Senior DevSecOps - Cyber Security (Consulting)

The Company

Cognizant (NASDAQ:CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant has over 340,000 employees as of January 2025. Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 1000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world.

About Cognizant Consulting

To be digital, companies today must have organizational velocity approaching speed of light while providing individualized offerings that result in fanatical levels of customer satisfaction—all with laser-focused cost control. And from applications to infrastructure, processes to operational models and interfaces to experiences—there are digital forces driving change in every part of our clients’ organization. At Cognizant, our consultants orchestrate the capabilities to truly change the game—across strategy, design, technology and industry/functional knowledge to deliver insight at speed and solutions at scale. Our approach is built around elevating business understanding of the aspirations and unique abilities of customers and employees and by building these relationships based on trust and value.

More information? Please visit https://www.cognizant.com/consulting

About the Role

We are seeking a Senior DevSecOps / Security Consultant to assess, embed and uplift security practices across our client’s software delivery lifecycle. This is a security-first role. You come from a cyber security background, not a developer who has pivoted into security, and you will spend your time advising and coaching engineering squads to help them design, build and operate platforms securely by default.

The role is not about deploying a new security toolchain from scratch. The client already has tooling in flight; your job is to make it land. That means running a structured maturity assessment, prioritizing what matters, embedding existing tools properly into developer workflows, and coaching teams to use them well. You will be the bridge between Information Security and Engineering, moving the client beyond point-in-time audits towards a continuous, automated, “shift-left” model.

What You’ll Do - Run the DevSecOps Maturity Assessment

• Conduct a comprehensive, evidence-based audit of the client’s current DevSecOps capabilities against recognised industry frameworks. Primarily OWASP SAMM and NIST SSDF, supported where relevant by OWASP ASVS, the NIST Cybersecurity Framework and MITRE ATT&CK for attacker-perspective coverage.

• Assess the adoption, configuration and effectiveness of existing controls across SAST, SCA, DAST, IaC scanning, container security and secrets management. The assessment should distinguish between tools that are deployed, tools that are actually running, and tools that are genuinely influencing developer behaviour.

• Engage stakeholders across engineering, platform, InfoSec and product to gather both qualitative inputs (interviews, workshops) and quantitative evidence (pipeline telemetry, scan coverage, finding-to-fix data).

• Score each product line against SAMM business functions (Governance, Design, Implementation, Verification, Operations) and produce a clear maturity scorecard that highlights where the organisation sits today and what “good” looks like in 12 months.

• Produce a prioritised 12-month roadmap, sequenced by risk reduction, delivery effort and developer impact, partnering with Kuan (InfoSec) to align the roadmap with broader security strategy.

• Re-baseline maturity periodically through the engagement so progress is measurable and defensible to senior stakeholders.

Embed Existing Security Tooling into Developer Workflows

• Take the tools the client has already invested in (such as Snyk, SonarQube and CI/CD platforms like GitHub Actions, Azure DevOps or GitLab) and make them genuinely useful: properly integrated, sensibly configured, and well understood by the engineers using them.

• Tune signal-to-noise ratio aggressively. Triage backlogs, suppress false positives with documented rationale, calibrate severity thresholds, and ensure that what reaches a developer is genuinely actionable.

• Refine CI/CD security gates so that they block what truly matters and stay out of the way of everything else, protecting both security outcomes and developer flow.

• Improve the developer experience of existing controls: clearer failure messages, faster feedback, IDE and pre-commit integrations where they add value, and golden-path templates that make the secure route the easy route.

• Curate and maintain a library of secure CI/CD reference patterns built on the client’s current stack, so squads can adopt proven, opinionated guardrails rather than reinventing them.

Coach and Enable Engineering Teams

• Embed with developer squads as their trusted security partner, attending stand-ups, sprint planning and design reviews to bring a security lens to day-to-day delivery.

• Run secure-coding clinics, brown-bag sessions and pairing sessions to lift the security capability of engineers across multiple product lines.

• Translate vulnerability findings into clear, contextualised remediation guidance that developers can act on without hand-holding.

• Champion a “security as an enabler, not a blocker” culture, building credibility with engineering by being pragmatic, hands-on and delivery-aware.

• Develop enablement materials such as playbooks, cheat sheets and onboarding guides that scale your impact beyond the squads you work with directly.

Lead Threat Modelling and Secure Design

• Facilitate threat-modelling sessions at the design phase of new services, features and platform changes, using STRIDE for systematic decomposition and MITRE ATT&CK to ground the conversation in real-world attacker techniques.

• Produce lightweight, developer-friendly threat models and secure design patterns that teams can reuse across the estate.

• Identify abuse cases, trust boundaries and data-flow risks early, and translate these into concrete acceptance criteria, controls and tests, mapped to MITRE ATT&CK techniques where it helps prioritisation.

• Advise on secure-by-default choices for cloud-native workloads: authentication, secrets handling, network segmentation, data protection and least privilege.

Track Metrics, Governance and Progress

• Define and track meaningful KPIs such as vulnerability burn-down, mean time to remediate, pipeline coverage and gate effectiveness, and report progress to both engineering and InfoSec leadership.

• Use metrics to evidence movement against the maturity roadmap and to guide where to invest coaching and embedding effort next.

• Ensure controls remain aligned with internal security standards, OWASP guidance, MITRE ATT&CK coverage objectives and relevant compliance obligations.

What We’re Looking For - Background and Mindset

• A security professional first. Your career has been built in cyber security, application security or DevSecOps, rather than as a developer who has moved into security.

• Comfortable in code: you read pipelines, IaC and application code fluently enough to have credible technical conversations with senior engineers, even if you are not a full-time developer yourself.

• Pragmatic, collaborative and delivery-minded. You understand that security only works when engineering teams want to use it.

Essential Skills and Experience

• Demonstrable experience running DevSecOps or AppSec maturity assessments using OWASP SAMM and / or NIST SSDF, and translating findings into prioritised, achievable roadmaps.

• A track record of embedding security tooling into existing developer workflows. Not just deploying tools, but driving real adoption, tuning signal-to-noise, and lifting the developer experience.

• Working knowledge of CI/CD security tooling (SAST, SCA, DAST, IaC scanning and secrets detection) and platforms such as GitHub Actions, Azure DevOps or GitLab.

• Solid grounding in container and cloud workload security: Docker, Kubernetes and at least one major cloud provider (Azure, AWS or GCP).

• Experience facilitating threat-modelling and secure design workshops with mixed audiences of developers, architects and product owners, including practical use of STRIDE and MITRE ATT&CK.

• Familiarity with OWASP (ASVS, Top 10, SAMM), NIST (SSDF, CSF) and MITRE ATT&CK, with the ability to apply them practically rather than as a checklist.

• Strong communication skills. You can explain a complex risk to a developer, a delivery lead and a CISO, and adjust your register for each.

Desirable

• Industry certifications such as CISSP, CCSP, CSSLP, CCSK or equivalent.

• Exposure to policy-as-code (e.g. OPA / Conftest, Checkov, tfsec) and supply-chain tooling (e.g. SBOMs, Sigstore). Useful for advising clients but not the primary focus of the role.

• Awareness of AI / LLM application security concerns (e.g. OWASP Top 10 for LLMs, MITRE ATLAS) and how they reshape secure-design conversations.

• Prior consulting experience and the ability to navigate client environments, manage stakeholders and contribute to bid or proposal work where appropriate.

Expected Deliverables

• A formal DevSecOps Maturity Assessment Report, including scorecard against OWASP SAMM and NIST SSDF, with attacker-perspective coverage informed by MITRE ATT&CK.

• A prioritised 12-month Shift-Left Implementation Roadmap, sequenced by risk and effort.

• A library of Secure CI/CD Reference Patterns built on the client’s existing tooling.

• Developer enablement materials including playbooks, secure design patterns and training collateral.

• A live Security Metrics view evidencing progress against the maturity roadmap.

Engagement Details

• Hybrid working, with on-site presence at the client location as required by the engagement.

• Initial engagement length and rate / package will be confirmed during the screening conversation, dependent on contractor or FTE preference.

• Reporting into the Engagement Lead, working alongside the client’s Head of InfoSec who leads the security workstream.

Über Cognizant  
Cognizant (NASDAQ: CTSH) i ist ein Technologiedienstleister und Entwickler von KI-Lösungen. Wir schlagen die Brücke zwischen KI-Investitionen und echtem unternehmerischem Mehrwert, indem wir ganzheitliche Full-Stack-KI-Lösungen für unsere Kunden entwickeln. Mit unserer fundierten Branchen-, Prozess- und Engineering-Expertise integrieren wir die spezifischen Anforderungen von Unternehmen passgenau in Technologiesysteme. So entfalten wir das menschliche Potenzial, erzielen greifbare Ergebnisse und sichern globalen Unternehmen in einer sich rasant wandelnden Welt den entscheidenden Vorsprung. Erfahren Sie mehr unter cognizant.ai oder @cognizant.

Zusätzliche Informationen zur Beschäftigung
Die Vergütungsinformationen sind zum Zeitpunkt der Veröffentlichung dieser Stellenausschreibung korrekt. Cognizant behält sich das Recht vor, diese Informationen jederzeit unter Beachtung der geltenden gesetzlichen Bestimmungen zu ändern.

Bewerberinnen und Bewerber können verpflichtet sein, an Vorstellungsgesprächen persönlich oder per Videokonferenz teilzunehmen. Darüber hinaus kann es erforderlich sein, bei jedem Gespräch einen gültigen staatlichen Lichtbildausweis vorzulegen.

Cognizant ist ein Arbeitgeber mit Chancengleichheit. Ihre Bewerbung und Kandidatur werden nicht aufgrund von Rasse, Hautfarbe, Geschlecht, Religion, Glaubensbekenntnis, sexueller Orientierung, Geschlechtsidentität, nationaler Herkunft, Behinderung, genetischen Informationen, Schwangerschaft, Veteranenstatus oder sonstiger durch bundes‑, landes‑ oder kommunalrechtliche Vorschriften geschützter Merkmale berücksichtigt oder abgelehnt.