IS Service Owner for Application Security

  • Posted 14 days ago

Job Description

At ABB, we help industries run leaner and cleaner, and every person here makes that happen. You'll be empowered to lead, supported to grow, and proud of the impact we create together. Join us and help run what runs the world.

This Position reports to:

Business Title IS Service Owner for Application Security


Your role and responsibilities

In this role, you will lead the Application Security Service end-to-end, driving the design, development, and continuous improvement of service lifecycle roadmaps. You will be accountable for ensuring the effective and efficient delivery of all application security services in scope, working closely with dedicated internal teams and global external suppliers. Each day, you will be responsible for defining, implementing, and maintaining the governance and operational framework required to deliver the service on time, within budget, and in alignment with business and security expectations. You will also leverage your expertise to manage multiple third-party global vendor contracts, ensuring high-quality service delivery, operational excellence, and ongoing cost optimization.

The work model for the role is: #Hybrid

This role is contributing to the IS Application Security Service in India.

You will be mainly accountable for:
  • Designing and implementing IS Domain service operations in collaboration with IS Service Owners, Application managers, Application owners, Stakeholders, and Solution Architects, ensuring alignment with business needs and technical standards.
  • Creating and managing Service Level Agreements (SLA) and Operational Level Agreements (OLA) to increase transparency between the service provider and Service Owner, and providing feedback about the service's performance, availability, etc.
  • Creating effort, time, and cost estimates for demand requests (projects, solutions, deployments, and handover to operational vendor), and ensuring that service reaches its targets with an increase in performance year after year.
  • Serving as the escalation point in case of a severe problem in the service and working with the service line to get the service back on track.
  • Deciding on the execution of changes in services and applications as part of accountability toward the Change Advisory Board.
  • Owns the end-to-end Application Security Service, including strategy, governance, operational health, roadmap, and continuous improvement of the service.
  • Acts as the primary accountable owner for application security testing, web application scanning, the Vulnerability Disclosure Program, and secure development enablement across the enterprise.
  • Leads definition and enforcement of application security policies, standards, SLAs, KPIs, and service performance metrics.
  • Ensures the Application Security Service aligns with enterprise cybersecurity frameworks, regulatory requirements, and audit expectations.
  • Manages the full lifecycle of application security services such as SAST, DAST, SCA, Penetration Testing, API Security Testing, VDP, Threat Modeling, and Cloud Application Security.
  • Owns the service catalogue description, RACI, operating model, service onboarding process, escalation structure, and reporting framework.
  • Governs multiple vendors, MSSPs, and security partners to ensure performance, quality, and contract adherence.
  • Monitors vendor deliverables, SLA adherence, capacity, staffing, and quality KPIs; drives corrective actions and escalations when required.
  • Defines multi-year service roadmap, budget planning, technology upgrades, tool rationalization, and investment cases.
  • Collaborates with Product Owners, Architects, DevOps owners, and Platform teams to integrate security by design into all phases of SDLC.
  • Ensures security tooling is effectively integrated into CI/CD pipelines and works closely with DevOps to maintain automation and coverage.
  • Drives strategic programs such as shift-left, secure coding adoption, application hardening, API security, and continuous scanning maturity.
  • Oversees enterprise-wide application vulnerability posture; publishes executive dashboards, KPI reports, SLA metrics, and risk summaries.
  • Ensures findings are triaged, prioritized, assigned, and resolved within defined SLAs; drives cross-functional alignment on remediation goals.
  • Owns decision-making for risk acceptance, compensating controls, and remediation exceptions, ensuring alignment with governance bodies.
  • Facilitates threat modeling initiatives for critical applications and helps product teams incorporate security requirements early in design.
  • Partners with Cloud Security, IAM, Infra Security, and Product Security teams to ensure unified coverage of application risks.
  • Functions as the escalation point for critical security findings, zero-day events, application-related incidents, and regulatory escalations.
  • Drives maturity assessments, gap analysis, and implementation of security controls based on OWASP, NIST, SANS, CIS, and ISO 27001 standards.
  • Provides leadership, mentorship, and guidance to operational teams, internal stakeholders, and developers on secure coding and remediation.
  • Ensures readiness for internal audits, external audits, customer due-diligence requests, and compliance assessments.
  • Champions adoption of secure SDLC and DevSecOps practices across all engineering teams; leads enterprise-wide training and awareness.
  • Manages annual financial planning for the service, including licensing, renewal strategies, vendor contracts, and operational budgets.
  • Defines and drives KPIs such as MTTR, SLA adherence, vulnerability aging reduction, coverage metrics, automation levels, and false positive reduction.
  • Collaborates with enterprise architecture to evaluate and approve new application technologies and ensure they meet security baselines.
  • Continuously evaluates the threat landscape to update service controls, policies, and preventive security capabilities.
  • Ensures all service assets, runbooks, SOPs, and workflows are documented, versioned, and kept up to date.
  • Leads periodic service reviews with business units, application owners, and leadership teams to ensure alignment and transparency.
  • Maintains strong stakeholder relationships across business units and drives accountability for remediation and secure development practices.

Qualifications for the role (Mandatory)
  • 12+ years of total IT experience with at least 8-10 years dedicated to Application Security, Product Security, or DevSecOps leadership.
  • Bachelor's or Master's degree in Computer Science, Information Technology, Cybersecurity, or an equivalent engineering discipline.
  • Proven experience owning or managing end-to-end application security services at scale (SAST, SCA, DAST, Pen Testing, API Security, Threat Modeling, Secure SDLC).
  • Strong expertise in vulnerability management governance, SLA enforcement, risk-based prioritization, and enterprise remediation workflows.
  • Hands-on understanding of secure SDLC methodologies, DevSecOps practices, and integration of security tooling into CI/CD pipelines.
  • Deep knowledge of application architectures including APIs, microservices, cloud-native workloads, containerized applications, and modern development patterns.
  • Strong understanding of vulnerability scanning tools, application security testing platforms, and enterprise ticketing/reporting systems.
  • Experience managing bug bounty programs or vulnerability disclosure programs (VDP).
  • Familiarity with cloud platforms (Azure, AWS, GCP) and their native application security features, policies, and shared responsibility models.
  • Excellent communication, negotiation, and stakeholder management skills with the ability to influence non-security teams.
  • Certifications such as OSCP, OSWE, GWAPT, GWEB, CEH, or ITIL v4 Foundation.

More about us

Our mission in ABB IS (Information Systems) is to harness the power of information technology to deliver valuable, reliable, and competitive IS services for ABB. If you have strong technical skills, an analytical mind, and the drive to help us stay ahead of the competition, you are the one we are looking for.


Building a cleaner, smarter future takes all kinds of minds: the curious, the courageous, and the creative. We welcome people from all backgrounds and experiences.

Ready to make an impact? Apply today or visit www.abb.com to learn more about the impact of our solutions across the globe.

Recruitment Fraud Warning

ABB never asks for payment from job applicants. All genuine job offers follow a formal application and interview process.

View current job openings and apply at:

For more information, read our full fraud warning notice at:

About Company

ABB Ltd (German: ABB AG; French, Italian, Romansh: ABB SA), formerly ASEA Brown Boveri, is a Swedish-Swiss multinational corporation headquartered in Västerås, Sweden, and Zürich, Switzerland, operating mainly in robotics, power, heavy electrical equipment, and automation technology areas. It is ranked 341st in the Fortune Global 500 list of 2018 and has been a global Fortune 500 company for 24 years. Until the sale of its Power Grids division in 2020, ABB was Switzerland's largest industrial employer. ABB is traded on the SIX Swiss Exchange in Zürich, Nasdaq Stockholm and the New York Stock Exchange in the United States.

Job ID: 143792513
