Truist
Cybersecurity Principal Engineer - Cloud Security
About Truist
BB&T Corporation, originally known as Branch Banking and Trust Company, was a prominent American banking and financial services firm founded in 1872 in Wilson, North Carolina. The company evolved from a local merchant bank into a large regional bank, expanding its operations across multiple states. Over the years, BB&T grew through strategic mergers and acquisitions, notably merging with Southern National Corporation in 1995, which significantly increased its branch network. BB&T offered a wide range of financial services, including retail and commercial banking, mortgage lending, insurance services, investment and wealth management, and trust and asset management. The bank catered to a diverse customer base, serving individual consumers, small and medium-sized businesses, and large corporations. In 2019, BB&T merged with SunTrust Banks to form Truist Financial Corporation, continuing its legacy under the Truist name.
Security at Truist
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
Truist's stated AppSec mission involves "Operational management and strategic maturity of Dynamic Application Security Testing (DAST)". The company's risk philosophy focuses on "risk identification, awareness, and remediation". A stated pain point or goal is that the company "values training, which is understated and underappreciated". Information regarding developer enablement versus gatekeeping is not publicly available. Gaps include no public verbatim statements explicitly positioning AppSec as "developer-first" or "gatekeeping", and no public, recent statements describing measurable AppSec KPIs (e.g., MTTR SLAs).
Security Team
Regarding the organizational structure, Christy Kushner "joined the CTOC on the ground floor". The reporting chain for AppSec and whether it reports to CISO/CTO is not publicly stated. Key public-facing leaders include Patrick Guin, Senior Application Security Manager, and Christy Kushner, Senior Cybersecurity Manager, who is "leading the Dynamic Application Security Testing (DAST) Team". The team size estimate is not publicly available. As of, there are 4 active AppSec job postings, including roles like Cybersecurity Engineer - Automation and Cybersecurity Manager (ServiceNow Enablement / Adoption). Common skill/tool patterns mentioned are "Dynamic Application Security Testing (DAST)", "Static Code Analysis (SAST)", "Software Composition Analysis (SCA)", "penetration testing", and "Vulnerability Response (VR)". Gaps include no public, centralized org chart or reporting-line document for AppSec, and no authoritative public headcount.
Key Initiatives
The status of a Security Champions Program is "No Evidence Found. Information not publicly available." For "Shift Left" in practice, activities are described as being "for all phases of the SDLC lifecycle". The Vulnerability Management Process includes intake from "application security testing (DAST)" and "penetration testing". Evidence describing SLAs, MTTR, or ticket ownership for triage/remediation is not publicly available, though "Vulnerability Response (VR)" tooling/process is mentioned. Secure SDLC Artifacts also cover "for all phases of the SDLC lifecycle", but specific artifacts (e.g., mandatory threat modeling, security sign-offs) are not publicly described. Information on recent initiatives (last 6 months) is not publicly available. Gaps include no public artifacts describing formal Security Champions, security gating, or measured remediation SLAs.