Security Design Architect - Application and Cloud Security

Astra North Infoteck Inc.

Montreal (Hybrid)
Skills sought: Cybersecurity, C#, JavaScript, +14 others

Job details

  • Work location: Montreal (Hybrid)
  • Job type: Permanent, full-time
Job Description

  • Experience: 10+ years
  • Location: Montreal
  • Hybrid: 3 days in office


The mission of the SecDesign team is to provide security architecture assessments of technology systems and processes to identify business risks and recommend remedial actions based on established security standards or best practices.

The SecDesign Generalist acts as an internal consultant, performing multiple security architecture and design assessments across diverse technologies. The Integrator collaborates globally with Technology, Business, Suppliers, Stakeholders, and Partners to perform SecDesign assessments.

The role also includes working with a global team to modernize the firm’s SDLC platform, enabling deployment automation to private/public cloud endpoints and SaaS‑based tooling.


Responsibilities (SecDesign Generalist)

Assessment & Risk Prioritization

  • Lead SecDesign deep dives with assessment requestors

  • Prioritize risks relative to business impact

  • Conduct assessments and provide technology risks/requirements across:

    • Authentication, Authorization, Auditing

    • Application Security (session security, vulnerability/Pen Testing, input validation)

    • Secure data transport and storage

    • Network Security principles

    • Cloud Security principles

Architecture & Governance

  • Periodically review and update security reference architecture

  • Participate in Operational and Technology Risk governance processes

  • Identify new areas and opportunities for technology investment


Skills and Experience

Soft Skills (Required)

  • Excellent written, oral, presentation, and listening skills

  • Ability to influence through factual reasoning

  • Strong time management; ability to handle multiple concurrent assessments

  • Delivery‑focused under short timelines and senior‑management involvement

  • Ability to adjust communication of technology risks vs. business risks


Security Architecture Skills

  • Required — In‑depth knowledge of application, network, and platform vulnerabilities; ability to explain them to developers

  • Required — Experience conducting Information Security / IT Security / Audit assessments and presenting outcomes

  • Required — Strong ability to review technical designs and functional requirements to identify security weaknesses

  • Required — Knowledge of Cloud Service Providers (AWS/Google/Azure), DevOps, CI/CD

  • Required — Working experience in at least three of the following domains:

    • Authentication: SAML, SiteMinder, Kerberos, OpenID

    • Entitlements & identity management

    • Data protection, DLP, secure data transfer/storage

    • Application Security (validation checking, attack methodologies)

    • Cryptography (encryption, hashing)

  • Desired — Experience administering:

    • Version control (Bitbucket, GitHub)

    • Issue tracking (Jira)

    • CI (Jenkins, GitHub Actions)

    • Release management

  • Desired — Knowledge of network models, risks at each layer, and functions of switches, routers, firewalls, proxies, VPNs, load‑balancers

  • Desired — Working knowledge of major operating systems (Unix, Windows, z/OS, Mac OS), enterprise configuration/management, platform security risks

  • Desired — Experience with testing tools: Veracode, Fortify, OunceLabs, AppScan, WebInspect, Burp


Development Experience

  • Required — Background in programming, design, and application architecture

  • Required — Experience implementing complex enterprise applications

  • Required — Working knowledge of:

    • Java, JavaScript, C#, C/C++, Perl, Python, Ruby

  • Desired — In‑depth knowledge of web technologies (browsers, servers, services)


Other Areas of Expertise

  • Frameworks, protocols, subsystems: J2EE, .NET, Spring, RPC, SOAP, MQSeries, JMS, RMI, JMX, Hibernate

  • Knowledge of JSP/Servlet/EJB or ASP.NET, HTTP/HTTPS, Cookies, AJAX, JavaScript, Flex/Silverlight

  • Database design and programming experience

  • Experience liaising with 3rd‑party entities (exchanges, suppliers, regulators)

  • Experience conducting/reviewing penetration tests, dynamic/static vulnerability assessments

  • Understanding of geographic regulations and their impact on security assessments

  • Financial Services experience preferred

  • CISSP or other industry qualification

  • Desired — Experience working with global organizations




Requirements
Sailpoint