Director, Application Security & Architecture

Invitae is a healthcare technology company that leverages genetic information to empower doctors and patients to make informed medical decisions. Our software engineers work on a variety of projects ranging from innovations in healthcare systems to taming the chaos of biology. We’re constantly improving our tools and technologies to deliver the highest quality actionable information for the patient.

Our Information Security Team is pushing the envelope on shift left strategies to ensure all software development and IT operations at Invitae adhere to security best practices from inception to implementation.  We are focused on driving security strategy and improving security maturity for the organization.  This position is a leadership role that requires an individual with a strong technical background, as well as an ability to partner and influence various technology and business operations teams to align on security priorities, strategies, and roadmaps.

Key Responsibilities:

• Performing security design reviews to assess security implications for proposed new product features and functionality that could expose risk of data loss or breach within the cloud-hosted service platform, especially as it relates to the back end architecture for data storage and transmission
• Managing the Application Security program and team, assist in conducting software security assessments including threat modeling, security control reviews and vulnerability assessments
• Working with application and functional teams across the business to incorporate a security mindset throughout software development life cycle from concept to testing and implementation
• Working closely with server, network, and business teams during incident response events to speed remediation
• Identifying and assessing design and operational vulnerabilities in web application, network and system topologies
• Evaluating and recommending technologies that could improve current systems and ensure that plans for security technologies integrate with existing solutions and do not introduce any security vulnerabilities
• Designing and implementing a comprehensive data protection strategy designed to enforce technical and organizational measures to protect intellectual property, confidential information and sensitive in scope protected data (PII and PHI) for clients and customers
• Working with product owners, business stakeholders, business analysts and engineering teams to review security requirements and approve / modify designs as needed
• Advising on data security issues, compliance, and privacy requirements including, but not limited to HIPAA, HITRUST, SOC2, SOX,and ISO 27001
• Partners with peers across the information security organization to identify new innovations, capabilities, and solutions that improve the security posture of the company
• Mentor, empower, and develop a team of cybersecurity engineers
• Leads with integrity, purpose, and with a leadership mindset
• Interacts with team members, IT peers, and IT leaders to drive win-win outcomes across the security landscape
• Collaborate with Product Architects to align team with strategies, departmental goals, and execution efforts
• Taking a lead role in conducting security research on threats and remediation techniques/technology and making recommendations for implementation
• Providing oversight and guidance for periodic security assessments to ensure compliance with information security policies and established security controls
• Ensuring applications, networks, systems and cloud services are planned, designed, developed, implemented, and monitored in accordance with security controls related to HIPAA, HITRUST, SOC2, SOX,and ISO 27001 controls and the corporate Information Security Policies
• Analyzing infrastructure, networking and system designs from a security perspective and providing recommendations and approvals for implementation decisions 
• Assisting in the development and automation of threat management, vulnerability management, and incident management processes

• Minimum 7+ years of experience in Information Security with an emphasis on leading security personnel to secure applications, networks and systems
• Proven experience as a hands-on leader of highly technical IT architects and engineers.
• Strategic thinker, translates strategy into actionable plans
• Strong hands on experience in Application, Network, System and Cloud Security Architecture design and review
• Proven ability to design end-to-end security solutions across large enterprise IT ecosystems
• Proven experience leading implementation programs for improving network security, including segmentation, zero trust implementations, perimeter and endpoint defense, proactive monitoring, and active response
• Experience breaking down complex systems and applications to find relevant security risks
• Significant experience with industry known common vulnerabilities and attack vectors
• Experience with the development, deployment, and automation of security solutions in an enterprise cloud-based environment
• Solid understanding of AWS architecture and services
• Deep understanding of container architectures for cloud services
• Detailed understanding of Microsoft Active Directory, Identity and Auth services, DNS, DHCP and email infrastructure design and security
• Deep understanding of VPN, PKI, IPAM and MFA technologies required
• Proven ability to succinctly communicate complicated technical security issues and the risks they pose to R&D programmers, DevOps engineers, system administrators and upper management
• Hands-on ability to troubleshoot issues on security platforms
• Understanding of application and operating system hardening, vulnerability assessments, security auditing, TCP/IP & network fundamentals, intrusion detection systems, firewalls, VPNs, WAFs
• Familiarity with security frameworks such as NIST CSF, NIST 800-53, SCF, OWASP
• Working knowledge of and experience in policy and process creation and management
• Demonstrated expertise designing and running security solutions with the following tools: vulnerability scanners, forensics software, SIEM, HIDS/NIDS, IPS, malware analysis and protection, content filtering, logical access controls, physical access controls, identity and access management, data loss prevention, content filtering technologies, application firewalls, security incident response techniques
• Experience with secure network firewall, application firewall, and DDoS prevention technologies

Preferred qualifications

• At least one security related certification, such as CISSP, GIAC, CompTIA Security+, required.  CISSP strongly preferred. 
• Deep understanding of Kubernetes and Docker containerization preferred
• Hands-on technical proficiency with IDS/IPS and SIEM tools.  Splunk and Graylog expertise are highly preferred.  
• Demonstrated ability to facilitate automation and integration through scripting highly preferred.
• Experience in DevOps environments and maintaining security in CI/CD processes highly desired
• Deep understanding of GSuite and Okta highly desirable
• Knowledge of technical security control environments and compliance frameworks such as CSA CCM, ISO 270001 and SOC 2, etc.  Experience supporting HITRUST and HIPAA highly desirable