Aller au contenu principal

Senior DevSecOps - Cyber Security (Consulting)

47350

The Company

Cognizant (NASDAQ:CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant has over 340,000 employees as of January 2025. Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 1000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world.

About Cognizant Consulting

To be digital, companies today must have organizational velocity approaching speed of light while providing individualized offerings that result in fanatical levels of customer satisfaction—all with laser-focused cost control. And from applications to infrastructure, processes to operational models and interfaces to experiences—there are digital forces driving change in every part of our clients’ organization. At Cognizant, our consultants orchestrate the capabilities to truly change the game—across strategy, design, technology and industry/functional knowledge to deliver insight at speed and solutions at scale. Our approach is built around elevating business understanding of the aspirations and unique abilities of customers and employees and by building these relationships based on trust and value.

More information? Please visit https://www.cognizant.com/consulting

About the Role

We are seeking a Senior DevSecOps / Security Consultant to assess, embed and uplift security practices across our client’s software delivery lifecycle. This is a security-first role. You come from a cyber security background, not a developer who has pivoted into security, and you will spend your time advising and coaching engineering squads to help them design, build and operate platforms securely by default.

The role is not about deploying a new security toolchain from scratch. The client already has tooling in flight; your job is to make it land. That means running a structured maturity assessment, prioritizing what matters, embedding existing tools properly into developer workflows, and coaching teams to use them well. You will be the bridge between Information Security and Engineering, moving the client beyond point-in-time audits towards a continuous, automated, “shift-left” model.

What You’ll Do - Run the DevSecOps Maturity Assessment

  • Conduct a comprehensive, evidence-based audit of the client’s current DevSecOps capabilities against recognised industry frameworks. Primarily OWASP SAMM and NIST SSDF, supported where relevant by OWASP ASVS, the NIST Cybersecurity Framework and MITRE ATT&CK for attacker-perspective coverage.

  • Assess the adoption, configuration and effectiveness of existing controls across SAST, SCA, DAST, IaC scanning, container security and secrets management. The assessment should distinguish between tools that are deployed, tools that are actually running, and tools that are genuinely influencing developer behaviour.

  • Engage stakeholders across engineering, platform, InfoSec and product to gather both qualitative inputs (interviews, workshops) and quantitative evidence (pipeline telemetry, scan coverage, finding-to-fix data).

  • Score each product line against SAMM business functions (Governance, Design, Implementation, Verification, Operations) and produce a clear maturity scorecard that highlights where the organisation sits today and what “good” looks like in 12 months.

  • Produce a prioritised 12-month roadmap, sequenced by risk reduction, delivery effort and developer impact, partnering with Kuan (InfoSec) to align the roadmap with broader security strategy.

  • Re-baseline maturity periodically through the engagement so progress is measurable and defensible to senior stakeholders.

Embed Existing Security Tooling into Developer Workflows

  • Take the tools the client has already invested in (such as Snyk, SonarQube and CI/CD platforms like GitHub Actions, Azure DevOps or GitLab) and make them genuinely useful: properly integrated, sensibly configured, and well understood by the engineers using them.

  • Tune signal-to-noise ratio aggressively. Triage backlogs, suppress false positives with documented rationale, calibrate severity thresholds, and ensure that what reaches a developer is genuinely actionable.

  • Refine CI/CD security gates so that they block what truly matters and stay out of the way of everything else, protecting both security outcomes and developer flow.

  • Improve the developer experience of existing controls: clearer failure messages, faster feedback, IDE and pre-commit integrations where they add value, and golden-path templates that make the secure route the easy route.

  • Curate and maintain a library of secure CI/CD reference patterns built on the client’s current stack, so squads can adopt proven, opinionated guardrails rather than reinventing them.

Coach and Enable Engineering Teams

  • Embed with developer squads as their trusted security partner, attending stand-ups, sprint planning and design reviews to bring a security lens to day-to-day delivery.

  • Run secure-coding clinics, brown-bag sessions and pairing sessions to lift the security capability of engineers across multiple product lines.

  • Translate vulnerability findings into clear, contextualised remediation guidance that developers can act on without hand-holding.

  • Champion a “security as an enabler, not a blocker” culture, building credibility with engineering by being pragmatic, hands-on and delivery-aware.

  • Develop enablement materials such as playbooks, cheat sheets and onboarding guides that scale your impact beyond the squads you work with directly.

Lead Threat Modelling and Secure Design

  • Facilitate threat-modelling sessions at the design phase of new services, features and platform changes, using STRIDE for systematic decomposition and MITRE ATT&CK to ground the conversation in real-world attacker techniques.

  • Produce lightweight, developer-friendly threat models and secure design patterns that teams can reuse across the estate.

  • Identify abuse cases, trust boundaries and data-flow risks early, and translate these into concrete acceptance criteria, controls and tests, mapped to MITRE ATT&CK techniques where it helps prioritisation.

  • Advise on secure-by-default choices for cloud-native workloads: authentication, secrets handling, network segmentation, data protection and least privilege.

Track Metrics, Governance and Progress

  • Define and track meaningful KPIs such as vulnerability burn-down, mean time to remediate, pipeline coverage and gate effectiveness, and report progress to both engineering and InfoSec leadership.

  • Use metrics to evidence movement against the maturity roadmap and to guide where to invest coaching and embedding effort next.

  • Ensure controls remain aligned with internal security standards, OWASP guidance, MITRE ATT&CK coverage objectives and relevant compliance obligations.

What We’re Looking For - Background and Mindset

  • A security professional first. Your career has been built in cyber security, application security or DevSecOps, rather than as a developer who has moved into security.

  • Comfortable in code: you read pipelines, IaC and application code fluently enough to have credible technical conversations with senior engineers, even if you are not a full-time developer yourself.

  • Pragmatic, collaborative and delivery-minded. You understand that security only works when engineering teams want to use it.

Essential Skills and Experience

  • Demonstrable experience running DevSecOps or AppSec maturity assessments using OWASP SAMM and / or NIST SSDF, and translating findings into prioritised, achievable roadmaps.

  • A track record of embedding security tooling into existing developer workflows. Not just deploying tools, but driving real adoption, tuning signal-to-noise, and lifting the developer experience.

  • Working knowledge of CI/CD security tooling (SAST, SCA, DAST, IaC scanning and secrets detection) and platforms such as GitHub Actions, Azure DevOps or GitLab.

  • Solid grounding in container and cloud workload security: Docker, Kubernetes and at least one major cloud provider (Azure, AWS or GCP).

  • Experience facilitating threat-modelling and secure design workshops with mixed audiences of developers, architects and product owners, including practical use of STRIDE and MITRE ATT&CK.

  • Familiarity with OWASP (ASVS, Top 10, SAMM), NIST (SSDF, CSF) and MITRE ATT&CK, with the ability to apply them practically rather than as a checklist.

  • Strong communication skills. You can explain a complex risk to a developer, a delivery lead and a CISO, and adjust your register for each.

Desirable

  • Industry certifications such as CISSP, CCSP, CSSLP, CCSK or equivalent.

  • Exposure to policy-as-code (e.g. OPA / Conftest, Checkov, tfsec) and supply-chain tooling (e.g. SBOMs, Sigstore). Useful for advising clients but not the primary focus of the role.

  • Awareness of AI / LLM application security concerns (e.g. OWASP Top 10 for LLMs, MITRE ATLAS) and how they reshape secure-design conversations.

  • Prior consulting experience and the ability to navigate client environments, manage stakeholders and contribute to bid or proposal work where appropriate.

Expected Deliverables

  • A formal DevSecOps Maturity Assessment Report, including scorecard against OWASP SAMM and NIST SSDF, with attacker-perspective coverage informed by MITRE ATT&CK.

  • A prioritised 12-month Shift-Left Implementation Roadmap, sequenced by risk and effort.

  • A library of Secure CI/CD Reference Patterns built on the client’s existing tooling.

  • Developer enablement materials including playbooks, secure design patterns and training collateral.

  • A live Security Metrics view evidencing progress against the maturity roadmap.

Engagement Details

  • Hybrid working, with on-site presence at the client location as required by the engagement.

  • Initial engagement length and rate / package will be confirmed during the screening conversation, dependent on contractor or FTE preference.

  • Reporting into the Engagement Lead, working alongside the client’s Head of InfoSec who leads the security workstream.

À propos de nous : 
Cognizant (NASDAQ : CTSH) est un concepteur d’IA et un fournisseur de services technologiques. Avec notre gamme de solutions IA full-stack, nous accompagnons nos clients au carrefour de l’investissement dans l’IA et de la valeur ajoutée. Notre grande expertise sectorielle, des processus et de l’ingénierie nous permet de convertir le contexte propre à chaque entreprise en systèmes technologiques amplificateurs du potentiel humain, générateurs de résultats tangibles et garants de l’avantage des acteurs internationaux dans un monde en constante évolution. Découvrez notre méthode sur www.cognizant.com ou suivez @cognizant.

Renseignments suppplémentaires sur l'emploi
Les informations relatives à la rémunération du poste à pourvoir dépendent de la date de publication de l’offre de poste. Cognizant se réserve le droit de modifier ces informations à tout moment, sous réserve des lois applicables.

Cognizant est un employeur soucieux de l'égalité des chances entre candidats. Votre candidature sera étudiée indépendamment de votre race, couleur, sexe, religion, croyances, orientation sexuelle, identité de genre, origine, handicap, informations génétiques, grossesse, statut d'ancien militaire ou de toute autre critère jugé discriminant par les lois européennes ou françaises.

Vous êtes porteur d'un handicap, vous pouvez-nous contacter par courriel [email protected] si vous souhaitez préciser les aménagements nécessaires pour le poste ou les entretiens à venir.

Les candidats peuvent être invités à participer à des entretiens en face à face ou par vidéoconférence. En outre, les candidats peuvent être amenés à présenter une carte d'identité valide lors de chaque entretien.

Des avantages sociaux qui font la différence

un dessin au trait bleu d’une plante avec des feuilles

Bien-être financier

Nous révisons régulièrement les données du marché afin d’assurer que la rémunération reflète la valeur que vous apportez. Vos avantages vont au‑delà du salaire et peuvent inclure des régimes de retraite avec cotisations de contrepartie, des formations financières, etc.

Stay Healthy Midnight Blue RGB

Bien-être physique et mental

Nous vous encourageons à prioriser votre bien‑être grâce aux congés rémunérés, au travail flexible lorsque possible, aux régimes de soins de santé, à la counseling clinique, à notre programme d’alliance en santé mentale, et plus encore.

Build The Career You Want Midnight Blue RGB

Votre carrière, à votre façon

Avec plus de 350 000 rôles chez Cognizant, vous aurez l’occasion d’explorer de nouvelles technologies, de nouveaux secteurs et de nouveaux lieux—et de développer les compétences dont vous avez besoin pour faire évoluer votre carrière.

Making A Meaningful Impact Midnight Blue RGB

Un impact concret

Pensez aux marques sur lesquelles vous comptez au quotidien. Il y a de fortes chances qu’elles comptent aussi sur nous pour renforcer leur entreprise. Ici, vous transformerez des idées audacieuses en solutions qui améliorent la vie des gens à travers le monde.

Votre parcours vers Cognizant

Voici ce à quoi vous pouvez vous attendre de notre processus de recrutement. Veuillez noter qu’il peut varier selon le poste et le lieu. Consultez notre FAQ pour en savoir plus.

une personne assise à une table à l’aide d’un ordinateur portable

Étape 1: Trouvez votre rôle et postulez

Trouvez un poste ouvert qui correspond à vos compétences et à vos objectifs de carrière, puis montrez‑nous pourquoi vous êtes la personne idéale pour ce rôle. Si aucun poste ne correspond à votre profil pour le moment, veuillez rejoindre notre communauté de talents.

une personne tenant une tablette et parlant au téléphone

Étape 2: Discutez avec un recruteur

Si l’un de nos recruteurs détermine que vous convenez au poste, il vous contactera pour organiser un court entretien visant à mieux comprendre votre parcours et vos compétences.

une personne souriante à une table avec un ordinateur portable

Étape 3: Montrez vos talents

Si vous et notre équipe souhaitent poursuivre le processus, vous rencontrerez notre équipe d’embauche. Certains postes peuvent également nécessiter des évaluations techniques et/ou des entrevues avec des clients.

un groupe de personnes assises autour d’une table

Étape 4: Décision finale

Notre équipe examinera ensuite le potentiel de chaque candidat à réussir dans le rôle. Cette étape peut prendre un peu de temps car nous voulons prendre la bonne décision—mais vous pouvez compter sur nous pour vous tenir informé(e).

Vous n’avez pas trouvé la bonne opportunité?

Recevez les dernières mises à jour sur nos offres d'emploi, nos événements de recrutement et notre actualité adaptée juste pour vous.

S'inscrire