needs and takes action to provide high-quality products and services to exceed expectations. Ability to relate to business user needs and provide guidance to applications and development teams on achieving those needs while maintaining strong security and compliance posture.
  • Demonstrates Business Acumen: Demonstrates working knowledge of market, economic, legal, and regulatory environments and how they impact the business
  • Agile Best Practices: Understands how agility is leveraged in IT ways of working. Adopts agile best practices as appropriate throughout the assigned work lifecycle. Responds to feedback quickly based on comments of internal and external customers and needs of the market
  • Bias for Action: Takes initiative and identifies what needs to be done and acts without waiting to be asked. Executes work in a timely manner. Suggests improvements to current ways of working



BFS COMPETENCIES



  • Business and Financial Acumen

    • Demonstrates depth of understanding for the P&L and financial analysis
    • Teaches business and financial acumen to others.
    • Understands KPIs and how BFS makes money.
    • Knows the different business segments and how they relate to one another.
    • Understands customer sales and engagement.
    • Demonstrates functional and/or technical expertise.
    • Understands complex issues and demonstrates problem solving skills.
    • Understands how to maximize business results regardless of industry cycle.


  • Results Driven

    • Holds self and others accountable.
    • Communicates and sets clear goals with plans to deliver.
    • Manages competing priorities effectively.
    • Demonstrates appropriate urgency.
    • Drives to exceed expectations in alignment with our BFS SPICE values.
    • Embraces and follows best practices.
    • Demonstrates self-starter, can-do attitude.


  • Strategic Thinking and Decision Making

    • Leverages resources and teams around them to solve problems and create mutually beneficial outcomes.
    • Demonstrates willingness and courage to make tough decisions in a timely manner.
    • Balances short- and long-term priorities.
    • Demonstrates proactive versus reactive thinking.
    • Asks questions to identify root cause and analyze situations more accurately.


  • Servant Leadership

    • Demonstrates humility by putting others first.
    • Builds trust-based relationships.
    • Leads by example with kindness and respect.
    • Collaborates well across all areas of the business.
    • Advocates for others.
    • Actively listens to understand the meaning and intent of what the other person is communicating.
    • Demonstrates authenticity and encourages others to do the same.


  • Emotional Intelligence

    • Demonstrates situational awareness - knows when and how to adjust leadership style in different situations.
    • Demonstrates self-awareness - understands strengths and weaknesses.
    • Demonstrates empathy - puts themselves in others' shoes.
    • Assumes positive intent.


  • Develops and Leads Others

    • Drives alignment through clear communication of vision, goals, and expectations.
    • Invests time on a regular basis in performance feedback and developmental conversations.
    • Fosters a respectful and inclusive environment.
    • Empowers, motivates, and inspires others.
    • Coaches and mentors others for their development.
    • Guides and persuades others to deliver positive outcomes.


  • Growth Mindset

    • Demonstrates a growth mindset; takes appropriate risks, fails fast and forward, learns from mistakes.
    • Perseveres and champions growth, even in the face of resistance, ambiguity, or possible failure.
    • Thinks like an owner with an entrepreneurial spirit.
    • Demonstrates and encourages intellectual curiosity.
    • Continuous learner; seeks opportunities and knowledge for personal and professional growth.
    • Sees possibilities over problems - actively seeks solutions.


  • Innovation

    • Encourages out-of-the-box thinking to create new ways of doing things.
    • Continuously seeks to improve and simplify pain points in the business.
    • Anticipates, embraces, and leads change.
    • Develops and executes breakthrough strategies.


  • Integrity

    • Does the right thing even under challenging circumstances.
    • Communicates with honesty.
    • Consistently treats others fairly and equitably.
    • Demonstrates reliability and does what they say they will do.
    • Conducts tough conversations and delivers difficult messages with kindness and respect.





WORK ENVIRONMENT / PHYSICAL ACTIVITY

The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.



  • Subject to both typical office environment and outside locations with temperature and weather variations
  • Must be able to lift and carry up to 25 pounds
  • <25% travel required



Successful, innovative, and fulfilling careers are built here, and your professional development is a high priority. We invest in your future through the latest training, tools, and technologies. Highly collaborative, we work together to solve problems and find better ways to continually grow our business and careers every day. You'll be empowered to try new things, gain new experiences, and build a career with unlimited horizons. The scale and depth of resources that come with being the #1 building materials distributor in the nation provide a variety of opportunities for you to explore - all in a friendly, people-first environment. Join us to be more, do more, and build more, together at BFS.

At Builders FirstSource, we offer competitive, affordable benefits designed to make life better for you and the people you love. Our goal is simple - provide great plans that help you and your family to live happier, healthier and more secure lives. To view all our benefit offerings, visit www.bldrbenefits.com.


Builders FirstSource is an Equal Opportunity/Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, protected veteran status or status as an individual with a disability.

In compliance with the ADA Amendments Act (ADAAA), if you have a disability and would like to request an accommodation in order to apply for a position with Builders FirstSource, please call (214) 765-3990 or email: ADA.Accommodation@bldr.com. Please do not send resumes to this email address - it is intended only to be used to request an accommodation in submitting an application for a job opening.
