Director of Application Security

Amex GBT is a place where colleagues find inspiration in travel as a force for good and – through their work – can make an impact on our industry. We’re here to help our colleagues achieve success and offer an inclusive and collaborative culture where your voice is valued.

Amex GBT is seeking a forward-thinking Director of Application Security to lead the strategic development and execution of a world-class application security program. Reporting directly to the Chief Information Security Officer (CISO), this highly technical leadership role will shape and drive the vision for embedding security across the software development lifecycle (SDLC), including modern AI and machine learning platforms.

The ideal candidate brings deep expertise in secure software development, application security engineering, CI/CD automation, and the ability to integrate security into traditional, cloud-native, and AI-enabled development environments. You will lead a global team of security engineers, build scalable, developer-centric security capabilities, and influence security strategies across engineering, infrastructure, DevOps, and data science teams.

What You’ll Do:

• Own and evolve the enterprise application security program, including long-term vision, technical direction, and execution.
• Define and implement scalable and modern AppSec practices that support cloud-native and AI-enabled application development.
• Lead, mentor, and grow a globally distributed team of application security engineers and specialists.
• Champion a proactive, "shift-left" security culture by embedding security into the entire SDLC.
• Act as a strategic partner to development, DevOps, AI/ML, and product teams to embed secure practices into software delivery and data science workflows.
• Build strong cross-functional relationships to promote security-first thinking and align security investments with business value.
• Represent application security in broader enterprise architecture, risk, and compliance initiatives.
• Drive adoption and optimization of security tooling (SAST, DAST, SCA, IAST, secrets scanning, etc.) integrated into CI/CD workflows.
• Design and deploy developer-friendly tooling for threat modeling, code scanning, secrets detection, and dependency analysis.
• Collaborate with AI/ML engineering teams to implement secure design patterns for model development, training pipelines, and AI service deployment.
• Develop and enforce security controls for AI applications including data integrity, adversarial robustness, model governance, and prompt injection prevention.
• Evaluate and integrate emerging tools focused on securing machine learning pipelines, generative AI models, and AI APIs.
• Build scalable security enablement programs for engineering teams, including secure coding workshops, bootcamps, and self-service platforms.
• Guide the development of internal security documentation, policies, and standards.
• Implement secure-by-default frameworks and reference architectures for internal use.
• Stay current on application security threats, AI security research, and evolving best practices in cloud and software engineering.
• Define key performance indicators (KPIs) to measure security posture and program effectiveness.
• Lead post-incident security reviews and ensure lessons are integrated into the engineering lifecycle.

What We’re Looking For:

• 10+ years in information security or technology risk roles with a focus on application security, DevSecOps, or product security.
• 5+ years of leadership experience managing high-performing technical teams.
• Hands-on software development background (5+ years), including experience with secure coding and architecture.
• Deep experience building or securing AI/ML platforms, APIs, or pipelines, especially in enterprise-scale environments.
• Proven track record in building AppSec frameworks, secure SDLC processes, and security tooling at scale.
• Deep understanding of OWASP Top 10, threat modeling, secure architecture, vulnerability management, and software supply chain risks.
• Expertise in CI/CD security and integrating tools such as GitHub Actions, Jenkins, Terraform, CloudFormation, etc.
• Familiarity with programming and scripting (e.g., Python, JavaScript, Bash) and cloud platforms (AWS, Azure, GCP).
• Experience implementing AI security best practices, including model input validation, training data protection, and secure deployment of LLMs.
• Knowledge of AI/ML-specific risks such as model inversion, data poisoning, adversarial examples, and prompt injection.
• Proficiency with cloud-native environments and container security (e.g., Docker, Kubernetes).
• Ability to build and lead high-performing global teams, including contractors and remote contributors.
• Strong communication skills, capable of translating complex security concepts to executive and engineering audiences.
• Highly collaborative, with the ability to navigate complex environments and influence across functions.
• Comfortable operating in dynamic, high-growth, and high-stakes environments.
• CISSP, CSSLP, AWS Security Specialty, GCIH, GCED, or relevant AI/ML certifications (e.g., Google Cloud ML, AWS Machine Learning Specialty).

Location

The US national annual base salary range for this position is from $100,000 to $200,000.  The national range provided includes the base salary that GBT expects to pay for the role.  Actual base salary will be based on factors including the scope and complexity of the role and the successful candidate’s relevant experience, skills, knowledge, and work location.

In addition to base salary, this role is eligible for our Annual Incentive Award plan, which rewards participants based on company and individual performance and is also eligible for awards under the company Equity Incentive Plan, which is designed to align participants' interests with those of shareholders.  For information about our comprehensive US benefits programs and eligibility, please review our Benefits-at-a-Glance document.

Benefits at a glance

The #TeamGBT Experience

Work and life: Find your happy medium at Amex GBT.

• Flexible benefits are tailored to each country and start the day you do. These include health and welfare insurance plans, retirement programs, parental leave, adoption assistance, and wellbeing resources to support you and your immediate family.

• Travel perks: get a choice of deals each week from major travel providers on everything from flights to hotels to cruises and car rentals.

• Develop the skills you want when the time is right for you, with access to over 20,000 courses on our learning platform, leadership courses, and new job openings available to internal candidates first.

• We strive to champion Inclusion in every aspect of our business at Amex GBT. You can connect with colleagues through our global INclusion Groups, centered around common identities or initiatives, to discuss challenges, obstacles, achievements, and drive company awareness and action.

• And much more!

All applicants will receive equal consideration for employment without regard to age, sex, gender (and characteristics related to sex and gender), pregnancy (and related medical conditions), race, color, citizenship, religion, disability, or any other class or characteristic protected by law.

Click Here for Additional Disclosures in Accordance with the LA County Fair Chance Ordinance.

Furthermore, we are committed to providing reasonable accommodation to qualified individuals with disabilities. Please let your recruiter know if you need an accommodation at any point during the hiring process. For details regarding how we protect your data, please consult the Amex GBT Recruitment Privacy Statement.

What if I don’t meet every requirement? If you’re passionate about our mission and believe you’d be a phenomenal addition to our team, don’t worry about “checking every box;" please apply anyway. You may be exactly the person we’re looking for!