Banamex - Head of Security Architecture

**Security Architect — Banamex**

Banamex is transforming—and we’re doing it from the inside out.
We’re rebuilding one of Mexico’s most iconic banks into a **modern, secure, cloud-first financial platform** that moves at fintech speed but with the scale and trust of a national institution.

As our **Security Architect**, you’ll report directly to the **CTO** and become the **architectural backbone** of that transformation. Your mission: design the next-generation security fabric that protects millions of customers while empowering engineers to deliver faster, safer, and smarter.

You won’t be maintaining controls—you’ll be **defining what secure banking looks like for the next decade**. From **Zero Trust architecture and DevSecOps pipelines** to **SPEI/CoDi payments, cloud workloads, and digital identity**, you’ll embed resilience, privacy, and compliance into every product we launch.

This is a role for someone who wants to **build patterns that outlive them**, influence architectural decisions at the highest level, and see their work ripple across the entire Mexican financial ecosystem.
If you want to make impact—not noise—this is where it happens.

**What you’ll own**
- **Target Security Architecture**: Define and evolve reference architectures, control patterns, and guardrails for on-prem, cloud (AWS/Azure/GCP), and hybrid environments.
- **Design Authority**: Lead architecture reviews and formal threat modeling (STRIDE/LINDDUN); document risk-based decisions that stand up to audit.
- **Zero-Trust & Identity**: Drive identity-centric designs (OIDC/OAuth2/SAML, MFA, PAM), workload identity, micro-segmentation, and continuous verification.
- **Data Security**: Standardize encryption at rest/in transit, KMS/HSM usage, tokenization, data classification, DLP, and secrets management.
- **Cloud & Container Security**: Patterns for Kubernetes, serverless, and IaC (Terraform); adopt policy-as-code (OPA/Conftest), image signing, and runtime protections.
- **DevSecOps Enablement**: Embed SAST/DAST/IAST/SCA and IaC scanning into CI/CD; create reusable modules and golden paths developers love.
- **Payments & Channels**: Architect controls for SPEI/CoDi rails, card issuing/acquiring, mobile/web apps, and open banking APIs.
- **Third-Party & SaaS**: Intake standards, vendor architecture reviews, compensating controls, and continuous monitoring.
- **Detection & Response Architecture**: Telemetry standards and use cases for SIEM/SOAR/EDR/NDR aligned to MITRE ATT&CK.
- **Compliance by Design**: Map controls and evidence to CNBV/Bank of Mexico expectations, PCI DSS, ISO 27001, SOX/GLBA equivalents, and FFIEC-aligned practices.
- **Executive Storytelling**: Translate technical risk into business impact for the CTO, Architecture Board, and senior leadership.

**What makes this opportunity special**
- **Direct impact at the top**: Report to the CTO and shape bank-wide technology strategy.
- **National scale**: Your patterns secure mission-critical platforms used across Mexico.
- **Modernization with purpose**: Move fast with strong guardrails—security that accelerates delivery, not slows it.
- **Growth & visibility**: Present to executive forums, mentor engineers, and build the bank’s security pattern library.

**What you’ve done (required)**
- 10+ years in security engineering/architecture; 3+ designing enterprise systems in regulated industries (banking/fintech preferred).
- Owned reference architectures and security patterns across cloud + on-prem.
- Depth in identity (OAuth2/OIDC/SAML), IAM/PAM, Zero Trust, and secrets management.
- Practical cryptography (TLS/mTLS, key mgmt, HSM/KMS), data protection, and classification.
- DevSecOps experience integrating SAST/DAST/SCA, container/K8s security, and IaC scanning into pipelines.
- Designed logging/telemetry for SIEM/SOAR with clear detection use cases.
- Proven track translating regulatory requirements into automated, auditable controls.
- Excellent documentation (C4/sequence diagrams) and executive communication.

**Nice to have**
- Payments (SPEI/CoDi), open banking APIs, card rails, fraud-signal integration.
- Mobile/web AppSec (OWASP ASVS/MASVS) and customer identity (CIAM).
- Mainframe or legacy modernization security patterns.
- Certifications: CISSP, CCSP, ISSAP, CSSLP, OSCP, AWS/Azure Security Specialty (or equivalent experience).**Job Family Group**:
Technology
- **Job Family**:
Digital Software Engineering
- **Time Type**:
Full time
- **Most Relevant Skills**

Please see the requirements listed above.
- **Other Relevant Skills**

For complementary skills, please see above and/or contact the recruiter.-
- View Citi’s _EEO Policy Statement_ and the _Know Your Rights_ poster._