Oracle Fusion Security and Controls Lead
Sherwin-Williams
The Lead Product Application Security Engineer is responsible for leading the design, development, and integration of an end-to-end security framework for the company's applications, systems, and products. This role involves anticipating and reconciling complex security challenges that arise from technological advancements, business requirements, and regulatory compliance. The incumbent will provide security recommendations based on experience, knowledge, and industry best practices, enhance existing security features, drive secure coding practices, and help to create systems that are secure by design.
This position is not hybrid/remote and will be located at our Cleveland Headquarters office.
At Sherwin-Williams, our purpose is to inspire and improve the world by coloring and protecting what matters. Our paints, coatings and innovative solutions make the places and spaces in our world brighter and stronger. Your skills, talent and passion make it possible to live this purpose, and for customers and our business to achieve great results. Sherwin-Williams is a place that takes its stability, growth and momentum and translates it to possibility for our people. Our people are behind the strength of our success, and we invest and support you in:
Life … with rewards, benefits and the flexibility to enhance your health and well-being
Career … with opportunities to learn, develop new skills and grow your contribution
Connection … with an inclusive team and commitment to our own and broader communities
It's all here for you... let's Create Your Possible
At Sherwin-Williams, part of our mission is to help our employees and their families live healthier, save smarter and feel better. This starts with a wide range of world-class benefits designed for you. From retirement to health care, from total well-being to your daily commute—it matters to us. A general description of benefits offered can be found at http://www.myswbenefits.com/. Click on “Candidates” to view benefit offerings that you may be eligible for if you are hired as a Sherwin-Williams employee.
Compensation decisions are dependent on the facts and circumstances of each case and will impact where actual compensation may fall within the stated wage range. The wage range listed for this role takes into account the wide range of factors considered in making compensation decisions including skill sets; experience and training; licensure and certifications; and other business and organizational needs. The disclosed range estimate has not been adjusted for the applicable geographic differential associated with the location at which the position may be filled. The wage range, other compensation, and benefits information listed is accurate as of the date of this posting. The Company reserves the right to modify this information at any time, with or without notice, subject to applicable law.
Qualified applicants with arrest or conviction records will be considered for employment in accordance with applicable federal, state, and local laws including with the Los Angeles County Fair Chance Ordinance for Employers and the California Fair Chance Act where applicable.
Sherwin-Williams is proud to be an Equal Employment Opportunity employer. All qualified candidates will receive consideration for employment and will not be discriminated against based on race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, disability, age, pregnancy, genetic information, creed, marital status or any other consideration prohibited by law or by contract.
As a VEVRAA Federal Contractor, Sherwin-Williams requests state and local employment services delivery systems to provide priority referral of Protected Veterans.
Please be aware, Sherwin-Williams recruiting team members will never request a candidate to provide a payment, ask for financial information, or sensitive personal information like national identification numbers, date of birth, or bank account numbers during the application process.
Minimum Requirements
- Must be at least 18 years of age
- Must be legally authorized to work in the country of employment without needing sponsorship for employment work visa status now or in the future
Education
Required
- Bachelor's degree or higher in Information Technology (e.g. Computer Science, Technology Management, Software Engineering, Application Development, Web Development and Design, etc.), or in lieu of a degree, at least 9 years of experience in application security, information security, software development (Minimum Requirement)
Preferred
- CISSP, CSSLP or other relevant security certification preferred
Knowledge & Experience
Required
- 6-8 years of experience in security engineering, or application security
- Excellent with security technologies and standards including OWASP, SANS, and NIST
- Extensive knowledge of secure coding practices in various languages and environments (i.e., Java, .NET)
- Proven track record with security testing tools such as Fortify, IBM AppScan, or HP WebInspect and techniques such as SAST, DAST, and Penetration Testing
- Expertise in security architecture and design principles
- Excellent analytical, problem-solving and communication skills
- Proven experience with leading a collaborative team
Preferred
- Coordinates and compiles the list of Oracle Fusion Cloud Roles, Data Access Sets and Assignments by working closely with the Oracle Cloud IT Functional team.
- Coordinates with GPC team to facilitate SOD (segregation of duties) (SOX compliance) review for Oracle Cloud Roles assignment for both Business and IT teams.
- Coordinates with GPC/Security team to identify SOX compliance requirements for any other boundary applications in BIOS scope.
- Coordinates with Identity and Access Management team to integrate IDN with Oracle Cloud and any other needed boundary applications.
- Coordinates with Internal Audit team and BIOS Testing Lead to ensure that all identified controls are mapped to Test Scenarios for SIT/UAT. Also ensures that appropriate evidence is captured during testing to satisfy Audit control requirements.
- Act as a primary contact point from BIOS team for Cyber Security, Identity & Access Management, GPC (Global Privacy) and Internal Audit Teams to clarify any project/initiative related questions and also to help with Jira/Zephyr Scale training or assistance.
- Oversee comprehensive security assessments for company products, including vulnerability and risk assessments, penetration testing, threat analysis, and secure code reviews to address potential design and implementation vulnerabilities
- Drive the development of innovative security features for products, including systems, applications, and/or solutions, ensuring alignment with industry best practices and organizational goals
- Manage the integration of new security features and updates into existing products, ensuring seamless integration
- Lead efforts to ensure the security of all products is maintained throughout the product lifecycle and mentor junior team members to drive excellence in security maintenance
- Ensure code security and standards are consistently enforced and in accordance with organizational policies, and monitor how quickly deviations are resolved
- Set a high standard for the team’s recommendations to ensure that integration and testing issues are resolved completely and accurately
- Supervise the development of a standardized set of security product requirements, and oversee the production of metrics to report performance against those requirements, providing strategic guidance to deliver best results
- Guide the entire process of reviewing and defining security diagnostics and tools, providing strategic direction and ensuring proper implementation across teams
- Manage and guide the team as they detect and mitigate security risks, and share expertise with the team to enhance overall response capabilities
- Serve as the senior contact for customers regarding product security-related issues, applying expert communication skills and security knowledge to address complex concerns
- Lead the development and maintenance of a comprehensive application risk register, applying extensive experience in risk management and documentation
- Contribute to the development and maintenance of a disaster recovery plan, driving business continuity efforts in the product security field and ensuring organizational readiness
- Facilitate security architecture and design review meetings, sharing expertise and driving the decision-making processes
This position is not eligible for sponsorship for work authorization now or in the future, including conversion to H1-B visa.
Job duties include contact with other employees and access to confidential and proprietary information and/or other items of value, and such access may be supervised or unsupervised. The Company therefore has determined that a review of criminal history is necessary to protect the business and its operations and reputation and is necessary to protect the safety of the Company’s staff, employees, and business relationships.