Threat Mitigation Lead - Secure Software Development

At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We’re looking for people who are determined to make life better for people around the world.

We are looking for an experienced Cyber Threat Mitigation Lead with a focus on secure software development. This role is designed for someone who excels at working with cross functional teams to drive down security risks and threats in applications and software. This lead will partner closely with cyber leadership to understand risk and prioritize efforts. The candidate will address challenging complex issues; therefore, creative problem solving is essential.

As the Threat Mitigation Lead, you will be responsible for working with internal cyber teams, software engineers and developers, and other stakeholders to reduce the impact of identified threats. You will drive the implementation of mitigation strategies throughout the software development process and promote lessons learned that will enhance secure coding practices.

What You Will Do:

1. Threat Mitigation

• Partner with AppSec and cyber leadership to prioritize identified security threats.

• Lead efforts to assess, track, and mitigate risks through engagement with software development teams.

• Guide teams to address security vulnerabilities by integrating solutions into development and operational workflows.

• Aid in developing solutions that bring risks within acceptable levels.

• Provide guidance and raise awareness on mitigation activities that require monitoring to account for changing threat landscapes and residual risk.

• Balance security and business objectives with a bias towards timely remediation.

2. ‘Stay Secure’ Software Development Practices (SSDLC)

• Partner with AppSec to promote the integration of secure coding practices throughout the SDLC to avoid repeated risk events.

3. Strategy Execution

• Act as a key player in the creation and execution of threat mitigation strategies for vulnerabilities identified in ongoing development and within existing applications.

• Ensure identified vulnerabilities are effectively tracked and managed through their lifecycle, from detection to remediation.

• Develop and refine strategies that help teams respond to evolving threats, reducing their risk to production systems.

4. Leadership and Cross-functional Collaboration

• Mentor cross-functional teams, ensuring that developers, security engineers, and architects are aligned in driving down cyber threats.

• Facilitate collaboration between product, engineering, and security teams to align on mitigation strategies and best practices.

• Assist the Cyber AppSec team through providing guidance to engineering teams on security best practices, focusing on practical implementation that enhances both security and development efficiency.

5. Continuous Improvement

• Work with leadership and development teams to continuously improve threat mitigation and security integration processes.

• Proactively recommend improvements in software development security practices and collaborate with teams to implement them.

• Encourage and maintain a security-aware culture among development teams to make security an inherent part of their workflows.

6. Metrics and Reporting

• Provide regular updates to cyber leadership on progress made toward reducing security risks and the overall security posture of software development efforts.

• Ensure visibility into ongoing efforts to mitigate threats, escalating key issues as needed.

Your Basic Qualifications:

• Bachelor's or master’s degree in computer science, Information Security, or a related field, or equivalent practical experience.

• 7+ years of experience in software development, with at least 3+ years in a cyber security or similar role.

• Strong experience with Secure Software Development Life Cycle (SSDLC) practices and methodologies.

• Hands-on experience with security testing tools (SAST/DAST, fuzz testing, static analysis) and integrating them into SDLC processes.

• Familiarity with common security threats, vulnerabilities (e.g., OWASP Top 10), and how to mitigate them.

• Experience in DevOps/CI/CD pipelines and embedding security into these workflows.

• Proficient in a high-level programming language.

What You Should Bring:

• Certifications such as CISSP, GIAC-GSSP, or OSCP.

• Strong understanding of secure coding practices and the ability to guide teams in applying them.

• Familiarity with cloud security (AWS, Azure, Google Cloud) and container security (Docker, Kubernetes, OpenShift).

• Proven track record of collaborating with security and development teams to reduce security risks and mitigate vulnerabilities.

• Excellent communication skills, with the ability to effectively engage technical and non-technical stakeholders.

• Experience with penetration testing or advanced security assessments.

• Knowledge of regulatory and industry standards such as GDPR, PCI DSS, HIPAA, ISO 27001.

Lilly is dedicated to helping individuals with disabilities to actively engage in the workforce, ensuring equal opportunities when vying for positions. If you require accommodation to submit a resume for a position at Lilly, please complete the accommodation request form (https://careers.lilly.com/us/en/workplace-accommodation) for further assistance. Please note this is for individuals to request an accommodation as part of the application process and any other correspondence will not receive a response.

Lilly is proud to be an EEO Employer and does not discriminate on the basis of age, race, color, religion, gender identity, sex, gender expression, sexual orientation, genetic information, ancestry, national origin, protected veteran status, disability, or any other legally protected status.

Our employee resource groups (ERGs) offer strong support networks for their members and are open to all employees. Our current groups include: Africa, Middle East, Central Asia Network, Black Employees at Lilly, Chinese Culture Network, Japanese International Leadership Network (JILN), Lilly India Network, Organization of Latinx at Lilly (OLA), PRIDE (LGBTQ+ Allies), Veterans Leadership Network (VLN), Women’s Initiative for Leading at Lilly (WILL), enAble (for people with disabilities). Learn more about all of our groups.

Actual compensation will depend on a candidate’s education, experience, skills, and geographic location.  The anticipated wage for this position is

Full-time equivalent employees also will be eligible for a company bonus (depending, in part, on company and individual performance). In addition, Lilly offers a comprehensive benefit program to eligible employees, including eligibility to participate in a company-sponsored 401(k); pension; vacation benefits; eligibility for medical, dental, vision and prescription drug benefits; flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts); life insurance and death benefits; certain time off and leave of absence benefits; and well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities).Lilly reserves the right to amend, modify, or terminate its compensation and benefit programs in its sole discretion and Lilly’s compensation practices and guidelines will apply regarding the details of any promotion or transfer of Lilly employees.

#WeAreLilly