The Company
Cognizant (NASDAQ:CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant has over 340,000 employees as of January 2025. Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 1000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world.
About Cognizant Consulting
To be digital, companies today must have organizational velocity approaching speed of light while providing individualized offerings that result in fanatical levels of customer satisfaction—all with laser-focused cost control. And from applications to infrastructure, processes to operational models and interfaces to experiences—there are digital forces driving change in every part of our clients’ organization. At Cognizant, our consultants orchestrate the capabilities to truly change the game—across strategy, design, technology and industry/functional knowledge to deliver insight at speed and solutions at scale. Our approach is built around elevating business understanding of the aspirations and unique abilities of customers and employees and by building these relationships based on trust and value.
More information? Please visit https://www.cognizant.com/consulting
About the Role
We are seeking a Senior DevSecOps / Security Consultant to assess, embed and uplift security practices across our client’s software delivery lifecycle. This is a security-first role. You come from a cyber security background, not a developer who has pivoted into security, and you will spend your time advising and coaching engineering squads to help them design, build and operate platforms securely by default.
The role is not about deploying a new security toolchain from scratch. The client already has tooling in flight; your job is to make it land. That means running a structured maturity assessment, prioritizing what matters, embedding existing tools properly into developer workflows, and coaching teams to use them well. You will be the bridge between Information Security and Engineering, moving the client beyond point-in-time audits towards a continuous, automated, “shift-left” model.
What You’ll Do - Run the DevSecOps Maturity Assessment
Conduct a comprehensive, evidence-based audit of the client’s current DevSecOps capabilities against recognised industry frameworks. Primarily OWASP SAMM and NIST SSDF, supported where relevant by OWASP ASVS, the NIST Cybersecurity Framework and MITRE ATT&CK for attacker-perspective coverage.
Assess the adoption, configuration and effectiveness of existing controls across SAST, SCA, DAST, IaC scanning, container security and secrets management. The assessment should distinguish between tools that are deployed, tools that are actually running, and tools that are genuinely influencing developer behaviour.
Engage stakeholders across engineering, platform, InfoSec and product to gather both qualitative inputs (interviews, workshops) and quantitative evidence (pipeline telemetry, scan coverage, finding-to-fix data).
Score each product line against SAMM business functions (Governance, Design, Implementation, Verification, Operations) and produce a clear maturity scorecard that highlights where the organisation sits today and what “good” looks like in 12 months.
Produce a prioritised 12-month roadmap, sequenced by risk reduction, delivery effort and developer impact, partnering with Kuan (InfoSec) to align the roadmap with broader security strategy.
Re-baseline maturity periodically through the engagement so progress is measurable and defensible to senior stakeholders.
Embed Existing Security Tooling into Developer Workflows
Take the tools the client has already invested in (such as Snyk, SonarQube and CI/CD platforms like GitHub Actions, Azure DevOps or GitLab) and make them genuinely useful: properly integrated, sensibly configured, and well understood by the engineers using them.
Tune signal-to-noise ratio aggressively. Triage backlogs, suppress false positives with documented rationale, calibrate severity thresholds, and ensure that what reaches a developer is genuinely actionable.
Refine CI/CD security gates so that they block what truly matters and stay out of the way of everything else, protecting both security outcomes and developer flow.
Improve the developer experience of existing controls: clearer failure messages, faster feedback, IDE and pre-commit integrations where they add value, and golden-path templates that make the secure route the easy route.
Curate and maintain a library of secure CI/CD reference patterns built on the client’s current stack, so squads can adopt proven, opinionated guardrails rather than reinventing them.
Coach and Enable Engineering Teams
Embed with developer squads as their trusted security partner, attending stand-ups, sprint planning and design reviews to bring a security lens to day-to-day delivery.
Run secure-coding clinics, brown-bag sessions and pairing sessions to lift the security capability of engineers across multiple product lines.
Translate vulnerability findings into clear, contextualised remediation guidance that developers can act on without hand-holding.
Champion a “security as an enabler, not a blocker” culture, building credibility with engineering by being pragmatic, hands-on and delivery-aware.
Develop enablement materials such as playbooks, cheat sheets and onboarding guides that scale your impact beyond the squads you work with directly.
Lead Threat Modelling and Secure Design
Facilitate threat-modelling sessions at the design phase of new services, features and platform changes, using STRIDE for systematic decomposition and MITRE ATT&CK to ground the conversation in real-world attacker techniques.
Produce lightweight, developer-friendly threat models and secure design patterns that teams can reuse across the estate.
Identify abuse cases, trust boundaries and data-flow risks early, and translate these into concrete acceptance criteria, controls and tests, mapped to MITRE ATT&CK techniques where it helps prioritisation.
Advise on secure-by-default choices for cloud-native workloads: authentication, secrets handling, network segmentation, data protection and least privilege.
Track Metrics, Governance and Progress
Define and track meaningful KPIs such as vulnerability burn-down, mean time to remediate, pipeline coverage and gate effectiveness, and report progress to both engineering and InfoSec leadership.
Use metrics to evidence movement against the maturity roadmap and to guide where to invest coaching and embedding effort next.
Ensure controls remain aligned with internal security standards, OWASP guidance, MITRE ATT&CK coverage objectives and relevant compliance obligations.
What We’re Looking For - Background and Mindset
A security professional first. Your career has been built in cyber security, application security or DevSecOps, rather than as a developer who has moved into security.
Comfortable in code: you read pipelines, IaC and application code fluently enough to have credible technical conversations with senior engineers, even if you are not a full-time developer yourself.
Pragmatic, collaborative and delivery-minded. You understand that security only works when engineering teams want to use it.
Essential Skills and Experience
Demonstrable experience running DevSecOps or AppSec maturity assessments using OWASP SAMM and / or NIST SSDF, and translating findings into prioritised, achievable roadmaps.
A track record of embedding security tooling into existing developer workflows. Not just deploying tools, but driving real adoption, tuning signal-to-noise, and lifting the developer experience.
Working knowledge of CI/CD security tooling (SAST, SCA, DAST, IaC scanning and secrets detection) and platforms such as GitHub Actions, Azure DevOps or GitLab.
Solid grounding in container and cloud workload security: Docker, Kubernetes and at least one major cloud provider (Azure, AWS or GCP).
Experience facilitating threat-modelling and secure design workshops with mixed audiences of developers, architects and product owners, including practical use of STRIDE and MITRE ATT&CK.
Familiarity with OWASP (ASVS, Top 10, SAMM), NIST (SSDF, CSF) and MITRE ATT&CK, with the ability to apply them practically rather than as a checklist.
Strong communication skills. You can explain a complex risk to a developer, a delivery lead and a CISO, and adjust your register for each.
Desirable
Industry certifications such as CISSP, CCSP, CSSLP, CCSK or equivalent.
Exposure to policy-as-code (e.g. OPA / Conftest, Checkov, tfsec) and supply-chain tooling (e.g. SBOMs, Sigstore). Useful for advising clients but not the primary focus of the role.
Awareness of AI / LLM application security concerns (e.g. OWASP Top 10 for LLMs, MITRE ATLAS) and how they reshape secure-design conversations.
Prior consulting experience and the ability to navigate client environments, manage stakeholders and contribute to bid or proposal work where appropriate.
Expected Deliverables
A formal DevSecOps Maturity Assessment Report, including scorecard against OWASP SAMM and NIST SSDF, with attacker-perspective coverage informed by MITRE ATT&CK.
A prioritised 12-month Shift-Left Implementation Roadmap, sequenced by risk and effort.
A library of Secure CI/CD Reference Patterns built on the client’s existing tooling.
Developer enablement materials including playbooks, secure design patterns and training collateral.
A live Security Metrics view evidencing progress against the maturity roadmap.
Engagement Details
Hybrid working, with on-site presence at the client location as required by the engagement.
Initial engagement length and rate / package will be confirmed during the screening conversation, dependent on contractor or FTE preference.
Reporting into the Engagement Lead, working alongside the client’s Head of InfoSec who leads the security workstream.
关于高知特 (Cognizant)
高知特(Cognizant)(纳斯达克代码:CTSH)作为一家AI Builder和相关技术服务提供商,致力于通过打造全栈AI解决方案,帮助企业将人工智能投资转化为实际价值。公司凭借深厚的行业经验、流程优化和工程技术专长,将企业独特的业务场景融入科技系统,赋能组织释放人才潜能,推动切实成果,并帮助全球企业在瞬息万变的环境中保持领先。如需了解更多详情,敬请访问 cognizant.ai 或关注@cognizant。
补充雇佣信息
薪酬信息截至本职位发布之日为准。Cognizant 保留在适用法律允许的范围内随时修改该信息的权利。
申请人可能需要通过现场面试或视频会议的方式参加面试。此外,候选人在每次面试时可能需要出示其当前所在州或政府签发的有效身份证件。
Cognizant 是一家提供平等就业机会的雇主。在招聘过程中,您的申请和候选资格不会因种族、肤色、性别、宗教、信仰、性取向、性别认同、国籍、残疾、遗传信息、怀孕、退伍军人身份或任何其他受联邦、州或地方法律保护的特征而受到影响。
