
vCISO

6 500 — 7 000 ₴   euro
1 day ago
05 December 2025
Other countries: Cyprus
In office / on-site
Full-time

Virtual CISO 

About the Role

We are seeking a highly skilled Virtual Chief Information Security Officer (vCISO) who combines deep application security expertise, hands-on technical capability, and strong strategic leadership. This role is ideal for a professional who is comfortable operating at the executive level while also directly engaging in technical security work, secure SDLC implementation, and CI/CD hardening.

You will apply OWASP best practices, leverage models such as OSAMM to assess and improve maturity, and drive the ongoing enhancement of application, API, and endpoint security. In parallel, you will act as a security generalist, providing guidance across identity, cloud, network, governance, and compliance domains.

This is a high-impact role for someone who can both build and execute security strategy and drive hands-on security improvements across engineering teams.


Primary Responsibilities (~70%) – Application Security, OWASP & Technical Leadership

  • Drive AppSec initiatives including threat modeling, secure design reviews, code reviews, penetration testing, and remediation oversight.

  • Apply OWASP frameworks (Web App Top 10, API Top 10, Endpoint Top 10) to identify and mitigate high-impact risks.

  • Use OSAMM or similar maturity frameworks to assess current posture, set maturity goals, and guide the improvement roadmap.

  • Integrate and maintain security tooling within CI/CD pipelines to ensure secure development and deployment practices.

  • Actively protect and monitor production environments, ensuring timely mitigation of vulnerabilities and emerging threats.

  • Develop and enforce a secure SDLC across software and infrastructure teams.

  • Collaborate closely with development and DevOps teams to embed security into design, build, and deployment processes.


Secondary Responsibilities (~30%) – Strategy, Governance & Compliance

  • Define, refine, and implement the organization’s security strategy, ensuring alignment with business goals and risk appetite.

  • Oversee compliance efforts related to ISO 27001, SOC 2, GDPR, and internal policies.

  • Lead security governance processes, including creation and enforcement of policies, standards, and procedures.

  • Advise across security domains including IAM, network security, cloud (AWS/Azure), and endpoint management.

  • Provide clear, business-aligned security insights and communicate risks effectively to executives and stakeholders.


Requirements

  • Proven experience as an Application Security Engineer, Security Architect, vCISO, or senior security consultant.

  • Deep hands-on expertise with OWASP frameworks, including Top 10 (web, API, endpoint).

  • Practical experience using OSAMM or similar models to guide software assurance maturity.

  • Strong knowledge of CI/CD pipelines and their secure implementation.

  • Experience with enterprise security tools such as Jamf, Palo Alto (PAB, GP), AWS, Azure, Okta, Cloudflare.

  • Understanding of compliance frameworks (ISO 27001, SOC 2, GDPR).

  • Excellent leadership, analytical, and communication skills, with the ability to influence both technical and executive stakeholders.


Yuliia
