
Application Security Principal

Who we are

Founded in 1999 and headquartered in Central Ohio, we’re a privately-owned, independent healthcare navigation organization. We believe that no one should have to navigate the cost and complexity of healthcare alone, and we’re on a mission to make healthcare simpler and more effective for our millions of members. Our big-hearted, tech-savvy team fights to ensure that our members get the care they need, when they need it, at the most affordable cost – that’s why we call ourselves Healthcare Warriors®.

We’re committed to building diverse and inclusive teams – more than 2,000 of us and counting – so if you’re excited about this position, we encourage you to apply – even if your experience doesn’t match every requirement.

About the role

The Application Security Principal is a senior, hands-on security leader who reports directly to the Chief Information Security Officer (CISO) and is responsible for building, operating, and continuously improving the enterprise Application Security (AppSec) program. The role is deeply embedded within software engineering initiatives, working side-by-side with development teams to enable secure-by-design and secure-by-default software delivery. This leader focuses on teaching, mentoring, and influencing engineers to write secure code and to effectively use modern AppSec tools and automation to reduce risk while maintaining delivery velocity.

The role operates in a regulated healthcare environment and ensures alignment with HIPAA and HITRUST requirements.

Location: This position is located at our Dublin, OH campus or may work remotely anywhere in the United States of America.

What you’ll do (Essential Responsibilities)

Create, own, and drive the enterprise Application Security program, including vision, strategy, roadmap, and operating model.
Embed within software engineering projects to provide hands-on guidance for secure design, coding, testing, and deployment practices.
Teach, mentor, and lead software engineers to improve secure coding skills and security decision-making throughout the SDLC.
Define and operationalize a secure SDLC, including threat modeling, secure design reviews, automated security testing, and release controls.
Own and optimize application security tooling and workflows, including Snyk, SonarCloud, GitHub Advanced Security, GitHub Copilot, Palisade, and related CI/CD integrations.
Establish developer-friendly remediation workflows, including prioritized findings, fix guidance, and automation where possible.
Partner with Engineering and Product leadership to align application security priorities with business objectives and delivery timelines.
Lead threat modeling and architectural risk assessments for new applications, APIs, and major enhancements.
Develop and track AppSec metrics and KPIs that demonstrate risk reduction, coverage, and program effectiveness.
Ensure application security controls and practices meet HIPAA Security Rule and HITRUST CSF requirements and support audit readiness.
Collaborate with infrastructure, cloud, and enterprise security teams on identity, secrets management, and secure platform patterns.
Support security incident response activities related to application vulnerabilities and contribute to root-cause analysis and long-term remediation.
Build and lead an application security champions or guild program to scale secure development practices across teams.
All other duties as assigned.

What you’ll bring (Qualifications)

Experience:

Extensive experience designing and leading application security programs within complex enterprise environments.
Strong background in software engineering with the ability to read, review, and reason about code for security issues.
Hands-on experience integrating and operating modern AppSec tools such as Snyk, SonarCloud, GitHub Advanced Security, and CI/CD pipelines.
Experience guiding developers in the effective and responsible use of AI-assisted development tools such as GitHub Copilot.
Deep understanding of secure SDLC principles, threat modeling methodologies, and common application vulnerability classes.
Experience securing cloud-native, API-driven, and microservices-based architectures.
Strong knowledge of healthcare regulatory requirements, including HIPAA and HITRUST, and their application to software development.
Proven ability to influence without authority and to build strong partnerships with engineering and product teams.
Excellent communication and teaching skills, with the ability to translate security concepts into practical developer guidance.
Demonstrated leadership, program management, and strategic planning capabilities.
A high degree of personal accountability and trustworthiness, a commitment to working within Quantum Health’s policies, values and ethics, and protecting the sensitive data entrusted to us.