AppSec Jobs

Mass General Brigham

Information Security Engineer III, Application and Cloud Security Lead

Somerville, MA

Full details on LinkedIn

The complete job description, requirements, and application details are available on the original posting.


About Mass General Brigham

Mass General Brigham (MGB) is a not-for-profit, integrated health system based in Greater Boston, founded in 1994 by Massachusetts General Hospital and Brigham and Women's Hospital. With approximately $20.6 billion in operating revenue and around 82,000 employees, it is the largest private employer in Massachusetts. MGB serves as a teaching affiliate of Harvard Medical School and operates 16 member institutions, including community and specialty hospitals, health centers, and a physician network. The system is recognized for providing comprehensive healthcare services across various specialties, including cancer, neurology, cardiology, and pediatrics. Its five Harvard-affiliated hospitals are consistently ranked among the best in the U.S. and globally. MGB also has a strong research focus, contributing to significant medical advancements and operating Mass General Brigham Ventures, which supports new life science technologies. The organization serves a diverse patient base, welcoming individuals from over 120 countries and collaborating with international partners to improve healthcare standards worldwide.

Industry

hospital & health care

Employees

308 engineers

Security at Mass General Brigham

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.


Security Philosophy

  • Mass General Brigham's AppSec philosophy centers on collaboratively designing programs to meet organizational needs while maintaining a secure software development lifecycle (SSDLC).
  • The team emphasizes developer enablement by collaborating closely with development, operations, and DevOps teams rather than acting as a strict gatekeeper.
  • Their risk philosophy is rooted in an Enterprise Information Security Program (EISP) aligned with ISO/IEC 27001 and NIST SP 800-53.
  • Key goals include the implementation and maintenance of a comprehensive suite of code analysis tools including SAST, DAST, IAST, and SCA.

Security Team

The AppSec team operates under an Enterprise Information Security Program (EISP) whose status is reported annually to the Chief Information Security and Privacy Officer (CISPO). A key public-facing leader is Bonnie Michelman, Vice President and Chief Security Officer. As of February 2026, there is at least one active lead-level job posting for Application and Cloud Security. The posting asks for skills in DevSecOps, secure code development, CI/CD pipeline hardening, and CSPM. Team size and internal org charts are not publicly available.

Key Initiatives

Active initiatives include the establishment and maintenance of a Secure SDLC (SSDLC) that incorporates security checkpoints, threat modeling, and secure coding standards. The team is also focused on 'Shift Left' practices through close collaboration with DevOps teams to harden CI/CD pipelines. There is no public evidence of a formal Security Champions program, bug bounty program, or specific remediation SLAs. No new major initiatives have been publicly announced in the last six months.
