Engineer -security engineering (Victoria)

British Columbia Investment Management Corporation (BCI) offers an exceptional opportunity to work at a world‑class organization while living in a west coast setting. With $295.0 billion of gross assets under management, as of March 31, 2025, British Columbia Investment Management Corporation (BCI) is the provider of investment management services for British Columbia’s public sector and one of the largest asset managers in Canada. BCI seeks investment opportunities around the world and across a range of asset classes that convert savings into productive capital. Our investment returns play a significant role in helping our institutional clients build a financially secure future for their beneficiaries. BCI’s Cyber Security team is looking for a specialized Application Security Engineer to embed alongside development teams and help secure the software BCI builds, from design through deployment. Based in Vancouver or Victoria, this role sits at the intersection of software engineering and security, requiring deep hands‑on experience with application security practices including AI assisted development. Reporting to the Senior Manager, Cyber Security Product & Innovation, the Security Engineer is responsible for ensuring all software solutions built by BCI conform to best practices for writing secure software. The Security Engineer will be instrumental in developing security requirements and designing and implementing security solutions. The Security Engineer collaborates and communicates with business and technology teams in an Agile hybrid environment and enables the effective and efficient delivery of secure, quality products. Bachelor’s degree in Technology, Engineering, Computer Science, or a related field A minimum of 5 years of experience in progressively senior technical roles with responsibility focused on information security processes, products, and projects Very strong knowledge in engineering secure systems Must have excellent documentation, customer‑service, listening, communication and problem‑solving skills Must be able to implement programs, security technologies and solutions to measure and sustain the security posture of large, complex environments Experience with Agile methods (Scrum) and DevOps practices is an asset Professional certifications such as Global Information Assurance Certification (GIAC), Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Certified Information Security Manager (CISM) or equivalent experience is essential TECHNICAL SKILLS REQUIREMENTS Secure coding practices Windows, UNIX, and Linux operating systems security, virtualization technology security, container security and serverless computing security Data Classification and DLP solutions Phishing and social engineering Development of current and innovative ways to solve existing production security issues as well as evaluate new technologies and processes that enhance security capabilities Develops technical security requirements for new products, tools and services envisioned for implementation at BCI Collaborates and coordinates with application, operations, and product teams to provide guidance on the development of secure product designs that meet security requirements Ability to communicate complex security issues and develop security user stories in language that non‑technical stake holders can understand Ability to respond to information security issues at each stage of a project’s lifecycle Proactively identifies risks and issues and proposes solutions to remove barriers Undertakes special projects or assignments as required Ability to document designs as well as produce technical reports in support of security initiatives Application Security: Consults on designs, implementations, and maintenance of DevSecOps pipelines that integrate security testing (SAST, DAST, SCA) into CI/CD workflows Works with DevSecOps to develop and maintain secure coding standards, guidelines, and training materials for development teams Conducts application security assessments, threat modeling sessions, and architecture reviews for new and existing applications Champions security culture by embedding into Agile development teams as a security subject matter expert Triages and prioritizes application security vulnerabilities, working with development teams on remediation strategies Develops and maintains security testing automation to enable continuous assurance of application security posture Monitors emerging application security threats, vulnerabilities, and attack techniques to proactively address risks Experience with application security testing tools including Static analysis/SAST, Dynamic analysis/DAST, IAST, and Software Composition Analysis (SCA) Knowledge of secure API design, authentication patterns (OAuth 2.0, OpenID Connect), and API gateway security Experience with Infrastructure as Code (IaC) security scanning (Terraform, ARM templates, CloudFormation) Knowledge of AI/ML application security considerations, including prompt injection prevention and model security Professional certifications such as GWAPT, GWEB, CSSLP, CEH, OSWE, or equivalent experience is an asset Leads and completes security risk reviews on software, SaaS, third party and written code Monitors emerging AI and ML security threats, vulnerabilities and attack techniques and proposes new solutions to emergent risks in these areas for the right candidate, with the expectation of occasional travel to Victoria. We are an in‑person collaborative organization with the flexibility to work remotely one day a week. The annualized base salary range for this Victoria or Vancouver based role is CAD $125,000 to $150,000. # Apply on Kit Job: kitjob.ca/job/2prqwa