Senior Manager, DevSecOps Engineering

Pfizer Inc.

Collegeville, PA

Job posting number: #7230608 (Ref:pf-4908469)

Posted: March 21, 2024

Job Description

ROLE SUMMARY 

Pfizer’s Global Information Security (GIS) organization delivers proactive cyber defense for the global enterprise.  Our mission is to secure all of Pfizer’s digital information assets ranging from our scientific breakthroughs to the manufacturing floor, and out to the patients we serve.  We achieve this mission through a combination of world-class talent, top-tier technologies, industry leading best practices, and the promotion of a cybersecurity ownership culture across the company.  

Pfizer’s DevSecOps mission underscores the critical importance of cybersecurity throughout the software development lifecycle, particularly within Pfizer’s Customer & Commercial Creation Center (C4) portfolio of applications. The Sr. Manager, DevSecOps Engineering will assume a central role in ensuring that cybersecurity measures are seamlessly integrated into every facet of commercial solutions. The Sr. Manager, DevSecOps Engineering will play a pivotal role in orchestrating the integration of security tooling across the development pipeline. This role will be tasked with designing and implementing secure pipeline automations and leading the integration of various security tools such as SAST and SCA/SBOM within the CI/CD pipeline. Collaboration with the DevOps team and broader developer community at Pfizer is fundamental to success in this role, ensuring alignment with evolving security standards and best practices across the organization.

The position requires a balance of technical expertise and effective communication skills to drive and support Attack Surface Reduction initiatives. The incumbent will report to the Manager, Attack Surface Reduction. The Attack Surface Reduction team is part of the Secure Business Enablement (SBE) organization within Pfizer Global Information Security.

ROLE RESPONSIBILITIES  

Primary responsibilities involve spearheading the implementation of robust security measures tailored to the C4 development ecosystem. This includes devising strategies to manage secrets and tokens within the CI/CD pipeline, overseeing the setup and maintenance of automated security processes, and configuring advanced DevSecOps tools like SAST, SCA, and Secrets Scanning. Additionally, assessing infrastructure configurations via Infrastructure as Code (IaC) scanning is an integral part of the role. The Sr. Manager is also on point to lead incident response for C4 solutions, ensuring a swift and effective response to security incidents. Representing security engineering in program and stakeholder meetings, the incumbent offers consultation, identifies risks based on various factors, and draws on past experiences to propose secure solutions and develop estimates. Collaborating closely with Digital Leads, Principal Engineers, and Product Owners is essential to ensure technical decisions align with overarching security strategic priorities. 

  • Lead the implementation and enforcement of secure coding standards and integration of security controls throughout the software development lifecycle

  • Own and operate the implementation and maintenance of automated security quality-gates within the C4 CI/CD pipeline

  • Serve as primary security Subject Matter Expert (SME) for all C4 development projects and applications under purview, offering guidance and oversight to ensure security considerations are integrated seamlessly into every phase of the project lifecycle

  • Lead security reviews and assessments of C4 project architectures, designs, and code implementations, proactively identifying and addressing security vulnerabilities and compliance gaps

  • Facilitate threat modeling sessions, working closely with C4 development teams to identify and mitigate security risks early in the development process

  • Forge strong collaborations with Digital Leads, Principal Engineers, and Product Owners to ensure security is ingrained in technical decision-making processes

  • Own and be accountable for leading and coordinating efforts with the Incident Response (IR) team during C4 Platform security engagements. Ensure timely identification, conduct thorough investigations, and facilitate effective remediation of security incidents in accordance with established protocols

  • Facilitate post-incident reviews and lessons learned sessions with C4 project teams and the IR team, identifying opportunities for process improvements and proactive security measures to prevent similar incidents in the future 

  • Drive API security integration across C4 development teams, overseeing secure API design, development, and deployment. Collaborate cross-functionally to implement robust security controls, conduct assessments, and establish best practices 

  • Act as a translator between business stakeholders and technical engineers, to ensure that technical, security and privacy considerations are represented in strategic discussions and business objectives are being met by our solutions 

  • Own and operate integration assessments and advise on best practices for new and existing integrations within the C4 development environment 

  • Oversight of contracted resources (as required)

  • Provide thought leadership by fostering and building a community of practice for collective learning of security tools, practices, and systems across all disciplines within Pfizer 

  • Exercise sound judgment and decision-making, leveraging knowledge, experience, policies, procedures, and company values (Courage, Excellence, Equity, & Joy)

BASIC QUALIFICATIONS  

  • Bachelor’s Degree in cybersecurity, computer science, information systems, or engineering 

  • 7+ years’ experience in DevSecOps, software development, and security engineering

  • Demonstrated experience in an agile work environment possessing qualities such as a collaborative mindset, adaptability to change, and a proactive problem-solving approach 

  • Demonstrated expertise in AppSec, DAST, SAST, SCA/SBOM, OWASP Top 10, API Security and other relevant areas

  • Demonstrated proficiency in threat modeling, security architecture design, and secure coding practices

  • Demonstrated proficiency in implementing security controls to protect against common API security risks

  • Experience managing the security lifecycle of APIs, from design and development to deployment and retirement

  • Demonstrated experience in designing, implementing, and maintaining automated security checks within CI/CD pipelines

  • Strong understanding of DevOps methodologies and tools, with a track record of successfully collaborating with DevOps Engineering teams

  • Understanding of API security standards and their application in securing RESTful and GraphQL APIs 

  • Experience serving in a formal or informal leadership capacity 

  • Experience with one or more scripting languages, such as Python, Bash, or PowerShell

  • Demonstrated proficiency in IaC tools and technologies with a deep understanding of IaC principles and best practices 

  • Experience with VCS workflow tools for automating security processes in the development pipeline

  • Ability to work independently with instruction on complex problems and to work as a team player

  • Demonstrated history of driving innovation by collaborating with business customers to convert business requirements into new technical solutions 

  • Demonstrated history of identifying and implementing solution and process improvement opportunities based on expertise and experience 

  • Outstanding communication skills, including the ability to communicate potentially complex information in a concise, accurate, and complete manner in both written and verbal form 

  • Ability to manage multiple competing tasks simultaneously and complete work within allocated timeframes 

  • Strong desire to keep up to date with technology developments and learn new skills 

PREFERRED QUALIFICATIONS 

  • In-depth understanding of cloud security principles and hands-on experience with cloud platforms such as AWS, Azure, or Google Cloud 

  • Demonstrated mastery in IaC tools and technologies with a deep understanding of IaC principles and best practices 

  • Strong understanding of and experience with RESTful APIs

  • Advanced knowledge of one or more scripting languages, such as Python, Bash, or PowerShell 

  • Experience with one or more programming languages, such as TypeScript/JavaScript, Java, or PHP

  • Understanding of DevOps pipeline and CI/CD tools 

  • Experience with Agile methodologies 

  • Proficiency in using SIEM for monitoring and analyzing security events 

  • Extensive experience and expertise in leveraging VCS workflow tools for automating security processes within the development pipeline 

  • Demonstrated mastery in utilizing SIEM for monitoring and analyzing security events 

  • Demonstrates a breadth of diverse leadership experiences and capabilities, including the ability to influence and collaborate with peers, develop and coach others, and oversee and guide the work of other colleagues to achieve meaningful outcomes and create business impact.

NON-STANDARD WORK SCHEDULE, TRAVEL OR ENVIRONMENT REQUIREMENTS

  • Work Location Assignment: Hybrid colleagues must be able to work in Pfizer office 2-3 days per week, or as needed by the business to connect and innovate with their team face-to-face. However, they also benefit from being able to work offsite regularly when it makes business sense to do so.

Other Job Details:

Last day to apply: April 03, 2024

The annual base salary for this position ranges from $117,300.00 to $195,500.00. In addition, this position is eligible for participation in Pfizer’s Global Performance Plan with a bonus target of 17.5% of the base salary and eligibility to participate in our share based long term incentive program. We offer comprehensive and generous benefits and programs to help our colleagues lead healthy lives and to support each of life’s moments. Benefits offered include a 401(k) plan with Pfizer Matching Contributions and an additional Pfizer Retirement Savings Contribution, paid vacation, holiday and personal days, paid caregiver/parental and medical leave, and health benefits to include medical, prescription drug, dental and vision coverage. Learn more at Pfizer Candidate Site – U.S. Benefits | (uscandidates.mypfizerbenefits.com). Pfizer compensation structures and benefit packages are aligned based on the location of hire. The United States salary range provided does not apply to Tampa, FL or any location outside of the United States.

Relocation assistance may be available based on business needs and/or eligibility.

Sunshine Act

Pfizer reports payments and other transfers of value to health care providers as required by federal and state transparency laws and implementing regulations.  These laws and regulations require Pfizer to provide government agencies with information such as a health care provider’s name, address and the type of payments or other value received, generally for public disclosure.  Subject to further legal review and statutory or regulatory clarification, which Pfizer intends to pursue, reimbursement of recruiting expenses for licensed physicians may constitute a reportable transfer of value under the federal transparency law commonly known as the Sunshine Act.  Therefore, if you are a licensed physician who incurs recruiting expenses as a result of interviewing with Pfizer that we pay or reimburse, your name, address and the amount of payments made currently will be reported to the government.  If you have questions regarding this matter, please do not hesitate to contact your Talent Acquisition representative.

EEO & Employment Eligibility

Pfizer is committed to equal opportunity in the terms and conditions of employment for all employees and job applicants without regard to race, color, religion, sex, sexual orientation, age, gender identity or gender expression, national origin, disability or veteran status.  Pfizer also complies with all applicable national, state and local laws governing nondiscrimination in employment as well as work authorization and employment eligibility verification requirements of the Immigration and Nationality Act and IRCA.  Pfizer is an E-Verify employer.  This position requires permanent work authorization in the United States.

Information & Business Tech


