USA
Department Lead - Head of Application Security
**Innovate here. And see your ideas come to life.** It's an exciting time to work in tech at Edward Jones. We are making massive investments in emerging technologies to improve how we work with our clients and with each other. Relationships are the focus of our business model, and working in Technology here means using your skills to build, deliver and maintain the technologies that enable us to deepen and support those relationships. The best part? We develop and create our own industry-leading solutions internally, and you can be a part of it: working with emerging new technologies, creating platforms, programs and experiences that change how we work together and support our client-first focus, and changing the future of our firm, the industry and the advisor-client relationship.

**Job Overview**

**Position Schedule:** Full-Time

This job posting is anticipated to remain open for 30 days, from 03-Mar-2026. The posting may close early due to the volume of applicants.

**Team Overview**

Edward Jones is seeking a Head of Application Security to lead the enterprise strategy and execution of secure software delivery across a complex, highly regulated environment. Reporting directly to the Chief Information Security Officer (CISO), this leader will own and scale the firm's application security program, ensuring that all code is developed, tested, and deployed securely, and that security is embedded across the full software development lifecycle (SDLC). The selected candidate will lead a team responsible for secure coding governance and deployment pipelines, secure coding training for developers, threat modeling, SBOM/SBOMBs completion and management for applications, and penetration testing, driving measurable risk reduction while enabling technology teams to deliver at speed.

This is a highly visible role requiring strong executive influence, deep technical credibility, and the ability to build durable partnerships across Engineering, Architecture, DevOps/SRE, Risk, Compliance, and Audit.

**What You'll Do:**

+ **Enterprise Application Security Strategy & Governance:** Define and execute the enterprise Application Security strategy and operating model, aligned to business priorities and risk appetite. Establish and maintain enterprise secure SDLC standards (policies, controls, patterns, and reference architectures) across modern and legacy environments. Establish and maintain enterprise standards for the secure use of AI developer tools. Set the vision for "secure-by-design" engineering practices and embed them into platform and product delivery.
+ **Secure Code Development & Deployment:** Ensure secure coding practices and controls are implemented across all engineering teams (e.g., code review requirements, security gates, CI/CD integration). Drive adoption of automated security testing within pipelines (e.g., SAST, SCA, secrets detection) and ensure outcomes are actionable and measurable. Establish expectations and quality thresholds to prevent high-risk code from being promoted into production.
+ **Threat Modeling (Enterprise Standardization & Coverage):** Own the enterprise threat modeling methodology, tooling, templates, and training. Ensure threat models are completed for all applications, including material changes and new product launches. Partner with Architecture and Engineering leaders to translate threat model outputs into prioritized remediation and design improvements.
+ **SBOM / "SBOMBs" Program Ownership:** Establish and operationalize enterprise requirements for SBOM generation, validation, storage, and continuous monitoring. Ensure SBOM/SBOMBs are completed for all applications and integrate results into vulnerability management and third-party risk processes. Drive supply chain security posture improvements (e.g., dependency governance, provenance controls, patch/upgrade cadences).
+ **Penetration Testing & Offensive Security Delivery:** Ensure penetration testing is completed for applications according to risk tiering, launch criteria, and regulatory expectations. Establish testing scope standards (web, mobile, APIs, microservices, cloud-native) and ensure findings lead to measurable risk reduction. Develop executive-ready reporting that demonstrates coverage, trends, and remediation progress.
+ **Risk Management, Metrics & Executive Reporting:** Define and manage KPIs/KRIs for AppSec (coverage, vulnerability trends, remediation SLAs, pentest outcomes, threat model completion rates, SBOM compliance). Provide regular briefings to the CISO and senior leadership on AppSec posture, emerging risks, and investment needs. Partner with Audit, Risk, Legal, and Compliance to demonstrate defensible controls and evidence-based outcomes.
+ **Leadership & Organizational Development:** Lead, mentor, and scale a high-performing team of AppSec engineers, threat modelers, penetration testers, and program leaders. Create career paths, operating rhythms, and a continuous improvement culture; optimize for both risk reduction and developer experience. Manage budget, tooling portfolio, and vendor relationships to achieve outcomes efficiently.
+ **Stakeholder Influence & Change Management:** Drive cross-functional alignment across Engineering, Product, DevOps, Infrastructure, and Architecture. Influence senior technology leaders to adopt secure patterns and to prioritize remediation based on risk. Build strong partnerships with enterprise vulnerability management and incident response teams to ensure seamless security operations integration.

Edward Jones' compensation and benefits package includes medical and prescription drug, dental, vision, voluntary benefits (such as accident, hospital indemnity, and critical illness), short- and long-term disability, basic life, and basic AD&D coverage. Short- and long-term disability, basic life, and basic AD&D coverage are provided at no cost to associates. Edward Jones offers a 401k retirement plan, and tax-advantaged accounts: health savings account, and flexible spending account. Edward Jones observes ten paid holidays and provides 15 days of vacation for new associates beginning on January 1 of each year, as well as sick time, personal days, and a paid day for volunteerism. Associates may be eligible for bonuses and profit sharing. All associates are eligible for the firm's Employee Assistance Program. For more information on the Benefits available to Edward Jones associates, please visit our benefits page (https://secure.edwardjonesbenefits.com/fleet/public/index/f914262d-0362-4682-bd1e-0ccd25f1dfb1).

**Hiring Minimum:** $144000 **Hiring Maximum:** $245100

Qualified applicants with arrest or conviction records will be considered for employment in accordance with the Los Angeles County Fair Chance Ordinance and the California Fair Chance Act. Edward Jones is prohibited from hiring individuals with certain specified criminal history as set forth in Section 3(a)(39) and 15(b)(4) and Rule 17a-3(a)(12) of the Securities and Exchange Act of 1934, and conducts background reviews consistent with FINRA Rule 3110(e). A copy of a notice regarding the provisions of the Los Angeles County Fair Chance Ordinance is available at: dcba.lacounty.gov/wp-content/uploads/2024/08/FCOE-Official-Notice-Eng-Final-8.30.2024.pdf

**Skills/Requirements**

**What Experience You'll Need:**

+ 12+ years in cybersecurity with deep, hands-on application security leadership experience, including program ownership at scale.
+ Proven executive leadership experience (e.g., Director/MD/VP level) leading teams and influencing enterprise outcomes.
+ Demonstrated ability to implement and operationalize: secure SDLC and security controls integrated into CI/CD pipelines; threat modeling at scale (methodology + adoption + outcomes); SBOM/SBOMBs and software supply chain governance; penetration testing programs and remediation lifecycle management.
+ Strong technical depth across modern application architectures (cloud, microservices, containers, APIs, mobile, web).
+ Demonstrable knowledge of AI developer tools and how to use them securely in an enterprise environment.
+ Experience partnering with Risk/Compliance/Audit in regulated environments (financial services preferred).
+ Ability to communicate complex security topics clearly to executives and non-technical stakeholders.

**Preferred Qualifications**

+ Experience with large-scale engineering transformation (DevSecOps, platform engineering, cloud migration).
+ Familiarity with secure software supply chain practices and dependency governance.
+ Recognized security certifications (e.g., CISSP, CISM, CSSLP, OSCP/OSWE, GIAC) are a plus.
+ Experience defining application risk tiering models and security launch criteria.
+ Experience with AI developer tools and technologies and how to use them responsibly and securely.

**Core Competencies**

+ Executive presence and ability to influence at CISO/CTO/CIO levels
+ Strong program management and operational rigor
+ Ability to balance risk reduction with delivery enablement ("security as an accelerator")
+ Talent development and building high-trust, high-performance teams
+ Data-driven decision making and metrics-based storytelling

**Current INTERNAL home-based associates:** While this role is posted as hybrid, **if selected and accepted, you may retain your home-based status**. Edward Jones intends in good faith to continue offering the role as home-based, though future business or regulatory needs may require on-site work.

**Candidates that live within a commutable distance from our Tempe, AZ and St. Louis, MO home office locations are expected to work in the office four days per week effective June 1, 2026. Before June 1, 2026, candidates that live within a commutable distance from our Tempe, AZ and St. Louis, MO home office locations are expected to work in the office three days per week, with preference for Tuesday through Thursday.**

**Awards & Accolades**

At Edward Jones, we are building a place where everyone feels like they belong. We're proud of our associates' contributions to the firm and the recognitions we have received. Check out our U.S. awards and accolades: Insights & Information Blog Postings about Edward Jones (https://careers.edwardjones.com/blog/?_sft_category=awards-accolades). Check out our Canadian awards and accolades: Insights & Information Blog Postings about Edward Jones (https://careers.edwardjones.com/en-CA/blogs/?_sft_category=awards-accolades-en-ca).

**About Us**

Join a financial services firm where your contributions are valued. Edward Jones is a Fortune 500¹ company where people come first. With over 9 million clients and 20,000 financial advisors across the U.S. and Canada, we're proud to be privately-owned, placing the focus on our clients rather than shareholder returns. Behind everything we do is our purpose: We partner for positive impact to improve the lives of our clients and colleagues, and together, better our communities and society. We are an innovative, flexible, and inclusive organization that attracts, develops, and inspires performance excellence and a sense of belonging. People are at the center of our partnership. Edward Jones associates are seen, heard, respected, and supported. This is what we believe makes us the best place to start or build your career. View our Purpose, Inclusion and Citizenship Report (https://careers.edwardjones.com/blog/edward-jones-releases-annual-purpose-inclusion-and-citizenship-report/?codes=DIRECT&utm_source=DIRECT).

¹Fortune 500, published June 2024, data as of December 2023. Compensation provided for using, not obtaining, the rating.

Edward Jones does not discriminate on the basis of race, color, gender, religion, national origin, age, disability, sexual orientation, pregnancy, veteran status, genetic information or any other basis prohibited by applicable law.

#LI-HO