Role Summary/Purpose:Synchrony is seeking an
AVP, Product Security Architect to provide
enterprise-level product security architecture leadership across Synchrony's application and SaaS ecosystem. This role operates at L11 scope-
setting direction, defining standards, and driving adoption at scale-while partnering closely with product and engineering leaders to embed security into product strategy and modern software delivery.
The AVP will lead the definition of an
Application Security Blueprint (reference architectures, approved patterns, and engineering guardrails) and will influence outcomes across multiple portfolios by enabling teams to design and deliver software that is secure-by-design, resilient, and compliant.
Essential Responsibilities:- Set product security architecture direction for assigned portfolios, aligning security architecture decisions with Synchrony technology strategy, risk appetite, and regulatory expectations.
- Own and evolve the Application Security Blueprint: enterprise application security standards, reference architectures, reusable patterns, and guardrails that enable consistent secure engineering across teams.
- Serve as a strategic partner to product and engineering leadership, influencing roadmaps and operating models to ensure security is built-in (not bolted-on) and delivery teams can move quickly with well-defined paved roads.
- Lead architecture governance for product/application security:
- establish review criteria and decision frameworks
- perform design reviews and approve/drive remediation plans
- manage exceptions with documented risk acceptance, compensating controls, and time-bound closure
- Drive threat modeling at scale by defining methodology and minimum expectations, and by facilitating modeling for high-risk initiatives-explicitly documenting trust boundaries, data flows, abuse cases, and security requirements.
- Define and standardize API security architectures (north-south and east-west), including authentication/authorization, token strategy, schema and input validation, anti-automation protections, and rate limiting/throttling patterns.
- Define patterns for service-to-service security controls in distributed systems, including workload identity, authorization, mTLS, secrets handling, and policy enforcement-ensuring controls are practical for engineering adoption.
- Influence and enable secure SDLC and platform controls with engineering enablement in mind (security requirements, pipeline guardrails, dependency/supply-chain controls, secure configuration guidance), partnering with platform teams to operationalize.
- Establish and track measurable outcomes (e.g., blueprint adoption, recurring architecture risks, API posture improvements, exception burn-down, control coverage for critical apps) and provide clear executive-level reporting.
- Act as a coach and multiplier: mentor engineers and architects, elevate secure design skills across teams, and improve security decision-making through clear documentation and reusable assets.
- Perform other duties and/or special projects as assigned.
Qualifications/Requirements:- 7+ years in security architecture/engineering, with deep focus on application/product security in modern software environments.
- Demonstrated ability to operate at an enterprise influence level: setting standards, driving cross-team adoption, and aligning stakeholders with differing priorities.
- Strong hands-on knowledge of application and service security fundamentals: authentication/authorization, session/token security, cryptography concepts, secrets management, secure logging/monitoring design, and secure data handling.
- Proven experience leading threat modeling and producing strong architecture artifacts (DFDs, trust boundaries, security requirements, risk assessments).
- Strong knowledge of API security and common web/service risks (e.g., OWASP Top 10 / API Security Top 10), with the ability to translate risks into enforceable patterns.
- Excellent communication skills-able to present clearly to engineering teams and senior leaders, and to produce high-quality architecture documentation.
- Track record of driving security with product teams: embedding security into product planning, influencing roadmaps, defining "definition of done" security requirements, and improving time-to-market through paved-road patterns.
- Experience securing and integrating SaaS applications, including SSO/federation (SAML/OIDC), tenant and data isolation considerations, audit logging, and shared responsibility alignment.
- Experience implementing service-to-service security patterns at scale (workload identity, mTLS, authorization, policy-as-code concepts).
- Experience operationalizing security standards into engineering consumables (shared libraries, templates, reference implementations, runbooks).
- Familiarity with CI/CD-based security enablement (SAST/DAST/SCA, secrets scanning, gating/exception workflows) and vulnerability management operating models.
- Experience supporting regulated environments and mapping architecture controls to policies/standards.
- Certifications (preferred): CISSP, CCSP, CSSLP (or equivalent).
- Ability and flexibility to travel for business as required
Desired Characteristics:- Threat modeling tooling;
- API gateways/policy enforcement; identity and federation (SSO, SAML, OIDC);
- application security testing (SAST/DAST/SCA/secret scanning);
- CI/CD tooling (e.g., GitHub/Jenkins); vulnerability management platforms; logging/monitoring;
- service mesh/mTLS patterns; secrets management solutions
Grade/Level: 11The salary range for this position is
115,000.00 - 200,000.00 USD Annual and is eligible for an annual bonus based on individual and company performance.
Actual compensation offered within the posted salary range will be based upon work experience, skill level or knowledge.
Salaries are adjusted according to market in CA, NY Metro and Seattle.
Our Way of Working:We're proud to offer you flexibility. At Synchrony, our way of working allows you to have the option to work from home near one of our Hubs or come into one of our offices. You will be required to commute to your nearest Hub (either virtual or physical) for in-person engagement activities such as regular business or team meetings, training and culture events.
*Field Sales and some Commercial team roles may have varied location requirements based upon partner obligations or preferences.
Eligibility Requirements:- You must be 18 years or older
- You must have a high school diploma or equivalent
- You must be willing to take a drug test, submit to a background investigation and submit fingerprints as part of the onboarding process
- You must be able to satisfy the requirements of Section 19 of the Federal Deposit Insurance Act.
- New hires (Level 4-7) must have 9 months of continuous service with the company before they are eligible to post on other roles. Once this new hire time in position requirement is met, the associate will have a minimum 6 months' time in position before they can post for future non-exempt roles. Employees, level 8 or greater, must have at least 18 months' time in position before they can post. All internal employees must consistently meet performance expectations and have approval from your manager to post (or the approval of your manager and HR if you don't meet the time in position or performance expectations).
Job Family Group:Information Technology
