Bilingual Senior Specialist, Security Applications
Job Requisition ID: 12213
Position Status: Permanent Full Time
Position Type: Hybrid
Office Location: Ottawa (ON); Montreal (QC)
Travel Requirement: Limited
Language Designation: Bilingual
Language Skill Levels (Read/Write/Speak): CBC
Security Requirement: Reliability Status
Salary: Our salaries generally range from $104,180.28 to $130,225.36 and are based on qualifications and experience.
About CMHC
The work you do and the work we do together matters. We come to work every day with a common purpose: to contribute to a well-functioning housing system.
At CMHC, we hold ourselves accountable for our results and support our colleagues in their achievements. We thrive on collaboration, connecting across CMHC and involving the right people to get our work done. Our leadership style is guided by trust, where our leaders favour an adaptive approach based on the needs of their teams.
Join us and be part of a team that's committed to making a real difference and be part of something meaningful.
What’s in it for you
We’ve got the purpose, the people and the perks you need for a fulfilling career. Here are the comprehensive and generous benefits you get when you’re a permanent employee:
- Annual paid vacation.
- Annual individual performance incentive.
- Defined benefit pension plan.
- Comprehensive group insurance plan to support your well-being from day one.
- Support towards your personal and professional growth with training, mentorship and more.
- An inclusive workplace culture and environment.
About the role
Join the Technology and Business Transformation team as the Bilingual Senior Specialist, Application Security. You'll be responsible for the enterprise Application Security (AppSec) program, including the definition of mandatory controls, standards, and governance mechanisms that ensure applications and software services are designed, built, tested, and operated in alignment with organizational risk tolerance, security strategy, and regulatory obligations across the full SDLC/SSDLC.
What you’ll do:
- Owns the enterprise Application Security control framework, including policies, standards, and minimum control requirements for application design, development, testing, deployment, and runtime, ensuring alignment with enterprise architecture, cloud security posture, privacy obligations, and regulatory frameworks.
- Defines and governs mandatory SDLC/SSDLC security requirements and assurance activities, including secure design reviews, application security testing (SAST, DAST, SCA, IAST, penetration testing), secure configuration standards, and formal risk acceptance and exception processes with defined compensating controls and lifecycle management.
- Exercises enterprise-level accountability for application security risk posture, including identification, assessment, and communication of risks in business terms; provides authoritative guidance on control selection, vulnerability severity, remediation prioritization, and risk treatment strategies, including acceptance and compensating controls.
- Establishes and enforces security requirements within Agile and DevSecOps delivery models, including security gates and assurance expectations, ensuring consistent and measurable integration of security into software delivery without direct ownership of delivery execution.
- Acts as the senior authority and escalation point for complex vulnerabilities, design-level security risks, and disputed risk or exception decisions, providing binding guidance within delegated authority.
- Owns application security program assurance and performance management, including definition and monitoring of KRIs/KPIs, oversight of assurance quality (internal and third-party), and reporting of risk posture, systemic issues, and trends to senior management and governance bodies.
- Exercises delegated decision-making authority over minimum control requirements, vulnerability severity alignment, and treatment expectations, and recommends risk acceptance or policy exceptions, with escalation of decisions exceeding authority to formal governance bodies.
What you should have:
- An undergraduate degree in Information Technology, Computer Science, Cybersecurity, or a related field, or an equivalent combination of education and progressively responsible experience.
- A minimum of 7 years of progressive experience in application security, including enterprise-level governance and DevSecOps integration.
- Demonstrated expertise in secure coding, application security testing, cloud-native architectures, CI/CD pipelines, and application of recognized frameworks (ISO, NIST, ITSG‑33).
- A proven ability to influence senior stakeholders and translate technical security risks into defensible, risk-based decisions within a complex or regulated environment.
- Strong communication and stakeholder management skills in both official languages (English and French), with proven experience operating in complex, cross-functional environments.
It would be great if you also had:
- Experience working in large‑scale, complex, or regulated environments is an asset.
- Professional certifications (e.g., CISSP, CSSLP, GIAC).
Posting closing date: Note, the competition will remain active until filled.
Our commitment to diversity, equity, and inclusion
We’re committed to employment equity and encourage women, Indigenous Peoples, persons with disabilities, veterans and persons of all races, ethnicities, religions, abilities, sexual orientations, and gender identities and expressions to apply. We also welcome applications from non-Canadians who are eligible to work in Canada.
CMHC is an inclusive workplace where diversity of thought – and of people – is recognized, valued, and considered essential to achieving our mission.
Learn more about our commitment to diversity and inclusion
What happens after you apply
We know that applying for a new job can be both exciting and daunting, and we appreciate your effort. Learn more about our hiring process. If you are selected for an interview or testing, please advise us if you require an accommodation.
If you applied before and were not successful, don’t worry – we're always posting new positions, so don’t hesitate to give it another shot. We’re excited to see what you bring to the table this time around!