Head of Application Security Program & Governance, Director
Top focus
About Citi: Citi, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments, and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management.
As a bank with a brain and a soul, Citi creates economic value that is systemically responsible and in our clients’ best interests. As a financial institution that touches every region of the world and every sector that shapes your daily life, our Operations & Technology teams are charged with a mission that rivals any large tech company.
Our technology solutions are the foundations of everything we do from keeping the bank safe, managing global resources, and providing the technical tools our workers need to be successful to designing our digital architecture and ensuring our platforms provide a first-class customer experience.
We reimagine client and partner experiences to deliver excellence through secure, reliable, and efficient services. Our commitment to diversity includes a workforce that represents the clients we serve from all walks of life, backgrounds, and origins.
We foster an environment where the best people want to work. We value and demand respect for others, promote individuals based on merit, and ensure opportunities for personal development are widely available to all. Ideal candidates are innovators with well-rounded backgrounds who bring their authentic selves to work and complement our culture of delivering results with pride.
If you are a problem solver who seeks passion in your work, come join us. We’ll enable growth and progress together. The Role: This Head of Application Security Program & Governance role sits at the center of Citi's Application Security Management (ASM) function, a specialized capability within the Offensive Security and Vulnerability Management (OSVM) organization reporting directly to the Global Head of OSVM.
The position carries enterprise-wide accountability for the strategic direction, governance, and operational performance of five critical AppSec pillars: Static Application Security Testing (SAST), Component Vulnerability Management (CVM), Malicious Code Detection (MCD), Automated Release Vulnerability Assessment (ARVA), and Application Secrets Detection (ASD).
This is a rare opportunity for a seasoned application security leader to shape how one of the world's largest financial institutions secures its software development ecosystem at scale. The role demands both deep technical credibility across secure SDLC practices and the executive-level communication skills needed to influence development organizations, senior leadership, and regulatory stakeholders.
Responsibilities Define and drive the multi-year strategic roadmap for ASM program pillars (SAST, CVM, MCD, ARVA, ASD), aligning with Citi's broader OSVM and enterprise cybersecurity strategy. Lead the integration of AI and ML capabilities into ASM operations, including AI-assisted vulnerability triage, intelligent false-positive suppression, and automated remediation workflows.
Develop and deploy AI-enhanced developer guidance tools that improve security posture across engineering teams at scale. Continuously assess the adversarial AI threat landscape, including AI-accelerated exploit development and vulnerability chaining techniques.
Drive corresponding enhancements to ASM detection, response capabilities, and overall program strategy in response to emerging AI-enabled threats. Own and evolve AppSec governance standards, including exemption management, policy compliance, and regulatory alignment across Citi's software estate.
Define Application Security Key Risk Indicators (KRIs) and lead program performance insights, including root cause analysis, trend identification, and continuous improvement reporting. Serve as the primary ASM interface for development organizations, product delivery teams, Information Security partners, enterprise architecture, and senior leadership.
Oversee developer and App Manager security training programs, ensuring engineering teams understand their security obligations and are equipped to meet them. Mentor ASM pillar leads, drive cross-pillar coordination, manage program resources, and maintain delivery timelines across ASM initiatives.
Qualifications 15+ years of experience in application security, DevSecOps, or secure SDLC program leadership at enterprise scale. 5+ years' experience in people management preferred. Deep knowledge of SAST, Software Composition Analysis (SCA/CVM), and automated security testing, with hands-on experience using tools such as Checkmarx, Black Duck, Snyk, Fortify, or equivalent platforms.
Strong understanding of CI/CD pipeline security integration and the enforcement of security gates within build and deployment pipelines. Demonstrated ability to define governance frameworks, security standards, and KRI/metric programs for large-scale secure software development programs.
Experience assessing AI's impact on the threat landscape, including AI-assisted vulnerability chaining and accelerated exploit development scenarios. Proven track record leading and mentoring technical teams in a program management or technical leadership capacity.
Working knowledge of recognized security frameworks, including SSDF, OWASP SAMM, BSIMM, NIST, ISO 27001, and FFIEC guidelines. Excellent communication skills with demonstrated ability to translate complex security program data into actionable insights for both technical audiences and senior leadership.
Experience with malicious code detection, secrets detection, or automated release security gating programs is strongly preferred. Familiarity with AI/ML integration into security tooling, including AI-assisted triage, intelligent rule tuning, and LLM-based developer guidance is preferred.
Experience with cloud security testing across AWS, Azure, or GCP, and familiarity with ServiceNow for vulnerability management workflows is preferred. Experience with Dynamic Application Security Testing (DAST) methodologies and their integration into automated CI/CD pipelines is preferred.
Education Active certification in CISSP, CISM, CRISC, CISA, GIAC, or equivalent is strongly desired. Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience. Master's degree preferred. This job description provides a high-level review of the types of work performed.
Other job-related duties may be assigned as required. ------------------------------------------------------ Job Family Group: Technology ------------------------------------------------------ Job Family: Information Security ------------------------------------------------------ Time Type: Full time ------------------------------------------------------ Primary Location: Telecommuter Florida United States ------------------------------------------------------ Primary Location Full Time Salary Range: $170,000.00 - $300,000.00 In addition to salary, Citi’s offerings may also include, for eligible employees, discretionary and formulaic incentive and retention awards.
Citi offers competitive employee benefits, including: medical, dental & vision coverage; 401(k); life, accident, and disability insurance; and wellness programs. Citi also offers paid time off packages, including planned time off (vacation), unplanned time off (sick leave), and paid holidays.
For additional information regarding Citi employee benefits, please visit citibenefits.com. Available offerings may vary by jurisdiction, job level, and date of hire. ------------------------------------------------------ Most Relevant Skills Please see the requirements listed above. ------------------------------------------------------ Other Relevant Skills For complementary skills, please see above and/or contact the recruiter. ------------------------------------------------------ Anticipated Posting Close Date: Jul 01, 2026 ------------------------------------------------------ Citi is an equal opportunity employer, and qualified candidates will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other characteristic protected by law.
If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi . View Citi’s EEO Policy Statement and the Know Your Rights poster.