Cyber DevSecOps Manager (m/f/d)

What this position is about – Purpose:    This position exists to ensure the consistent security of JTI’s Digital Ecosystem (DES) and global applications, including e-commerce solutions. The role is responsible for defining and implementing technical security standards across these platforms, embedding secure DevOps practices into CI/CD environments (e.g., Azure DevOps, GitLab, GitHub), and protecting applications from internal and external threats while promoting shift-left security practices throughout the software development lifecycle. As part of the Cyber Security Centre, this role contributes to the delivery of high-quality, cost-effective security services across JTI’s global infrastructure and application landscape—including security architecture, design, innovation, assurance, service delivery, and SOC operations. The position also drives the adoption of security tools and best practices, conducts threat assessments, and partners closely with engineering, product, and operations teams to ensure the secure design, development, and deployment of cloud-based and mobile solutions. It requires a strong foundation in cloud and container security, Secure SDLC, application security tooling (e.g., SAST, DAST, SCA), and secure coding principles, with a particular focus on Azure environments. Ultimately, this role is critical to maintaining a secure, compliant, and resilient digital environment aligned with corporate and industry security standards.       What will you do – Responsibilities:    Security Integration in CI/CD   Responsible for integrating and maintaining security tools in the CI/CD pipeline to ensure secure development and deployment Assist in identifying, tracking, and prioritizing security vulnerabilities in the development environment Support the remediation of vulnerabilities, collaborating with development and operations teams to address security issues   Security Tool Administration, Monitoring and Reporting   Assist in configuring, maintaining, and troubleshooting security tools used in the CI/CD pipeline, such as static and dynamic application security testing (SAST/DAST), and software composition analysis (SCA) Ensure that tools are functioning properly, with regular updates and maintenance to keep them current Monitor CI/CD environments for security threats, running regular security scans and audits Assist in generating reports on security findings, tracking resolution progress, and ensuring transparency in security posture   Security Awareness & Training   Contribute to security awareness initiatives within development teams, promoting secure coding practices Educate teams on common vulnerabilities and industry best practices to enhance overall security knowledge   Governance   Ensure adherence to security standards, frameworks (e.g. OWASP, NIST, ISO, PCI DSS), and JTI security policies Support the development of security policies, ensuring that security best practices are consistently followed across the team     Who are we looking for – Requirements:    Education: University degree in Computer Science, Computer Engineering, Information Systems, or related field or relevant experience   Work experience: working experience on the following new technology trends:   5+ years of solid knowledge in cloud and container security, including the specific characteristics of cloud-based security services and securing web/mobile applications 5+ years of hands-on experience in operational Cybersecurity, DevOps, or DevSecOps, with strong knowledge of the Secure SDLC approach and the ability to articulate security goals, lifecycle stages, and related processes Experience implementing Secure SDLC and integrating security into CI/CD pipelines with a shift-left approach Proficient in Azure, Python, Bash, and using tools like SCA, SAST, DAST/IAST, and image scanning Knowledge of security standards (OWASP, NIST, ISO, PCI DSS) and experience with tools like Blackduck, Coverity on Polaris, Advanced Security, WIZ etc. Familiar with cloud-native security controls, secure coding practices, and threat modeling (e.g., OWASP Threat Dragon) Strong knowledge of network security, including common protocols and the OSI model. Hands-on experience with Infrastructure-as-Code (IaC) tools (e.g., Terraform), and CI/CD platforms such as GitLab, Azure DevOps, and GitHub, including integrating security tools into pipelines. Good understanding of containerization and Kubernetes, especially from a security perspective.   Language: English professional working proficiency (spoken and written)