At Iron Mountain we know that work, when done well, makes a positive impact for our customers, our employees, and our planet. That’s why we need smart, committed people to join us. Whether you’re looking to start your career or make a change, talk to us and see how you can elevate the power of your work at Iron Mountain.
Job Summary
We are looking for a highly influential and experienced Director, Secure SDLC & Application Security to mature and establish control gates across our secure software development environments and practices. This strategic role is responsible for embedding security into every stage of our Software Development Lifecycle (SDLC, SP 800-64), guided by the principles of the NIST Secure Software Development Framework (SSDF, SP 800-218). This position bridges our development, IT, and cybersecurity organizations and reports directly to the CTO with a dotted line to the CISO.
Key Responsibilities
Strategic Ownership & Influence: Own the strategy for embedding security within the development lifecycle and act as the primary security partner for development leaders.
Secure SDLC Partnership & Compliance: Drive and manage key functions like threat modeling, automated testing, secure design reviews, and secure deployment practices in partnership with the CISO organization.
FedRAMP Application Compliance & Enablement: Ensure all applications meet FedRAMP technical controls and that all required documentation and evidence are properly created, maintained, and delivered for audits and Authorization to Operate (ATO) packages.
Policy and Process Development: Establish, maintain, and enforce secure coding standards, vulnerability management procedures, and policies for the use of third‑party and open‑source software.
Business Unit Security Leadership: Provide direct leadership for information security compliance across the Digital Business Unit’s development and product functions.
Cross‑Functional Partnership: Serve as the key liaison between the CTO’s engineering teams, the CISO’s security organization, and the broader IT organization.
Tooling and Automation Integration: Drive the strategy for security tooling within the CI/CD pipeline, including SAST, DAST, and SCA coverage.
Metrics and Dual Reporting: Develop KPIs to measure the effectiveness of the application security program and provide clear, concise reports and updates on our software security posture.
Qualifications and Skills
Experience:
10+ years of experience in software development or information security, with at least 5 years in a leadership, principal, or senior role focused on application/product security.
Demonstrable experience implementing and managing a secure SDLC based on a recognized framework like NIST SSDF (800-218).
Direct, hands‑on experience developing and securing applications within FedRAMP High and/or Moderate compliant cloud environments.
Proven success in a matrixed environment, influencing change and driving initiatives across multiple teams and departments without direct authority.
Work Authorization:
Technical Skills:
Expertise in threat modeling (e.g., STRIDE), secure coding practices, and modern application security vulnerabilities (OWASP Top 10).
Hands‑on experience with security testing tools (SAST, DAST, SCA and penetration tests) and their integration into developer workflows (GitLab and Veracode).
Proven capability to utilize Tenable for enterprise‑wide vulnerability detection and compliance, driving remediation within SLA across diverse DevOps environments.
Strong understanding of DevOps/DevSecOps principles and CI/CD pipelines.
Experience building developer enablement programs covering secure coding, threat modeling, SBOM generation, and vulnerability management requirements.
Ability to define secure baselines for third‑party components, open‑source dependencies, and container registries.
Familiarity with cloud‑native security (AWS GovCloud, GCP, Azure Government).
Influence and Communication:
Exceptional stakeholder management skills, with the ability to build consensus between engineering, security, and business leaders.
Excellent ability to articulate complex security risks and concepts to varied audiences, from engineers to senior executives.
Education and Certifications:
Bachelor’s degree in Computer Science, Information Security, or a related field; Master’s degree preferred.
Relevant industry certifications (e.g., CISSP, CSSLP, GCSA) are highly desirable.
#LI-Remote
Reasonably expected salary range: $159,400.00 - $212,500.00
Category: Information Technology
Iron Mountain is a global leader in storage and information management services trusted by more than 225,000 organizations in 60 countries. We safeguard billions of our customers’ assets, including critical business information, highly sensitive data, and invaluable cultural and historic artifacts.
If you have a physical or mental disability that requires special accommodations, please let us know by sending an email to accommodationrequest@ironmountain.com. See the Supplement to learn more about Equal Employment Opportunity.
Iron Mountain is committed to a policy of equal employment opportunity. We recruit and hire applicants without regard to race, color, religion, sex (including pregnancy), national origin, disability, age, sexual orientation, veteran status, genetic information, gender identity, gender expression, or any other factor prohibited by law.
Application Security • Boston, MA, United States