Associate Director, Application Security
PSA | Kuala Lumpur - Menara Prudential @ TRX 15F, Malaysia
Prudential plc
Prudential’s purpose is to be partners for every life and protectors for every future. Our purpose encourages everything we do by creating a culture in which diversity is celebrated and inclusion assured, for our people, customers, and partners. We provide a platform for our people to do their best work and make an impact to the business, and we support our people’s career ambitions. We pledge to make Prudential a place where you can Connect, Grow, and Succeed.
The incumbent is responsible for leading a newly reorganized application security function, consisting of DevSecOps engineering, DevSecOps assurance and release, and DevSecOps vulnerability triage operation teams.
The incumbent is expected to be a technically strong leader in both DevSecOps and the underlying DevOps infrastructure, with strong familiarity with end-to-end vulnerability management, from roadmap planning, design architecture, DevSecOps technologies/tooling and CI/CD automation through to vulnerability remediation, supported by a strategic mindset to co-work with senior application heads, leaders and managers, including Group technology and product teams. The incumbent is expected to collaborate closely with other subject matter expert domains within the security function to support multiple lines of business units located across Asia, Africa and the UK.
- Lead a newly reorganized application security function, consisting of DevSecOps engineering, DevSecOps assurance and release, and DevSecOps vulnerability triage operation team.
- Formulate the application security strategy and vision to evolve the DevSecOps architecture and technology stack, enhancing the integration with the underlying DevOps infrastructure, and redesigning the existing DevSecOps operational workflow.
- Define both the short-term and long-term DevSecOps roadmap, taking into account the history of the existing security infrastructure, planning the transition and parallel run-in periods for technology replacements, and adopting a progressive, phased approach for implementations and deployments.
- Expand DevSecOps capabilities in static application security testing, software composition analysis, container image scanning, dynamic application security testing, integrated development environment scanning, application programming interface security scanning and other vulnerability domains.
- Ensure the interoperability of all DevSecOps functionalities with the DevOps source code repository, continuous integration (CI) pipeline, continuous deployment (CD) pipeline, container artifactory and cloud native environment.
- Advise on RFP/RFI for new DevSecOps solutions and lead POC initiatives to embark on emerging security technologies, evaluating them against new vulnerability trends in a dynamic threat landscape or to address any gaps or deficiencies in the DevSecOps technologies.
- Engage with different security principals, distributors, integrators, and implementation partners on commercial and technical fronts to discuss, collaborate and negotiate on security weaknesses or defects, front complex escalations to timely resolution and evaluate product workarounds.
- Design DevSecOps dashboards, defining the calculation logic for measurement of key performance indicators in control coverage, control effectiveness, data accuracy and reliability.
- Push the continuous adoption of DevSecOps technologies and processes by identifying the inherent challenges/blockers across technology, process and people, followed by the execution of resolvable action plans to achieve the predefined recurring target metrics.
- Act as the group-wide security reviewer for group application production releases/go-live, evaluating and analysing any dispensations or exceptions for critical or high vulnerabilities detected, while managing any business pressure escalations from senior management arising from remediation delays.
- Provide guidance on the process design, triage methodology and workflow components in DevSecOps vulnerability triage operations to enhance effectiveness and efficiency.
- Interact with a variety of stakeholders on a daily basis, ranging from information security officers of local business units, group infrastructure/DevOps and group application/product teams to different groups of application/dev heads, managers and leaders.
Prudential is an equal opportunity employer. We provide equality of opportunity of benefits for all who apply and who perform work for our organisation irrespective of sex, race, age, ethnic origin, educational, social and cultural background, marital status, pregnancy and maternity, religion or belief, disability or part-time / fixed-term work, or any other status protected by applicable law. We encourage the same standards from our recruitment and third-party suppliers taking into account the context of grade, job and location. We also allow for reasonable adjustments to support people with individual physical or mental health requirements.