Secure Developer Experience Specialist

Global Risk and Security (GR&S) at Vanguard enables business strategy, protects client and Vanguard interests (e.g., assets and data), and stewards a strong risk culture. Our teams leverage enterprise-wide insights, deep expertise, and trusted advice so that across Vanguard leaders and crew drive faster, stronger, risk-informed decisions.

Within GR&S, the Enterprise Security and Fraud (ES&F) sub-division is responsible for the global protection of Vanguard crew, property, data, and client assets. We are the trusted advisors that protect the pride of Vanguard with state-of-the-art security and fraud capabilities. We are a world-class destination of highly engaged, passionate, and diverse talent expected to continuously learn and develop in an ever-changing security landscape.

Our crew are our greatest resource - by joining our team you will build collaborative long-term relationships and enjoy a suite of benefits that includes comprehensive health and wellness care, work-life balance, and an investment in your future at its core.

Core Responsibilities

• Design and Maintain the Secure Developer Scorecard: Lead the creation, evolution, and ongoing management of a secure developer scorecard that measures developer successes and failures in secure coding practices. Ensure the scorecard reflects key metrics such as vulnerability prevention, SDLC adherence, time spent on secure coding, and alignment with Vanguard-specific expectations.
• Discover and Address Developer Community Bottlenecks: Proactively engage with the developer community to identify bottlenecks, frustrations, and barriers that delay code merges to production or lead to the dismissal of secure coding governance. Analyze feedback and data to pinpoint areas for improvement.
• Lead Developer Engagement and Feedback Loops: Facilitate regular sessions with developers to listen, gather insights, and foster open dialogue about secure development challenges. Serve as a trusted advocate for developers, ensuring their voices are heard in enterprise security initiatives.
• Build Business Cases for Secure Development Process Improvements: Translate developer feedback and scorecard insights into actionable business cases for process, tooling, or cultural changes. Present recommendations to leadership with a focus on business value, profitability, and measurable outcomes.
• Conduct Learning and Awareness Activities: Develop and deliver targeted learning sessions, workshops, and awareness campaigns to promote secure coding practices and SDLC governance within the developer community.

• Minimum 8 years of related work experience, with at least 3 years in IT security or application development.
• Undergraduate degree in Computer Science, Information Technology, Cybersecurity, Information Systems, or related field.Alternatively, candidates with a non-technical degree or no degree but substantial relevant experience will be considered.

• Minimum of 2+ years of professional experience in secure software development, application security, or developer enablement roles.
• Alternatively, 5+ years of experience in cybersecurity, security awareness, or enterprise application risk management may substitute for direct developer experience.
• Direct developer experience is not strictly required. However, candidates must demonstrate:
• Rudimentary coding capability (e.g., able to read, write, and understand code in at least one major programming language such as Python, Java, or C#).
• High-level understanding of the Software Development Life Cycle (SDLC), secure coding principles, and the challenges faced in enterprise application development.
• Familiarity with common developer workflows, tools, and bottlenecks.
• Highly respected certifications: CISSP, CSSLP. Desired: Security+ or equivalent foundational security certification. Considered: SSAP or similar credentials, especially for candidates with a background in security awareness and developer enablement.
• Candidates lacking direct developer experience but possessing a strong background in cybersecurity awareness, secure development advocacy, or enterprise change management will be strongly considered.

• Experience with any of the following is a plus:
• Using Wiz dashboards or similar tools for extracting insights and informing project decisions
• Qualys, CloudFleet, or other vulnerability management platforms
• AWS, Azure, GCP, or OCI cloud environments
• Secure code training platforms
• Familiarity with secure development frameworks (e.g., NIST SSDF, OWASP SAMM, SLSA)
• Developer productivity platforms, code analysis tools, or IDE security controls