Skip to main content

Senior DevSecOps - Cyber Security (Consulting)

47350

The Company

Cognizant (NASDAQ:CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant has over 340,000 employees as of January 2025. Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 1000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world.

About Cognizant Consulting

To be digital, companies today must have organizational velocity approaching speed of light while providing individualized offerings that result in fanatical levels of customer satisfaction—all with laser-focused cost control. And from applications to infrastructure, processes to operational models and interfaces to experiences—there are digital forces driving change in every part of our clients’ organization. At Cognizant, our consultants orchestrate the capabilities to truly change the game—across strategy, design, technology and industry/functional knowledge to deliver insight at speed and solutions at scale. Our approach is built around elevating business understanding of the aspirations and unique abilities of customers and employees and by building these relationships based on trust and value.

More information? Please visit https://www.cognizant.com/consulting

About the Role

We are seeking a Senior DevSecOps / Security Consultant to assess, embed and uplift security practices across our client’s software delivery lifecycle. This is a security-first role. You come from a cyber security background, not a developer who has pivoted into security, and you will spend your time advising and coaching engineering squads to help them design, build and operate platforms securely by default.

The role is not about deploying a new security toolchain from scratch. The client already has tooling in flight; your job is to make it land. That means running a structured maturity assessment, prioritizing what matters, embedding existing tools properly into developer workflows, and coaching teams to use them well. You will be the bridge between Information Security and Engineering, moving the client beyond point-in-time audits towards a continuous, automated, “shift-left” model.

What You’ll Do - Run the DevSecOps Maturity Assessment

  • Conduct a comprehensive, evidence-based audit of the client’s current DevSecOps capabilities against recognised industry frameworks. Primarily OWASP SAMM and NIST SSDF, supported where relevant by OWASP ASVS, the NIST Cybersecurity Framework and MITRE ATT&CK for attacker-perspective coverage.

  • Assess the adoption, configuration and effectiveness of existing controls across SAST, SCA, DAST, IaC scanning, container security and secrets management. The assessment should distinguish between tools that are deployed, tools that are actually running, and tools that are genuinely influencing developer behaviour.

  • Engage stakeholders across engineering, platform, InfoSec and product to gather both qualitative inputs (interviews, workshops) and quantitative evidence (pipeline telemetry, scan coverage, finding-to-fix data).

  • Score each product line against SAMM business functions (Governance, Design, Implementation, Verification, Operations) and produce a clear maturity scorecard that highlights where the organisation sits today and what “good” looks like in 12 months.

  • Produce a prioritised 12-month roadmap, sequenced by risk reduction, delivery effort and developer impact, partnering with Kuan (InfoSec) to align the roadmap with broader security strategy.

  • Re-baseline maturity periodically through the engagement so progress is measurable and defensible to senior stakeholders.

Embed Existing Security Tooling into Developer Workflows

  • Take the tools the client has already invested in (such as Snyk, SonarQube and CI/CD platforms like GitHub Actions, Azure DevOps or GitLab) and make them genuinely useful: properly integrated, sensibly configured, and well understood by the engineers using them.

  • Tune signal-to-noise ratio aggressively. Triage backlogs, suppress false positives with documented rationale, calibrate severity thresholds, and ensure that what reaches a developer is genuinely actionable.

  • Refine CI/CD security gates so that they block what truly matters and stay out of the way of everything else, protecting both security outcomes and developer flow.

  • Improve the developer experience of existing controls: clearer failure messages, faster feedback, IDE and pre-commit integrations where they add value, and golden-path templates that make the secure route the easy route.

  • Curate and maintain a library of secure CI/CD reference patterns built on the client’s current stack, so squads can adopt proven, opinionated guardrails rather than reinventing them.

Coach and Enable Engineering Teams

  • Embed with developer squads as their trusted security partner, attending stand-ups, sprint planning and design reviews to bring a security lens to day-to-day delivery.

  • Run secure-coding clinics, brown-bag sessions and pairing sessions to lift the security capability of engineers across multiple product lines.

  • Translate vulnerability findings into clear, contextualised remediation guidance that developers can act on without hand-holding.

  • Champion a “security as an enabler, not a blocker” culture, building credibility with engineering by being pragmatic, hands-on and delivery-aware.

  • Develop enablement materials such as playbooks, cheat sheets and onboarding guides that scale your impact beyond the squads you work with directly.

Lead Threat Modelling and Secure Design

  • Facilitate threat-modelling sessions at the design phase of new services, features and platform changes, using STRIDE for systematic decomposition and MITRE ATT&CK to ground the conversation in real-world attacker techniques.

  • Produce lightweight, developer-friendly threat models and secure design patterns that teams can reuse across the estate.

  • Identify abuse cases, trust boundaries and data-flow risks early, and translate these into concrete acceptance criteria, controls and tests, mapped to MITRE ATT&CK techniques where it helps prioritisation.

  • Advise on secure-by-default choices for cloud-native workloads: authentication, secrets handling, network segmentation, data protection and least privilege.

Track Metrics, Governance and Progress

  • Define and track meaningful KPIs such as vulnerability burn-down, mean time to remediate, pipeline coverage and gate effectiveness, and report progress to both engineering and InfoSec leadership.

  • Use metrics to evidence movement against the maturity roadmap and to guide where to invest coaching and embedding effort next.

  • Ensure controls remain aligned with internal security standards, OWASP guidance, MITRE ATT&CK coverage objectives and relevant compliance obligations.

What We’re Looking For - Background and Mindset

  • A security professional first. Your career has been built in cyber security, application security or DevSecOps, rather than as a developer who has moved into security.

  • Comfortable in code: you read pipelines, IaC and application code fluently enough to have credible technical conversations with senior engineers, even if you are not a full-time developer yourself.

  • Pragmatic, collaborative and delivery-minded. You understand that security only works when engineering teams want to use it.

Essential Skills and Experience

  • Demonstrable experience running DevSecOps or AppSec maturity assessments using OWASP SAMM and / or NIST SSDF, and translating findings into prioritised, achievable roadmaps.

  • A track record of embedding security tooling into existing developer workflows. Not just deploying tools, but driving real adoption, tuning signal-to-noise, and lifting the developer experience.

  • Working knowledge of CI/CD security tooling (SAST, SCA, DAST, IaC scanning and secrets detection) and platforms such as GitHub Actions, Azure DevOps or GitLab.

  • Solid grounding in container and cloud workload security: Docker, Kubernetes and at least one major cloud provider (Azure, AWS or GCP).

  • Experience facilitating threat-modelling and secure design workshops with mixed audiences of developers, architects and product owners, including practical use of STRIDE and MITRE ATT&CK.

  • Familiarity with OWASP (ASVS, Top 10, SAMM), NIST (SSDF, CSF) and MITRE ATT&CK, with the ability to apply them practically rather than as a checklist.

  • Strong communication skills. You can explain a complex risk to a developer, a delivery lead and a CISO, and adjust your register for each.

Desirable

  • Industry certifications such as CISSP, CCSP, CSSLP, CCSK or equivalent.

  • Exposure to policy-as-code (e.g. OPA / Conftest, Checkov, tfsec) and supply-chain tooling (e.g. SBOMs, Sigstore). Useful for advising clients but not the primary focus of the role.

  • Awareness of AI / LLM application security concerns (e.g. OWASP Top 10 for LLMs, MITRE ATLAS) and how they reshape secure-design conversations.

  • Prior consulting experience and the ability to navigate client environments, manage stakeholders and contribute to bid or proposal work where appropriate.

Expected Deliverables

  • A formal DevSecOps Maturity Assessment Report, including scorecard against OWASP SAMM and NIST SSDF, with attacker-perspective coverage informed by MITRE ATT&CK.

  • A prioritised 12-month Shift-Left Implementation Roadmap, sequenced by risk and effort.

  • A library of Secure CI/CD Reference Patterns built on the client’s existing tooling.

  • Developer enablement materials including playbooks, secure design patterns and training collateral.

  • A live Security Metrics view evidencing progress against the maturity roadmap.

Engagement Details

  • Hybrid working, with on-site presence at the client location as required by the engagement.

  • Initial engagement length and rate / package will be confirmed during the screening conversation, dependent on contractor or FTE preference.

  • Reporting into the Engagement Lead, working alongside the client’s Head of InfoSec who leads the security workstream.

About us
Cognizant (Nasdaq: CTSH) is an AI Builder and technology services provider, building the bridge between AI investment and enterprise value by building full-stack AI solutions for our clients. Our deep industry, process and engineering expertise enables us to build an organization’s unique context into technology systems that amplify human potential, realize tangible returns and keep global enterprises ahead in a fast-changing world. See how at www.cognizant.com or @cognizant.

Additional employment information
Compensation information is accurate as of the date of this posting. Cognizant reserves the right to modify this information at any time, subject to applicable law.

Applicants may be required to attend interviews in person or by video conference. In addition, candidates may be required to present their current state or government issued ID during each interview.

Cognizant is an equal opportunity employer. Your application and candidacy will not be considered based on race, color, sex, religion, creed, sexual orientation, gender identity, national origin, disability, genetic information, pregnancy, veteran status or any other characteristic protected by federal, state or local laws.

Benefits that help you thrive and grow

Our benefits program is built with you in mind—so you can enjoy a fulfilling, balanced and healthy life.

a blue line drawing of a plant with leaves

Financial wellbeing

We regularly review market data to ensure compensation reflects the value you bring. Your benefits extend beyond pay and may include retirement plans, financial education, etc.

Stay Healthy Midnight Blue RGB

Physical and mental health

We empower you to prioritize your wellbeing through paid time off, flexible working where possible, healthcare plans, counselling, our Mental Health Allyship program and more. 

Build The Career You Want Midnight Blue RGB

Your career, your way

With 350,000+ roles at Cognizant, you’ll have opportunities explore new technologies, industries and locations—and build the skills you need to grow your career.

Making A Meaningful Impact Midnight Blue RGB

Real-world impact

Think about the biggest brands you rely on. Chances are, they rely on us to help strengthen their business. Here, you’ll turn bold ideas into solutions that improve lives everywhere.

Your path to Cognizant

Here’s what you can expect from our hiring process. Please keep in mind that it may vary by role and location. Explore our FAQs to learn more.

a person sitting at a table using a laptop

Step 1: Apply to the right opportunity

Find an open role that matches your skills and career goals and show us why you’re the person for the job. Don’t see the right opportunity? Consider joining our Talent Community.

a person holding a tablet and talking on the phone

Step 2: Connect with your recruiter

If one of our recruiters sees a fit, they’ll set up a short intro call to learn more about you and how your experiences and skills match the role.

a person smiling at a table with a laptop

Step 3: Show off your skills

If you and our team would like to continue the process, you’ll interview with our hiring team. Some roles may also require technical assessments and/or client interviews.

a group of people sitting around a table

Step 4: Decision time

Our team will then review each candidates’ potential to succeed in the role. This step may take some time because we want to find the right fit for both you and us—but you can count on us to keep you updated.

APJ Dez
Cognizant has given me the opportunity to thrive as a leader and as a person. The culture of recognition, the great benefits and the sense of community motivate me, and I strive to give my best every day.
Decree Olam Team Leader - Intuitive Operations & Automation
1 (2)
Cognizant has one of the best learning ecosystems you can ask for. From sponsored certifications to training platforms to mentorship, we have all that we need to grow.
Debashish Mishra SAP MM Developer
Apj Kate
I have the privilege of working with an amazing, diverse team with loads of international experience. It’s inspiring when we all bring our different thinking, skills and experience together to deliver great things.
Kate Wilson Technology Consulting Manager

Haven't yet found the right opportunity?

Get the latest updates on job opportunities, recruitment events and company news—tailored just for you!

Be in the know