Updated 2026-06-22 18:00 UTC·© 2025–2026 RoleSuite

Principal Digital Security Architect

Encora · Kuala Lumpur

Key Responsibilities 
1. API & Ecosystem Architecture 
● The API Fortress: Architect the security layer for our API Gateway (e.g., Kong, 
Apigee, AWS Gateway). Define global policies for Rate Limiting, Throttling, and 
Authorization (preventing BOLA/IDOR attacks).  
● Supply Chain Security: Design secure integration patterns for our 3rd party partners 
(Fintechs, Credit Bureaus, Payment Processors). Ensure their insecurities do not 
become our breaches. 
● Microservices Mesh: Define how our internal services trust each other. Move from 
"Network Trust" to "Cryptographic Trust" using mTLS and Service-to-Service 
authentication. 

2. Identity & Access Management (CIAM) 
● Identity Strategy: Own the architecture for Customer Identity (CIAM). Design flows for 
Biometric Binding, Adaptive MFA, and Step-Up Authentication for high-value 
transactions. 
● Token Lifecycle: Define the standards for OAuth 2.0 and OpenID Connect (OIDC). 
Ensure we are using Financial-grade API (FAPI) standards for token issuance, 
revocation, and storage. 

3. Secure Development Lifecycle (SDLC) 
● Threat Modeling: Lead "Whiteboard Hacking" sessions with product owners. Identify 
business logic flaws (e.g., race conditions in ledgers, bypassable KYC steps) before a 
single line of code is written. 
● Paved Roads: Work with DevOps to architect secure-by-default libraries. (Example: 
Create a standard "Encryption Wrapper" library that all developers must use, so they 
don't invent their own crypto). 

4. Data Privacy & Cryptography 
● Data Defense: Define the architecture for Field-Level Encryption (FLE) in the 
database for PII and Banking Secrets. 
● Privacy Engineering: Architect systems that support "Right to be Forgotten" 
(GDPR/CCPA) without breaking the immutability of the financial ledger. 

Strategic Deliverables
● Identity Patterns: Deliver new security design patterns and components for 
authentication, authorization, SSO, MFA, and Partner security to ensure seamless and 
secure user access. 
● Mobile & Edge: Deliver new security design patterns and components for Mobile 
security, ensuring consistency between iOS, Android, and the backend. 
● Modern Tech Stack: Deliver API, container, cloud, and AI security design patterns to 
support the bank's move toward intelligent, cloud-native infrastructure. 

What We Are Looking For 

1. The Background 
● 8+ Years Experience: A mix of Software Engineering and Security Architecture. 
● Ex-Developer: You must be able to read code (Java, Kotlin, React or Node.js).
● Banking/Fintech Experience: Strong preference for candidates who have secured 
payment gateways, ledgers, or wallets. 

2. The Technical Skills 
● API Security: Deep mastery of REST and GraphQL security. 
● Auth Protocols: You can draw the OAuth 2.0 Authorization Code Flow with PKCE 
from memory. You understand JWT signing and JWKS key rotation. 
● Mobile Security: Understanding of how mobile apps store secrets 
(KeyStore/Keychain) and how to prevent API abuse from emulators/bots. 

3. The Mindset 
● Business Aligned: You understand that a bank exists to process transactions. You 
design security that reduces risk without destroying the User Experience (UX). 
● Pragmatic: You know when to demand a "Blocker" fix and when to accept a "Risk 
Acceptance" waiver.

Security pay context

Based on 1,546 disclosed Security salaries on RoleSuite, the role pays a median of $142K/year, with most offers between $114K and $180K (10th–90th percentile: $94K–$216K).

