Jeavio is a technology services company that specializes in providing innovative solutions to businesses. We work at the intersection of technology and business, helping organizations leverage cutting-edge tools, including AI, to drive growth and efficiency.
You will build and lead a small, high-impact team; embed security thinking into every phase of the SDLC; and serve as a trusted advisor to engineering leads, engineering managers, and customers as we scale our AI-assisted development practices and deepen our commitments to HIPAA, SOC 2, PCI-DSS, and ISO 27001 compliance. This is a hands-on management role — you will write policies and threat models, run audits, and keep your own technical skills sharp, while also coaching and growing your team.
Key Responsibilities
Secure Development Practice & Standards
- Define, document, and enforce a company-wide Secure Software Development Lifecycle (SSDLC) aligned to OWASP, NIST, and similar application-security and cloud-native security frameworks.
- Develop and maintain security policies, coding standards, and guardrails tailored to healthcare (HIPAA), financial (PCI-DSS), SOC 2, and ISO 27001 requirements.
- Drive threat modelling, security architecture reviews, and design-level risk assessments for new projects and major feature releases.
- Champion security-by-design across cloud-native (AWS, Azure, GCP) environments — including IaC, container security, API security, and secrets management.
AI-Assisted Development Security
- Establish guidelines and controls for the secure use of AI coding assistants (GitHub Copilot, Claude Code, Cursor, etc.) across engineering teams, covering data leakage, IP exposure, and code quality risks.
- Assess and mitigate security risks specific to LLM-integrated products built for customers — including (but not limited to) prompt injection, model abuse, and insecure output handling (OWASP LLM Top 10).
- Stay ahead of the rapidly evolving AI security threat landscape and translate findings into actionable team guidance.
Testing, Audits & Assurance
- Own the application security testing programme: SAST, DAST, SCA, penetration testing, and red team exercises — both for internal tooling and customer deliverables.
- Conduct and coordinate security audits and readiness assessments against SOC 2, ISO 27001, PCI-DSS, and HIPAA controls.
- Manage vulnerability disclosure and triage processes; define SLAs for remediation and track them to closure.
- Produce clear, executive-ready security reports for internal leadership and customer stakeholders.
Team Leadership & Culture
- Hire, mentor, and develop a team of 2–5 security engineers and analysts; set clear goals and foster a culture of continuous learning.
- Design and deliver security awareness and secure coding training programmes for the broader engineering organisation.
- Partner with engineering managers and engineering leads to embed security reviews and checkpoints into project delivery workflows.
- Act as the primary point of contact for security-related customer inquiries, audits, and due diligence requests.
Required Qualifications
- 8+ years of experience in application security, software security engineering, or a closely related field, with at least 2 years in a team lead or management capacity.
- Deep hands-on expertise in application security testing tools and techniques: SAST (e.g. Semgrep, Checkmarx), DAST (e.g. OWASP ZAP, Burp Suite), SCA, and penetration testing.
- Proven experience designing and implementing SDLCs and security programmes within a software services or product engineering environment.
- Strong working knowledge of cloud-native security across AWS, Azure, and/or GCP — including IAM, network security, container/Kubernetes security, and secure IaC (Terraform, CDK).
- Practical experience with HIPAA, PCI-DSS, SOC 2, and ISO 27001 frameworks — not just awareness, but hands-on involvement in audits or certifications.
- Solid grasp of secure coding principles across modern stacks (web, API, mobile) and the ability to conduct meaningful code reviews.
- Excellent written and verbal communication skills; able to translate technical risk into business impact for non-technical audiences.
Preferred Qualifications
- Relevant certifications such as CISSP, CISM, OSCP, CEH, AWS Security Specialty, or CCSP.
- Experience securing AI/ML pipelines and LLM-powered applications; familiarity with OWASP LLM Top 10 and MITRE ATLAS.
- Background working in a software development services / consulting environment, managing security across multiple simultaneous customer engagements.
- Exposure to DevSecOps toolchains — CI/CD pipeline security gates, secrets scanning, container image scanning, and policy-as-code.
- Familiarity with security frameworks beyond compliance: MITRE ATT&CK, NIST CSF, CIS Benchmarks.