Platform Security Manager
Oakland, CA, US, 94612
Requisition ID # 168034
Job Category: Information Technology
Job Level: Manager/Principal
Business Unit: Information Technology
Work Type: Hybrid
Job Location: Oakland
Department Overview
The Cybersecurity organization works to protect our critical assets and address our highest risks, adapting and growing to meet the challenges posed by ever-evolving adversaries. The Security Engineers work closely with Project Managers, Risk Management and the Cybersecurity Operations team to provide architecture design and implementation services. They intake functional and non-functional requirements; evaluate solution and design options; and document the solution blueprint and implementation steps. They ensure that the implemented solution meets our security standards and regulatory requirements.
The Cybersecurity team consists of security professionals in their chosen disciplines, including:
- Cybersecurity Services
- Risk Management
- Security Intelligence & Operations
Working together, we review the current cyber threat landscape and lend our expertise to help the company understand its security posture and act on the highest priority risks. The Cybersecurity team takes a proactive approach to security by focusing on the cyber risks PG&E faces. Our methodology and framework synthesize current legal, regulatory, and operating mandates with PG&E’s business goals and operations.
Position Summary
We are seeking an experienced Application Platform Security Manager to lead and oversee the DevSecOps Program (SHIELD), which is focused on securing large-scale strategic business platforms. This role will be pivotal in owning, implementing, and measuring the DevSecOps program and governance framework, ensuring security is seamlessly integrated into our key initiatives, including Propel, Elevate, and the Customer Portfolio Application Platforms.
The ideal candidate is a hands-on leader with deep expertise in cloud security, a passion for mentoring teams, and a proven track record of collaborating with cross-functional stakeholders to deliver secure, compliant, and innovative solutions.
PG&E is providing the salary range that the company in good faith believes it might pay for this position at the time of the job posting. This compensation range is specific to the locality of the job. The actual salary paid to an individual will be based on multiple factors, including, but not limited to, specific skills, education, licenses or certifications, experience, market value, geographic location, and internal equity. Although we estimate the successful candidate hired into this role will be placed between the entry point and the middle of the range, the decision will be made on a case-by-case basis related to these factors. This job is also eligible to participate in PG&E’s discretionary incentive compensation programs.
Pay range: $151,000 - $224,400
This position is hybrid, working from your remote office and the Oakland General Office (OGO) based on business needs.
Job Responsibilities
DevSecOps Leadership:
- Implement the DevSecOps strategy: establish security policies, standards, and processes that align with business goals, cybersecurity goals and industry best practices
- Design, implement, measure and report on the DevSecOps program (SHIELD) and governance framework; drive measurable security outcomes across strategic platforms (Propel, Elevate, and customer portfolio platforms such as pge.com)
- Ensure security measures are in place throughout the entire application lifecycle (secure by design, secure by default), including secure coding practices, regular assessments, and incident response planning
- Collaborate with key stakeholders across cybersecurity and IT including but not limited to Cloud CoE, Cloud Security CoE, Salesforce CoE and other stakeholders to embed security into large-scale initiatives such as Propel, Elevate, and Customer Portfolio Application Platforms.
- Foster a security-first mindset across strategic application platform owners, promoting shared responsibility for cybersecurity (lead by cyber, owned by all)
- Incorporate early threat modeling and shift-left security practices to identify and mitigate risks proactively
- Apply protective and detective security controls based on risk posture, organizational security policies, and regulatory compliance requirements.
- Ensure that approved patterns and practices are documented across Propel, Elevate and the customer portfolios
- Drive continuous improvement in DevSecOps processes, including change management, service request handling, and waste elimination following a Lean methodology
- Incorporate security metrics, KPIs and KRIs to track progress and demonstrate the value of security investments, aligned with IT and Cyber L1 and L2 objectives
Strategic & Team Leadership:
- Achieve results by setting and communicating goals and metrics, monitoring progress, providing ongoing coaching and feedback, and reinforcing high-performance behaviors
- Work with the critical platform owners of Propel, Elevate and the customer portfolios to periodically review the security landscape and posture under the shared responsibility model
- Lead and manage a team of DevSecOps engineers, fostering a culture of security excellence, collaboration, and continuous improvement.
- Coach and mentor DevSecOps engineers, while establishing security education programs to keep teams updated on the latest trends and threats.
- Establish individual and team objectives aligned with cybersecurity team’s organizational goals.
- Implement PG&E practices for staffing, EEO, diversity, performance management, development, reward and recognition, and retention
Technical Skills & Competencies:
- Hands-on expertise in securing cloud platforms including AWS, Azure, Salesforce, MuleSoft, and SAP
- In-depth knowledge of implementing policy-as-code (PaC) and compliance-as-code (CaC), threat modeling, SCA, SAST, DAST and other key capabilities to secure CI/CD pipelines for key strategic platforms
- Work with all internal stakeholders on CI/CD pipeline health, tool rationalization, tool oversight and responsible FinOps
- Good understanding of application and web security, with the ability to clearly understand, articulate and implement OWASP Top 10 controls for applications, APIs and other target systems
- In-depth knowledge of security capabilities to protect data, applications, APIs and infrastructure within cloud and hybrid cloud environments, including but not limited to firewalls, endpoint protection tools, configuration management tools, CASB, CSPM, CWPP, CIEM, SIEM, SOAR and MFA, ensuring confidentiality, integrity, and availability
- Strong understanding of security frameworks and regulations (e.g., NIST Cybersecurity Framework, SOX, CCPA, CPRA)
- Exceptional problem-solving abilities with a focus on operational excellence.
Qualifications
Minimum:
- Bachelor's degree in Computer Science or a job-related discipline, or equivalent experience
- 6 years of combined IT, critical infrastructure, intelligence, and/or cyber/information security work experience
- 3 years leadership experience
- CISSP (Certified Information Systems Security Professional) certification, another security certification, or equivalent
Desired:
- 5 years' experience focused on cybersecurity, including experience leading or managing a team
- Strong expertise in Application security, SDLC, DevSecOps, cloud security, network security, endpoint protection, and operational security services
- Cloud security certifications (e.g., AWS Certified Security – Specialty, Salesforce Certified Technical Architect) are highly desired
- CISSP certification preferred; candidates without CISSP must commit to obtaining it within two years
Nearest Major Market: San Francisco
Nearest Secondary Market: Oakland