Role summary
Own security architecture and implementation for Citi’s AI-led banker workstation across mobile (hybrid/WebView + native modules) and desktop, with emphasis on offline authentication/MFA, encrypted offline data, headless CRM integrations, and LLM/agentic workflows in a highly regulated IB environment.
- Offline Auth/MFA Architecture: Design and implement secure offline authentication and authorization aligned to Citi IAM (EPF/SSO/AD + MFA/BIND ID), including token lifecycle, biometric unlock patterns, recovery flows, and policy compliance.
- Mobile Security Engineering: Secure the hybrid shell + WebView model, define secure bridging patterns for native modules, harden the in-house wrapper, and ensure safe storage and key management on device.
- Offline Data Protection: Define and enforce encryption and data handling for offline use (IndexedDB + BlackBerry UEM constraints), including data minimization, retention, wipe policies, and secure sync patterns.
- API & Integration Security: Establish secure patterns for headless CRM read/write, service-to-service auth, least-privilege access, and secure data contracts for clients/deals/coverage/calls/notes.
- AI/LLM Security & Governance: Implement guardrails for agentic workflows—PII handling, redaction, prompt/data injection defenses, auditability, output controls, and secure logging/monitoring.
- Threat Modeling & Reviews: Lead threat modeling for mobile/offline/AI workflows, conduct security design reviews, and drive remediation across engineering teams.
- Security Testing & Compliance Readiness: Define security test strategy (SAST/DAST, mobile app pentest readiness, dependency/secret scanning), and support InfoSec review cycles and regulatory expectations.
- Incident Response & Observability: Establish security telemetry, anomaly detection, and incident response playbooks for mobile apps, backend services, and AI endpoints.
Qualifications
- 8+ years in application security / platform security, with deep experience in mobile security (iOS/Android, WebView/hybrid apps).
- Strong knowledge of enterprise IAM patterns (SSO, OIDC/SAML concepts, MFA integration, token/session management) and secure auth flows.
- Hands-on expertise with device security: secure enclave/keystore/keychain, biometric gating patterns, cryptographic key management, certificate pinning, secure storage.
- Experience securing offline-first apps: encrypted local data stores, sync strategies, conflict handling, secure caching, remote wipe, and data minimization.
- Strong understanding of API security: OAuth2/JWT, mTLS, zero trust patterns, secrets management, least privilege, rate limiting, and secure logging.
- Practical experience securing LLM/AI systems: data governance, PII controls, prompt injection defenses, evaluation/monitoring, and audit requirements.
- Ability to lead threat modeling and security reviews and to influence architecture decisions across teams.
- Experience in financial services / investment banking environments (conflict management, audit trails, restricted data controls).
- Familiarity with UEM controls (e.g., BlackBerry UEM) and enterprise mobile governance.
- Experience with Glassbox or comparable analytics tooling from a privacy/security perspective.
Compensation, Benefits and Duration
Minimum Compensation: USD 41,000
Maximum Compensation: USD 145,000
Compensation is based on the actual experience and qualifications of the candidate. The above is a reasonable, good faith estimate for the role.
Medical, vision, and dental benefits, 401k retirement plan, variable pay/incentives, paid time off, and paid holidays are available for full time employees.
This position is not available to independent contractors.
No applications will be considered if received more than 120 days after the date of this post.