Application Security, Sr. Manager
New York, United States
Full Time Senior-level / Expert USD 190K - 220K
Simpson Thacher & Bartlett LLP
Simpson Thacher & Bartlett LLP is an international law firm headquartered in New York City, employing over 1,300 attorneys in 11 offices worldwide.
Senior Manager, Application Security
The Senior Manager, Application Security, SaaS, and Database Security is responsible for developing and leading a robust, global security program focused on (1) Application Security (application risk assessments, API security, code review, threat modeling, SAST/DAST scanning, application sandbox testing, secure coding guidelines, WAF rules, browser security & browser plugins & browser integrations, M365 security, GenAI security, CASB), (2) SaaS (SaaS risk assessments, SaaS posture management, SaaS guidelines & secure configuration management, cloud & drive security), and (3) Database Security (database security configuration, data monitoring). This role oversees a team that designs, implements, and manages enterprise-wide strategies in these domains to ensure the secure development, deployment, and operation of applications, SaaS platforms, and databases.
The person in this role will partner with teams across the firm to modernize the Firm's security practices and ensure secure and compliant implementation of application, SaaS, and database controls. The ideal candidate is a highly skilled, hands-on technical leader with strong people skills and a proven track record delivering enterprise security initiatives across these domains. They must be intimately familiar with technical aspects of all security areas and be able to drive consensus and collaboration among diverse teams, individuals, and business stakeholders to achieve desired results. The candidate must be detail-oriented with the ability to adapt rapidly to new challenges, think creatively and holistically, and quickly resolve unforeseen issues.
ESSENTIAL JOB DUTIES & RESPONSIBILITIES
- Develop and maintain a comprehensive strategy and roadmap for application, SaaS, and database security aligned with business objectives and risk management priorities
- Lead implementation and operation of application risk assessment and secure development lifecycle (SDLC) practices including secure coding, SAST/DAST scanning, and code reviews
- Oversee SaaS security posture management and perform risk assessments and configuration management across SaaS platforms
- Establish enterprise encryption and API security standards.
- Implement and manage database security configurations and data monitoring to ensure the protection of sensitive information
- Guide enforcement of secure API development, threat modeling, and secure integration across browser and application interfaces
- Manage security controls and technologies such as CASB, WAF, and other relevant application protection tools
- Lead SaaS security guidelines, drive adoption of secure-by-design SaaS usage, and manage associated security risks
- Ensure secure deployment of M365, browser extensions, plugins, and GenAI tools through established security controls and policies
- Develop and maintain security policies, standards, and procedures for application, SaaS, and database environments
- Collaborate with development, cloud, and IT teams to integrate security into CI/CD pipelines and cloud platforms
- Provide leadership and mentorship to a technical team responsible for application, SaaS, and database security
- Partner with SOC, IR, and vulnerability management teams to respond to and resolve security issues related to applications, SaaS platforms, and databases
- Monitor for anomalies, policy violations, and unauthorized access across applications, SaaS solutions, and data repositories
- Maintain compliance with regulatory, privacy, and audit requirements including ISO 27001, NIST, GDPR, and client-imposed obligations
- Report on key security KPIs/KRIs, risks, compliance gaps, and program maturity to technical and non-technical stakeholders
- Analyze information to identify trends, risks, and opportunities for continuous improvement
- Promote a secure-by-design framework and DevSecOps practices across development and IT lifecycles
- Make decisions and recommendations based on risk assessment, industry best practices, and emerging threats
- Stay current with evolving security trends, technologies, and threat landscapes in application, SaaS, and database domains
REQUIRED
- Bachelor's degree in information security, IT, risk management, related discipline, or equivalent experience
PREFERRED
- Professional certifications such as CISSP, CISM, or similar
SKILLS AND EXPERIENCE
- 10-15 years of experience in IT or Information Security, with at least 5 years in a leadership role focused on application, SaaS, or database security
- Proven ability to build and lead application security or cloud/SaaS security programs at scale, ideally in hybrid or cloud environments
- Deep understanding of secure software development, DevSecOps, cloud SaaS security models, and database protection practices
- Experience with tools like SAST/DAST, WAFs, CASBs, cloud security posture management (CSPM), and secure code review platforms
- Familiarity with NIST, OWASP, ISO 27001, and secure software development frameworks
- Passion for innovation, automation, and driving continuous improvement in application and cloud security practices
- Excellent interpersonal, leadership, presentation, and collaborative skills
Salary Information
NY Only: The estimated base salary range for this position is $190,000 to $220,000 at the time of posting.
The actual salary offered will depend on a variety of factors, including without limitation, the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and, if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt, meaning it is not eligible for overtime pay.
Privacy Notice
For information about how Simpson Thacher & Bartlett LLP collects and processes your personal information, please refer to our Privacy Notice available at https://www.stblaw.com/other/privacy-notice.
Simpson Thacher & Bartlett is committed to a collegial work environment in which all individuals are treated with respect and dignity. The Firm prohibits discrimination or harassment based upon race, color, religion, gender, gender identity or expression, age, national origin, citizenship status, disability, marital or partnership status, sexual orientation, veteran’s status or any other legally protected status. This Policy pertains to every aspect of an individual’s relationship with the Firm, including but not limited to recruitment, hiring, compensation, benefits, training and development, promotion, transfer, discipline, termination, and all other privileges, terms and conditions of employment.
Perks/benefits: Career development