Cox Communications

AVP, Security Architecture and Engineering


Pay: $207900.00 - $346500.00 / year
Location: Atlanta/Georgia
Employment type: Full-Time

This job is now closed

  • Job Description

      Req#: R202448030

      Company

      Cox Automotive - USA

      Job Family Group

      Information Technology

      Job Profile

      AVP, Cybersecurity

      Management Level

      Assistant Vice Presidents (AVP)

      Flexible Work Option

      Hybrid - Ability to work remotely part of the week

      Travel %

      Yes, 5% of the time

      Work Shift

      Day

      Compensation

      Compensation includes a base salary of $207,900.00 - $346,500.00. The base salary may vary within the anticipated base pay range based on factors such as the ultimate location of the position and the selected candidate’s knowledge, skills, and abilities. Position may be eligible for additional compensation that may include an incentive program.

      Job Description

      The Associate Vice President of Security Architecture and Engineering strategically sets the direction of Cox Automotive’s security architecture and secure development processes globally for both enterprise and product technology spanning both on-premise and multi-cloud environments. This leader defines security architecture and development guardrails, policies, and standards that foster an environment of secure development and operation, data protection, and adherence to relevant industry regulatory and client compliance obligations. This role builds strong partnerships with multiple stakeholder groups including Product and Enterprise Architecture, Site Reliability Engineering, Product and Technology Governance, Technology Vendor Management, as well as Product and Enterprise technology portfolio and delivery stream leaders. Key success factors include strong security knowledge in the design and build of secure software products in both on-premise and multi-cloud environments and the ability to partner, influence and lead both direct and cross-functional teams throughout the organization. This role will directly report to the Chief Information Security Officer of Cox Automotive.

      Primary Responsibilities:

      Embedded Security Champions:

      • Lead a team of cybersecurity professionals that embed in delivery streams of a scaled agile (SAFe) product and technology organization.
      • Serve as the primary security advocate for security principles, secure development controls, and standards driven security architecture guardrails.
      • Review engineering team designs of epics, stories, and features for compliance with security architecture guardrails and controls and consider attacker threats, tactics and procedures when reviewing new functionality.
      • Encourage self-sustaining security practices and behaviors within delivery teams.
      • Reduce friction with delivery teams by enabling ready access to technical security decisioning that favors solutions that improve security posture while enabling the business to move faster.

      Security Architecture:

      • Lead a team of cybersecurity professionals that identify, develop, document, and socialize cybersecurity standards and guardrails for both product and enterprise technologies both in on-premise and multi-cloud environments that align with the overall cybersecurity strategy.
      • Partner with the Legal and Security Governance, Risk and Compliance teams to ensure that security policies, standards, procedures, and guardrails enable compliance with relevant regulatory and contractual requirements.
      • Drive consensus and gain alignment with product and technology architecture, site reliability, technology governance, and technology vendor management teams on cybersecurity guardrails, principles, and technologies.

      Application Security COE:

      • Lead a team of subject matter experts in secure application development, providing guidance and recommendations for secure coding practices, tools, and techniques.
      • Provide technical guidance to development teams on secure coding issues identified by SAST, DAST, SCA, and manual penetration tests.
      • Coordinate application penetration testing and ongoing threat modeling with embedded security practitioners and relevant members of the broader cybersecurity team.

      Secure Development Tooling and Enablement

      • Lead a team of cybersecurity and engineering professionals that build, operate, and integrate tools to enable software engineers to more easily develop software securely.
      • Collaborate with cross-functional teams to ensure that application security is seamlessly integrated into the software development process and CI/CD pipelines.
      • Manage the operations and effectiveness of the product security pipeline tools (SAST, DAST, SCA, Secrets, etc.).
      • Update product security tooling to reduce false positives.
      • Provide a robust API Key management and secrets management process.

      Common Responsibilities Across All Focus Areas

      • Lead and coordinate large-scale information security projects, including implementation of secure development cybersecurity tooling and practices.
      • Identify, propose, and influence business solutions, negotiate deliverables and requirements across multiple business customers or organizations.
      • Provide leadership and strategic direction for the function, including budgeting capital and operating expenses.
      • Oversee and lead contract negotiations and vendor management for secure development (static code scanning, dynamic code scanning, software composition analysis), secrets management, manual penetration testing, and other security capabilities as appropriate.

      Minimum Qualifications:

      • Bachelor’s degree in a related discipline and 14 years’ experience in a related field. The right candidate could also have a different combination, such as a master’s degree and 12 years’ experience; a Ph.D. and 9 years’ experience in a related field; or 18 years’ experience in a related field.
      • 12+ years of experience required in the field of information security with a demonstrated path of increasing scope and management responsibilities.
      • 5+ years managing or leading a team that was primarily focused on Security Architecture and/or Secure Development.
      • Experience in the development and design of security standard methodologies to all layers of the application stack in both on-premise and cloud environments.
      • Ability to make strategic decisions, supervise complex programs, manage and educate highly skilled professionals, and influence other departments relating to security risk and control.
      • Solid, pragmatic business acumen with a proven record of creatively solving problems and offering solutions.
      • Consultative nature to work through controversial or complex topics with employees, leaders, and/or senior leadership.
      • Ability to manage multiple complex projects while meeting all deadlines and manage leaders of teams to achieve optimal results.
      • Develop a strong and productive working environment with key stakeholders and collaborate closely with other Cox entities’ security teams to implement security best practices.
      • Excellent customer service skills, writing and executive presentation skills.
      • Knowledge of current Cybersecurity and technology architectures such as zero trust, IaaS, PaaS, SaaS, virtualization, containerization, DevOps, Agile, and software-defined networking across a variety of environments and deployments.
      • Knowledge of cybersecurity frameworks (e.g., ISO 27000, NIST, FFIEC, etc.) and industry-relevant regulations that will guide architectural requirements (e.g., GDPR, FFIEC, GLBA, etc.).
      • Experience with application security implementations and standard methodologies.
      • Knowledge of Identity and Access Management (IAM), Cryptography / Key Management, Access Controls and Security Protocols, secrets modernization, and secrets management (e.g., Multi-factor, SAML, OAuth, OIDC, etc.).
      • Extensive technology knowledge and recognized expertise in several areas including Java, Spring, Oracle, Lambda, Cloud patterns, Cloud Service and User Authentication or similar.
      • Experience with firewall, WAF, and other edge services as well as deep understanding of DMZ and other network architectures.
      • Experience establishing a strategy for and implementing cloud enterprise solutions in AWS and/or Azure.
      • A strong understanding of cloud container platforms such as Kubernetes / EKS.
      • Relevant industry certification: CISSP, CEH, OSCP, Azure, AWS, CISM, CISA, etc.

      Preferred:

      • Advanced degree (MBA / MS).
      • 5+ years of experience in a senior management role.
      • Experience in national critical infrastructure industries (telecommunications, financial services, defense, government, etc.).

      Drug Testing

      To be employed in this role, you’ll need to clear a pre-employment drug test. Cox Automotive does not currently administer a pre-employment drug test for marijuana for this position. However, we are a drug-free workplace, so the possession, use or being under the influence of drugs illegal under federal or state law during work hours, on company property and/or in company vehicles is prohibited.

      Benefits

      The Company offers eligible employees the flexibility to take as much vacation with pay as they deem consistent with their duties, the company’s needs, and its obligations; seven paid holidays throughout the calendar year; and up to 160 hours of paid wellness annually for their own wellness or that of family members. Employees are also eligible for additional paid time off in the form of bereavement leave, time off to vote, jury duty leave, volunteer time off, military leave, parental leave, and COVID-19 vaccination leave.

      About Us

      Through groundbreaking technology and a commitment to stellar experiences for drivers and dealers alike, Cox Automotive employees are transforming the way the world buys, owns, sells – or simply uses – cars. Cox Automotive employees get to work on iconic consumer brands like Autotrader and Kelley Blue Book and industry-leading dealer-facing companies like vAuto and Manheim, all while enjoying the people-centered atmosphere that is central to our life at Cox. Benefits of working at Cox may include health care insurance (medical, dental, vision), retirement planning (401(k)), and paid days off (sick leave, parental leave, flexible vacation/wellness days, and/or PTO). For more details on what benefits you may be offered, visit our benefits page. Cox is an Equal Employment Opportunity employer – All qualified applicants/employees will receive consideration for employment without regard to that individual’s age, race, color, religion or creed, national origin or ancestry, sex (including pregnancy), sexual orientation, gender, gender identity, physical or mental disability, veteran status, genetic information, ethnicity, citizenship, or any other characteristic protected by law. Cox provides reasonable accommodations when requested by a qualified applicant or employee with disability, unless such accommodations would cause an undue hardship.

  • About the company

      Cox Communications, Inc. is an American provider of digital cable television, telecommunications and home automation services.