The Director of Application Security Governance plays a key role in creating, maintaining, and enhancing application security practices, and in activating and facilitating IT Risk and Security policy and controls throughout the US Application Development organization. The role acts as an interface between the organizations led by the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO), helping to balance the risk- and policy-based requirements set by the CISO with the business-led activities and programs set by the CIO. In this capacity, the Director of Application Security Governance must be able to drive objectives that enhance security controls and standards while balancing business priorities and constraints. Central to the US CIO team, and covering all lines of business in the US, this role is responsible for forming plans that improve application security and for tracking and reporting metrics related to security compliance. This includes working with the Application Security Champions and the Application Security team on the identification, prioritization, and resolution of application vulnerabilities and flaws.
The Director of Application Security Governance supports the implementation of application security practices, provides regular status reports to senior management, and facilitates the governance and resolution of application vulnerabilities in the US portfolio.
Work with Application Development managers and Security Champions to create application security plans and roadmaps that follow IT Risk and Security policies and standards, and support them in understanding and responding to internal audit reviews and legal and regulatory compliance efforts, including the remediation of any identified findings.
Ensure that security measures are incorporated into strategic application plans and that Application Development and IT Risk and Security expectations and activities are well balanced and properly defined.
Assist in prioritizing the remediation of vulnerabilities and flaws based on the risk profile of the affected applications and the criticality of each vulnerability, and provide guidance as needed through the Application Security Champions.
Work with the CISO to develop security projects and activities that address identified risks and business security requirements, incorporating a perspective on the implications of these activities and projects for the application environment and the US business.
Develop, track and report on relevant application risk and security metrics to drive prioritization and accountability of security flaw remediation as well as security performance.
Accountable for the organization's adoption of processes and tools to identify security flaws and for establishing practices that raise application security levels.
Be the liaison between Application Development, the Application Security Champion Lead, Internal Audit, and the IT Risk functions. Coordinate operational activity including risk assessments, plans for closure of risk findings, disaster recovery compliance, and associated line-of-business reporting. Participate in security assessments of US applications and IT infrastructure as part of the organization's overall risk management practice. Manage the list of in-scope applications, their timelines, and their compliance with vulnerability testing.
Provide relevant stakeholder communication, including policy changes, risk awareness, and security training, and create a strategy to support adoption of new IT risk tools, processes, or organizational changes.
Work with Security Champions to enhance the DevSecOps model by advocating for secure coding practices and standards and ensuring they exist and are communicated.
People manager of a small team.
Bachelor’s degree in computer science, information systems or related field, or equivalent work experience.
7+ years of related IT experience, with 5 years in an information security role and at least 2 years in a supervisory role. This role requires an individual with both a strategic and an IT risk background.
Experience with threat modeling methods and data analysis.
Familiarity with frameworks such as COBIT, ISO 27001/27002, and the NIST Cybersecurity Framework.
Strong leadership skills and ability to work effectively with a multi-disciplinary set of stakeholders across different levels and with minimal supervision.
Strong understanding of the business impact of security tools, processes, and policies, and high proficiency in assessing application risk and business impact, identifying control and vulnerability assessments, and defining treatment strategies.
Familiarity with tools such as Archer, Veracode, and Primeon.
Team player; able to work collaboratively and effectively with and through others at all levels in an organization; proven ability to influence others and move toward a common vision or goal.
Excellent problem-solving and analytical skills; able to identify root causes and think strategically and critically to develop solutions to complex problems. Resilient and tenacious, with a propensity to persevere.
Organized, with a natural inclination for planning and attention to detail and accuracy; a mindset of continuous improvement.
MBA or MS in information security is preferred.
Experience building and maintaining application roadmaps.
Professional certifications: CISA, CISM, CSSLP, or CISSP, applied to software development lifecycles.
Experience with OpenPages GRC.
Experience with compliance requirements for HIPAA, PCI, SOX, and NYDFS.
Regional Application Development
At MetLife, we’re leading the global transformation of an industry we’ve long defined. United in purpose, diverse in perspective, we’re dedicated to making a difference in the lives of our customers.
Internal Number: 110410
MetLife offers solutions and guidance to help customers meet their goals and navigate life's twists and turns.
We're changing the way we do business to become the trusted partner you need.
We are committed to giving people, families, and communities what they need to adapt to their changing world.