BANAMEX - Head of Security Architecture

Security Architect — Banamex

Banamex is transforming—and we're doing it from the inside out.

We're rebuilding one of Mexico's most iconic banks into a modern, secure, cloud-first financial platform that moves at fintech speed but with the scale and trust of a national institution.

As our Security Architect, you'll report directly to the CTO and become the architectural backbone of that transformation. Your mission: design the next-generation security fabric that protects millions of customers while empowering engineers to deliver faster, safer, and smarter.

You won't be maintaining controls—you'll be defining what secure banking looks like for the next decade. From Zero Trust architecture and DevSecOps pipelines to SPEI/CoDi payments, cloud workloads, and digital identity, you'll embed resilience, privacy, and compliance into every product we launch.

This is a role for someone who wants to build patterns that outlive them, influence architectural decisions at the highest level, and see their work ripple across the entire Mexican financial ecosystem.

If you want to make impact—not noise—this is where it happens.

What you'll own

• Target Security Architecture: Define and evolve reference architectures, control patterns, and guardrails for on-prem, cloud (AWS/Azure/GCP), and hybrid environments.
• Design Authority: Lead architecture reviews and formal threat modeling (STRIDE/LINDDUN); document risk-based decisions that stand up to audit.
• Zero-Trust & Identity: Drive identity-centric designs (OIDC/OAuth2/SAML, MFA, PAM), workload identity, micro-segmentation, and continuous verification.
• Data Security: Standardize encryption at rest/in transit, KMS/HSM usage, tokenization, data classification, DLP, and secrets management.
• Cloud & Container Security: Patterns for Kubernetes, serverless, and IaC (Terraform); adopt policy-as-code (OPA/Conftest), image signing, and runtime protections.
• DevSecOps Enablement: Embed SAST/DAST/IAST/SCA and IaC scanning into CI/CD; create reusable modules and golden paths developers love.
• Payments & Channels: Architect controls for SPEI/CoDi rails, card issuing/acquiring, mobile/web apps, and open banking APIs.
• Third-Party & SaaS: Intake standards, vendor architecture reviews, compensating controls, and continuous monitoring.
• Detection & Response Architecture: Telemetry standards and use cases for SIEM/SOAR/EDR/NDR aligned to MITRE ATT&CK.
• Compliance by Design: Map controls and evidence to CNBV/Bank of Mexico expectations, PCI DSS, ISO 27001, SOX/GLBA equivalents, and FFIEC-aligned practices.
• Executive Storytelling: Translate technical risk into business impact for the CTO, Architecture Board, and senior leadership.

What makes this opportunity special

• Direct impact at the top: Report to the CTO and shape bank-wide technology strategy.
• National scale: Your patterns secure mission-critical platforms used across Mexico.
• Modernization with purpose: Move fast with strong guardrails—security that accelerates delivery, not slows it.
• Growth & visibility: Present to executive forums, mentor engineers, and build the bank's security pattern library.

What you've done (Required)

• 10+ years in security engineering/architecture; 3+ designing enterprise systems in regulated industries (banking/fintech preferred).
• Owned reference architectures and security patterns across cloud + on-prem.
• Depth in identity (OAuth2/OIDC/SAML), IAM/PAM, Zero Trust, and secrets management.
• Practical cryptography (TLS/mTLS, key mgmt, HSM/KMS), data protection, and classification.
• DevSecOps experience integrating SAST/DAST/SCA, container/K8s security, and IaC scanning into pipelines.
• Designed logging/telemetry for SIEM/SOAR with clear detection use cases.
• Proven track translating regulatory requirements into automated, auditable controls.
• Excellent documentation (C4/sequence diagrams) and executive communication.

Nice to have

• Payments (SPEI/CoDi), open banking APIs, card rails, fraud-signal integration.
• Mobile/web AppSec (OWASP ASVS/MASVS) and customer identity (CIAM).
• Mainframe or legacy modernization security patterns.
• Certifications: CISSP, CCSP, ISSAP, CSSLP, OSCP, AWS/Azure Security Specialty (or equivalent experience).

-

Job Family Group:

Technology

-

Job Family:

Digital Software Engineering

-

Time Type:

Full time

-

Most Relevant Skills

Please see the requirements listed above.

-

Other Relevant Skills

For complementary skills, please see above and/or contact the recruiter.

-

Citi is an equal opportunity employer, and qualified candidates will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other characteristic protected by law.

If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi.

View Citi's EEO Policy Statement and the Know Your Rights poster.