Head of Application Security

Saint Louis

Thursday, 21 May 2026

This job posting is anticipated to remain open for 30 days, from 20-May-2026. The posting may close early due to the volume of applicants.

Join a financial services firm where your contributions are valued. Edward Jones is a Fortune 500 company where people come first. With over 9 million clients and 20,000 financial advisors across the U.S. and Canada, we're proud to be privately owned, placing the focus on our clients rather than shareholder returns. Behind everything we do is our purpose: We partner for positive impact to improve the lives of our clients and colleagues, and together, better our communities and society. We are an innovative, flexible, and inclusive organization that attracts, develops, and inspires performance excellence and a sense of belonging. People are at the center of our partnership. Edward Jones associates are seen, heard, respected, and supported. This is what we believe makes us the best place to start or build your career. View our Purpose, Inclusion and Citizenship Report.

Fortune 500, published June 2024, data as of December 2023. Compensation provided for using, not obtaining, the rating.

Team Overview

Edward Jones is seeking a Head of Application Security to lead the enterprise strategy and execution of secure software delivery across a complex, highly regulated environment. Reporting directly to the Chief Information Security Officer (CISO), this leader will own and scale the firm's application security program, ensuring that all code is developed, tested, and deployed securely, and that security is embedded across the full software development lifecycle (SDLC). The selected candidate will lead a team responsible for secure coding governance and deployment pipelines, secure coding training for developers, threat modeling, SBOM/SBOM-Bs completion and management for applications, and penetration testing, driving measurable risk reduction while enabling technology teams to deliver at speed.

This is a highly visible role requiring strong executive influence, deep technical credibility, and the ability to build durable partnerships across Engineering, Architecture, DevOps/SRE, Risk, Compliance, and Audit.

What You'll Do

Enterprise Application Security Strategy & Governance:
- Define and execute the enterprise Application Security strategy and operating model, aligned to business priorities and risk appetite.
- Establish and maintain enterprise secure SDLC standards (policies, controls, patterns, and reference architectures) across modern and legacy environments.
- Establish and maintain enterprise standards related to the secure use of AI developer tools.
- Set the vision for secure-by-design engineering practices and embed them into platform and product delivery.

Secure Code Development & Deployment:
- Ensure secure coding practices and controls are implemented across all engineering teams (e.g., code review requirements, security gates, CI/CD integration).
- Drive adoption of automated security testing within pipelines (e.g., SAST, SCA, secrets detection) and ensure outcomes are actionable and measurable.
- Establish expectations and quality thresholds to prevent high-risk code from being promoted into production.

Threat Modeling (Enterprise Standardization & Coverage):
- Own the enterprise threat modeling methodology, tooling, templates, and training.
- Ensure threat models are completed for all applications, including material changes and new product launches.
- Partner with Architecture and Engineering leaders to translate threat model outputs into prioritized remediation and design improvements.

SBOM/SBOM-Bs Program Ownership:
- Establish and operationalize enterprise requirements for SBOM generation, validation, storage, and continuous monitoring.
- Ensure SBOM/SBOM-Bs are completed for all applications and integrate results into vulnerability management and third-party risk processes.
- Drive supply chain security posture improvements (e.g., dependency governance, provenance controls, patch/upgrade cadences).

Penetration Testing & Offensive Security Delivery:
- Ensure penetration testing is completed for applications according to risk tiering, launch criteria, and regulatory expectations.
- Establish testing scope standards (web, mobile, APIs, microservices, cloud-native) and ensure findings lead to measurable risk reduction.
- Develop executive-ready reporting that demonstrates coverage, trends, and remediation progress.

Risk Management, Metrics & Executive Reporting:
- Define and manage KPIs/KRIs for AppSec (coverage, vulnerability trends, remediation SLAs, pentest outcomes, threat model completion rates, SBOM compliance).
- Provide regular briefings to the CISO and senior leadership on AppSec posture, emerging risks, and investment needs.
- Partner with Audit, Risk, Legal, and Compliance to demonstrate defensible controls and evidence-based outcomes.

Leadership & Organizational Development:
- Lead, mentor, and scale a high-performing team of AppSec engineers, threat modelers, penetration testers, and program leaders.
- Create career paths, operating rhythms, and a continuous improvement culture; optimize for both risk reduction and developer experience.
- Manage budget, tooling portfolio, and vendor relationships to achieve outcomes efficiently.

Stakeholder Influence & Change Management:
- Drive cross-functional alignment across Engineering, Product, DevOps, Infrastructure, and Architecture.
- Influence senior technology leaders to adopt secure patterns and to prioritize remediation based on risk.
- Build strong partnerships with enterprise vulnerability management and incident response teams to ensure seamless security operations integration.

What You'll Need (Qualifications)

- 12 years in cybersecurity with deep, hands-on application security leadership experience, including program ownership at scale.
- Proven executive leadership experience (e.g., Director/MD/VP level) leading teams and influencing enterprise outcomes.
- Demonstrated ability to implement and operationalize: secure SDLC and security controls integrated into CI/CD pipelines; threat modeling at scale (methodology adoption outcomes); SBOM/SBOM-Bs and software supply chain governance; penetration testing programs and remediation lifecycle management.
- Strong technical depth across modern application architectures (cloud, microservices, containers, APIs, mobile, web).
- Demonstrable knowledge of AI developer tools and how to use them securely in an enterprise environment.
- Experience partnering with Risk/Compliance/Audit in regulated environments (financial services preferred).
- Ability to communicate complex security topics clearly to executives and non-technical stakeholders.

Preferred Qualifications

- Experience with large-scale engineering transformation (DevSecOps, platform engineering, cloud migration).
- Familiarity with secure software supply chain practices and dependency governance.
- Recognized security certifications (e.g., CISSP, CISM, CSSLP, OSCP/OSWE, GIAC) are a plus.
- Experience defining application risk tiering models and security launch criteria.
- Experience with AI developer tools and technologies and how to use them responsibly and securely.

Core Competencies

- Executive presence and ability to influence at CISO/CTO/CIO levels
- Strong program management and operational rigor
- Ability to balance risk reduction with delivery enablement (security as an accelerator)
- Talent development and building high-trust, high-performance teams
- Data-driven decision making and metrics-based storytelling
