Cybersecurity Director
Arlington, VA, US
Full Time | Executive-level / Director | USD 163K - 218K
Cambridge Associates
We build custom investment portfolios to meet each client’s unique needs and goals, all in pursuit of outperformance.
Firm Overview:
Cambridge Associates (“CA”) is a leading global investment firm. CA’s goal is to help endowments & foundations, pension plans, and ultra-high net worth private clients implement and manage custom investment portfolios that generate outperformance so that they can maximize their impact on the world. Cambridge Associates delivers a range of services, including outsourced CIO, non-discretionary portfolio management, and investment consulting.
Headquartered in Boston, Massachusetts, CA has offices in key markets in North America, the United Kingdom, Europe, Asia, and Oceania. Our worldwide teams ensure our clients benefit from decades of global presence, local expertise, and relationships with the top global investment managers across the world. For more information, please visit www.cambridgeassociates.com.
Position Summary:
Financial consulting firm seeks an Application Security Architect to join its Cybersecurity team. The position is responsible for validating that internally developed web applications are designed and implemented with high security standards. The Architect will work closely with CA’s internal development teams to integrate security practices into the software development lifecycle (SDLC), establishing processes for identifying, assessing and mitigating security vulnerabilities in the software, and working to ensure that applications are secure and compliant with relevant standards and regulations. Working with the security, software engineering and infrastructure teams, the Architect establishes an application security vision with sustainable standards and processes. As a member of the firm’s Cybersecurity team the Architect is expected to contribute to the day-to-day administration of the firm’s security program, as well as its future design and development.
Key Responsibilities:
· Establish application development security guidelines and best practices utilizing industry-standard security frameworks. Define, document and enforce clear guidelines for secure coding, vulnerability management, incident response, and application security.
· Act as the Subject Matter Expert (SME) in application security during enterprise project development phases, providing security consulting, recommendations, and ensuring adherence to approved security requirements.
· Collaborate with developers and software teams to embed security at every stage of the SDLC.
· Establish an application security scorecard framework to track, prioritize, and address security issues effectively.
· Identify, prioritize, and devise mitigation strategies for application security vulnerabilities, implementing preventative measures to avoid future incidents.
· Integrate security tools, processes, and automation into the DevOps pipeline to enhance efficiency and scalability (DevSecOps).
· Collaborate with cloud architects and DevOps teams to identify and remediate cloud misconfigurations, enforce security policies, and maintain secure cloud infrastructure for hosting web applications.
· Develop strategies to implement Web Application Firewalls (WAF), Cloud Native Application Protection Platforms (CNAPP) and Cloud Security Posture Management (CSPM) tools and integrate into the organization's security framework.
· Develop robust security requirements for authentication and authorization, including credential storage, privilege management, and adherence to role- and attribute-based access control standards.
· Regularly monitor the security community for public-facing vulnerabilities, emerging threats, and new tactics to secure data transmissions and reduce attack exposure.
· Stay updated on the latest security trends, tools, and technologies.
· Attend and actively participate in application projects, change management meetings, and cross-functional discussions to ensure security is integrated from the outset.
· Align with architects and development teams to promote secure design and data integrity preservation across users, applications, and infrastructure.
· Foster the growth of application security champions within development teams to build a culture of security awareness and accountability.
· Lead and participate in security team meetings to facilitate secure design and development practices.
· Develop and deliver training programs to educate developers and other stakeholders on secure coding practices and emerging threats.
· Develop strong relationships with stakeholders to ensure ongoing commitment to security initiatives.
· Foster a collaborative team environment that encourages open communication and knowledge sharing.
· Actively engage in information security projects to evaluate existing security infrastructure and proposed changes, as defined by security leadership and software architects.
· Provide strategic input to enhance the organization's overall security posture.
Required Qualifications:
· 3+ years of work experience in cybersecurity, especially in a web application security engineer or security architect role
· 3+ years’ experience in performing penetration testing, secure code review, static, dynamic and manual source code review
· 3+ years’ experience in identifying and remediating common web application vulnerabilities, such as those catalogued by OWASP
· 3+ years hands-on experience with Web Application Scanning Tools
· Proficient in software development (Java, Python, C#, etc.)
· Experience with web development technologies and frameworks (REST, JSON, XML, JavaScript, React, etc.)
· Experience with securing intra-company and third-party APIs.
· DevOps background in public and private clouds.
· Experience in implementing Web Application Firewalls (WAF)
· Experience with securing deployment and configuration of web applications in an AWS environment
· Experience with CNAPP and CSPM tools
· Solid understanding of network and web protocols.
· Experience with technical documentation
· Proven excellence in communicating business risk from cybersecurity topics.
· Excellent communication and collaboration skills to work effectively with cross-functional teams.
· Bachelor’s degree, preferably in a technical, scientific, or analytical discipline.
· Candidates must be eligible to work in the US without sponsorship.
Preferred Qualifications
· At least 5 years’ experience in cybersecurity preferred, including compliance and risk management with system and application security engineering.
· Experience with one or more of the following: ISO 27001, NIST, SOX, GDPR, CIS or SOC2.
· Cybersecurity training and certification: SANS certifications (GWEB, GSEC), CISSP, CCSP and/or CSSLP, OSCP (and related).
· 2+ years’ experience with SQL
The base salary range for this role is $163,200 to $218,700. In addition to the listed salary range, this position is eligible for an annual performance-based bonus and a comprehensive, competitive benefits package. Actual placement within the stated salary range will be determined based on factors such as skills, experience, and qualifications, as well as internal equity.
The firm is committed to the concept and practice of equal employment opportunity and will not discriminate against any employee or applicant on the basis of race, color, religion, age, sex, national origin, sexual orientation, gender identity, disability, or veteran status. It is expected that all employees will follow a similar policy toward their co-workers.