BANAMEX - Head of Security Architecture
Citigroup
**Security Architect — Banamex**
Banamex is transforming—and we’re doing it from the inside out.
We’re rebuilding one of Mexico’s most iconic banks into a **modern, secure, cloud-first financial platform** that moves at fintech speed but with the scale and trust of a national institution.
As our **Security Architect**, you’ll report directly to the **CTO** and become the **architectural backbone** of that transformation. Your mission: design the next-generation security fabric that protects millions of customers while empowering engineers to deliver faster, safer, and smarter.
You won’t be maintaining controls—you’ll be **defining what secure banking looks like for the next decade**. From **Zero Trust architecture and DevSecOps pipelines** to **SPEI/CoDi payments, cloud workloads, and digital identity**, you’ll embed resilience, privacy, and compliance into every product we launch.
This is a role for someone who wants to **build patterns that outlive them**, influence architectural decisions at the highest level, and see their work ripple across the entire Mexican financial ecosystem.
If you want to make impact—not noise—this is where it happens.
**What you’ll own**
+ **Target Security Architecture:** Define and evolve reference architectures, control patterns, and guardrails for on-prem, cloud (AWS/Azure/GCP), and hybrid environments.
+ **Design Authority:** Lead architecture reviews and formal threat modeling (STRIDE/LINDDUN); document risk-based decisions that stand up to audit.
+ **Zero-Trust & Identity:** Drive identity-centric designs (OIDC/OAuth2/SAML, MFA, PAM), workload identity, micro-segmentation, and continuous verification.
+ **Data Security:** Standardize encryption at rest/in transit, KMS/HSM usage, tokenization, data classification, DLP, and secrets management.
+ **Cloud & Container Security:** Patterns for Kubernetes, serverless, and IaC (Terraform); adopt policy-as-code (OPA/Conftest), image signing, and runtime protections.
+ **DevSecOps Enablement:** Embed SAST/DAST/IAST/SCA and IaC scanning into CI/CD; create reusable modules and golden paths developers love.
+ **Payments & Channels:** Architect controls for SPEI/CoDi rails, card issuing/acquiring, mobile/web apps, and open banking APIs.
+ **Third-Party & SaaS:** Intake standards, vendor architecture reviews, compensating controls, and continuous monitoring.
+ **Detection & Response Architecture:** Telemetry standards and use cases for SIEM/SOAR/EDR/NDR aligned to MITRE ATT&CK.
+ **Compliance by Design:** Map controls and evidence to CNBV/Bank of Mexico expectations, PCI DSS, ISO 27001, SOX/GLBA equivalents, and FFIEC-aligned practices.
+ **Executive Storytelling:** Translate technical risk into business impact for the CTO, Architecture Board, and senior leadership.
**What makes this opportunity special**
+ **Direct impact at the top:** Report to the CTO and shape bank-wide technology strategy.
+ **National scale:** Your patterns secure mission-critical platforms used across Mexico.
+ **Modernization with purpose:** Move fast with strong guardrails—security that accelerates delivery, not slows it.
+ **Growth & visibility:** Present to executive forums, mentor engineers, and build the bank’s security pattern library.
**What you’ve done (Required)**
+ 10+ years in security engineering/architecture; 3+ designing enterprise systems in regulated industries (banking/fintech preferred).
+ Owned reference architectures and security patterns across cloud + on-prem.
+ Depth in identity (OAuth2/OIDC/SAML), IAM/PAM, Zero Trust, and secrets management.
+ Practical cryptography (TLS/mTLS, key mgmt, HSM/KMS), data protection, and classification.
+ DevSecOps experience integrating SAST/DAST/SCA, container/K8s security, and IaC scanning into pipelines.
+ Designed logging/telemetry for SIEM/SOAR with clear detection use cases.
+ Proven track record translating regulatory requirements into automated, auditable controls.
+ Excellent documentation (C4/sequence diagrams) and executive communication.
**Nice to have**
+ Payments (SPEI/CoDi), open banking APIs, card rails, fraud-signal integration.
+ Mobile/web AppSec (OWASP ASVS/MASVS) and customer identity (CIAM).
+ Mainframe or legacy modernization security patterns.
+ Certifications: CISSP, CCSP, ISSAP, CSSLP, OSCP, AWS/Azure Security Specialty (or equivalent experience).
------------------------------------------------------
**Job Family Group:**
Technology
------------------------------------------------------
**Job Family:**
Digital Software Engineering
------------------------------------------------------
**Time Type:**
Full time
------------------------------------------------------
**Most Relevant Skills**
Please see the requirements listed above.
------------------------------------------------------
**Other Relevant Skills**
For complementary skills, please see above and/or contact the recruiter.
------------------------------------------------------
_Citi is an equal opportunity employer, and qualified candidates will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other characteristic protected by law._
_If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity, review Accessibility at Citi (https://www.citigroup.com/citi/accessibility/application-accessibility.htm)._
_View Citi’s EEO Policy Statement (https://www.citigroup.com/global/eeo-aa-policy) and the Know Your Rights (https://www.eeoc.gov/sites/default/files/2023-06/22-088\_EEOC\_KnowYourRights6.12ScreenRdr.pdf) poster._
Citi is an equal opportunity and affirmative action employer.
Minority/Female/Veteran/Individuals with Disabilities/Sexual Orientation/Gender Identity.