
Web Application Protection Manager
Intact
full-time
Location Type: Hybrid
Location: Toronto • Canada
Salary
💰 CA$128,300 - CA$156,800 per year
About the role
- Lead and develop a high-performing team responsible for WAF operations and API security.
- Define the roadmap for web and API security and control enhancements.
- Act as a trusted advisor on secure web and API design patterns and governance; provide reusable standards and templates.
- Own the operational effectiveness of WAF and API Security Tools; manage vendor relationships and integrations.
- Partner with Network Security to strengthen the security of external connections from a web application security perspective, ensuring appropriate edge controls, policies, and monitoring are defined, implemented, and continuously improved.
- Implement and operate API security monitoring for external and internal services (discovery, posture assessment, anomaly detection).
- Partner with API platform owners to define guardrails (authentication/authorization, token lifecycles, rate limits, schema validation, gateway policies).
- Build threat intelligence feedback loops: map observed attack patterns, drive root cause analysis for recurring issues, and propose updates to detection and prevention logic.
- Work with Risk/Compliance to meet financial services regulatory expectations and audit requirements.
- Develop standards and playbooks for WAF and API policies, exception handling, and change control.
- Participate in incident response for application-layer events, supporting detection, containment, and post-incident improvements.
- Evaluate new capabilities; lead POCs and onboarding to close coverage gaps and improve security signal fidelity.
- Define and track KPIs (e.g., false positive reduction, protected endpoint coverage, API inventory accuracy, time-to-tune, time-to-mitigate) and KRIs to demonstrate control effectiveness and trends to leadership.
Requirements
- Bachelor’s degree in computer science or equivalent education and experience
- Minimum of ten (10) years in information technology, including at least three (3) years managing technical teams in Security
- Minimum of three (3) years of hands-on experience with WAF and API security in large enterprise environments
- Strong understanding of:
  - Web security controls: authentication/authorization, session management, input validation, bot management, DDoS mitigation, CDN/edge policies
  - API security principles: OAuth2/OIDC, JWT, mTLS, rate limiting, schema validation, threat detection, inventory/discovery
  - Threat modeling for web/API threats and common attack vectors (OWASP Top 10, API Top 10)
  - WAF and API platforms/tools such as Akamai, Cloudflare, F5, cloud-native WAF, Apigee
- Initiative, creativity, and autonomy: you proactively seek resources and information to make informed decisions, manage expectations, and articulate problems while looking for continuous improvement
- Excellent communication skills with the ability to influence senior stakeholders and guide engineering teams
- Strong ethical principles and understanding of business and information security ethics
- One of these certifications would be a considerable asset: CISSP, CISA, CISM, CGEIT, CRISC, GSEC, GISP
- French is an asset - For candidates located in Quebec, bilingualism is required considering the necessity to interact on a regular basis with English speaking colleagues across the country.
Benefits
- Flexible work arrangements and a hybrid work model
- Possibility to purchase up to 5 extra days off per year
- Multiple benefits offered to support physical and mental wellbeing, including telemedicine, Wellness account and much more
- Share plan & other savings: up to 12% of salary or even more (ask how you could earn guaranteed income for life)
Applicant Tracking System Keywords
Hard Skills & Tools
WAF security, API security, web security controls, authentication, authorization, threat modeling, DDoS mitigation, rate limiting, schema validation, threat detection
Soft Skills
initiative, creativity, autonomy, communication, influence, problem-solving, continuous improvement, leadership, collaboration, stakeholder management
Certifications
CISSP, CISA, CISM, CGEIT, CRISC, GSEC, GISP