Lead DevSecOps Engineer
Job order - J0526-2182 - Permanent Full Time
Title : Lead DevSecOps Engineer
Category : Analytics and Emerging Digital Technologies
City : Various, United States
Job Description
CGI is seeking a Lead DevSecOps Engineer to champion secure‑by‑design engineering across our cloud and application platforms. You will lead the integration of security into CI/CD pipelines, architect secure cloud environments, and guide teams in adopting modern DevSecOps practices.
This is a high‑impact leadership role where you will influence strategy, mentor engineers, and shape CGI’s security posture across mission‑critical systems.
We're standing up a dedicated vulnerability management practice at one of the largest banks in the US, automating what two vendor teams currently do by hand, and building the AI layer that takes it further.
The work is hands‑on, the impact is visible, and you'll have a delivery team ready to execute with you from day one.
This position is located at our client site in Cleveland, OH, Pittsburgh, PA, or Dallas, TX. For this role on this particular client engagement, employer sponsorship of immigration-related visa and/or green card status as part of the PERM process will not be available.
Future duties and responsibilities
DevSecOps Practice Leadership
Build and lead the DevSecOps engineering practice across all three execution crews: Platform & Infra, Application/Data/Middleware, and Container & TRC.
Own the Definition of Done for vulnerability remediation across all 130 mnemonics: define what constitutes a properly remediated, validated, and closed item before Archer POAM closure and rescan submission.
Coach GCC offshore engineers on PNC‑specific practices including Bitbucket branching standards, Jenkins pipeline security gates, PAC enforcement, and CaaS container security policies. Act as the technical escalation point between execution crews and the Solution Architect.
Jenkins Pipeline Security and Automation
Own the security and reliability of all Jenkins pipelines used for vulnerability remediation automation including PR generation, RITM automation, and remediation validation.
Implement and maintain security gates within Jenkins pipelines enforcing PAC policy checks, scan thresholds, and approval workflows before any automated fix proceeds.
Build and maintain Jenkins shared library components for reusable pipeline steps covering Archer status updates, ServiceNow RITM creation, Sysdig alert ingestion, and rescan triggering.
Ensure all pipeline changes go through client's CAB review process and do not bypass deployment governance.
Bitbucket and Artifactory Operations
Own the Bitbucket repository structure and branching standards for the CGI GCC automation codebase including runbook scripts, Python tools, Ansible playbooks, and Terraform modules.
Manage Bitbucket PR workflow configurations including required reviewers, merge checks, and automated status checks that enforce quality gates before remediation scripts are merged.
Maintain Artifactory integration within the vulnerability remediation pipeline managing artifact promotion, dependency resolution, and scanning to ensure no vulnerable dependencies are introduced into the automation toolchain.
Policy‑as‑Code and Compliance Automation
Implement and maintain client PAC policy rules governing vulnerability remediation automation, ensuring automated remediations comply with client's security policies before execution.
Build Ansible playbooks for repeatable infrastructure remediation patterns including OS patch application, SSL/TLS configuration updates, and server hardening aligned to client standards.
Develop Terraform modules for infrastructure‑level vulnerability remediations requiring environment configuration changes.
Implement automated compliance evidence generation producing audit‑ready outputs from Jenkins pipeline executions that satisfy client's OCC, FFIEC, and SOX audit requirements.
Vulnerability Tool Operations
Own the day‑to‑day health and configuration of all vulnerability tool integrations including Archer API connections, Tanium feed ingestion, Sysdig alert routing, SecurityCenter data pipelines, and Imperva alert processing.
Maintain the Python‑based ServiceNow integration that creates, routes, and tracks RITMs to PNC platform teams including Converge, Firewall, DBA, Patching, NAS, and DNS without manual intervention.
Monitor Sysdig feed health ensuring Docker/CaaS vulnerability alerts are correctly processed and deduplicated against Archer records.
Manage scan credential rotation for authenticated scans across Tanium, SecurityCenter, and Sysdig to prevent scan coverage gaps.
Secrets and Access Management
Own secrets management for all automation pipelines and service accounts via CyberArk in compliance with PNC's credential management standards.
Ensure least‑privilege access for all Jenkins service accounts, Bitbucket automation users, and Archer API integrations with quarterly access reviews.
Maintain CyberArk integration within Jenkins pipelines ensuring no credentials are hardcoded in Jenkinsfiles, Ansible playbooks, Python scripts, or Terraform configurations.
Reporting and Observability
Build and maintain the unified vulnerability SLA dashboard in Archer providing real‑time view of open vulnerability counts by severity, MTTR by crew, backlog burn‑down by mnemonic, and SLA compliance rate for PNC leadership.
Develop automated weekly SLA reports integrating Archer vulnerability status, Jira sprint metrics, and ServiceNow RITM resolution times into a single consolidated view.
Maintain Confluence documentation for all automation pipelines, runbooks, and DevSecOps standards.
Shift‑Left and Continuous Improvement
Drive shift‑left security practices within client's BTI Retail, Lending, AMG, and CIB application teams by embedding PAC checks and container security scanning in Bitbucket PR pipelines before vulnerabilities surface in Sysdig scans.
Identify and implement automation improvements targeting the highest volume repeatable remediation patterns.
Contribute operational insights from pipeline execution data to the Solution Architect and AI/ML Engineers to continuously improve the AI triage engine.
Required Qualifications
7+ years of hands‑on DevSecOps or security automation engineering in enterprise environments.
Deep Jenkins experience in production at enterprise scale: shared library development, pipeline‑as‑code, credential management, plugin administration, and troubleshooting in multi‑team environments.
Bitbucket administration and pipeline integration: branch permissions, PR workflow configuration, webhook‑driven automation, and Jenkins integration patterns.
Artifactory: dependency management, artifact promotion, repository configuration, and security scanning integration.
Python at production quality: REST API integrations, data pipeline code, and automation scripts that GCC engineers will maintain.
Ansible: writing and maintaining playbooks for OS‑level and middleware‑level remediations on Linux and Windows.
Terraform: writing modules for infrastructure configuration changes with proper state management and change governance.
Policy‑as‑code implementation: OPA/Conftest or equivalent enforcing security standards within CI/CD pipelines at runtime.
REST API integration: production integrations against Archer GRC, ServiceNow, and Jira APIs.
Container platform operations: Docker and OpenShift/OCP specifically including image management, CaaS operations, and container security scanning.
Vulnerability management platform experience: Archer GRC, Tanium, or SecurityCenter in an operational day‑to‑day capacity.
CyberArk secrets management: integrating CyberArk with CI/CD pipelines and enforcing no‑hardcoded‑credentials standards.
Banking or financial services environment: CAB process, change window management, production deployment governance, and audit evidence requirements in a regulated context. Non‑negotiable for this engagement.
Preferred Qualifications
Direct PNC environment experience: familiarity with Converge, Micron framework, CaaS/OCP configuration, or BTI Retail/Lending mnemonic structure.
Sysdig operational experience: container vulnerability scanning, alert configuration, and downstream triage integration.
Tanium experience: endpoint detection, vulnerability data extraction, and API integration.
LangChain or AI agent pipeline experience: Phase 2 introduces an AI triage engine and engineers who can contribute to its operational integration will be more effective.
Jira administration and Confluence technical documentation at production quality.
Compensation and Benefits
CGI is required by law to provide an estimate of the compensation range for this role: $57,100.00 - $154,300.00. Benefits are offered to eligible professionals on their first day of employment and include competitive compensation, comprehensive insurance options, matching contributions through the 401(k) plan and the share purchase plan, paid time off for vacation, holidays, and sick time, paid parental leave, learning opportunities and tuition assistance, wellness and well‑being programs.
Equal Opportunity Employer
CGI provides qualified applicants with consideration for employment without regard to race, ethnicity, ancestry, color, sex, religion, creed, age, national origin, citizenship status, disability, pregnancy, medical condition, military and veteran status, marital status, sexual orientation or perceived sexual orientation, gender, gender identity, and gender expression, familial status or responsibilities, reproductive health decisions, political affiliation, genetic information, height, weight, or any other legally protected status or characteristics to the extent required by applicable federal, state, and/or local laws.
CGI provides reasonable accommodations to qualified individuals with disabilities. If you need an accommodation to apply for a job in the U.S., please email the CGI U.S. Employment Compliance mailbox at US_Employment_Compliance@cgi.com with the Position ID. This email address is only to be used for those individuals who need an accommodation to apply for a job. Emails for any other reason or those that do not include a Position ID will not be returned.
CGI will not discriminate against employees or applicants that inquire about pay. Unlocking compensation information must comply with legal duties.
All CGI offers of employment in the U.S. are contingent upon the background investigation. Background investigation components vary based on assignment and level of required clearance. Some may include a credit check. CGI will consider qualified applicants with arrests and convictions in accordance with all regulations.