RBC
Staff, GenAI Security Engineer (Global Security)
The complete job description, requirements, and application details are available on the original posting.
About RBC
Royal Bank of Canada (RBC) is the largest bank in Canada by market capitalization and a prominent financial services provider in North America. Established in 1864 as the Merchants Bank of Halifax, it became the Royal Bank of Canada in 1901 and has since expanded through various mergers and acquisitions. RBC operates in 29 countries, with a strong presence in the US, Caribbean, Europe, and Latin America. RBC offers a wide range of financial services, including personal and commercial banking, wealth management, insurance, and corporate and investment banking. The bank is known for its retail banking services, consumer mortgages, and investment services through subsidiaries like RBC Dominion Securities. RBC has a history of innovation: it was the first Canadian bank to engage in radio advertising, and it has sponsored the Olympics since 1947. With a balanced business model, RBC focuses on risk diversification and serves a diverse clientele across its global operations.
Security at RBC
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
- RBC's AppSec philosophy emphasizes safeguarding hybrid-cloud environments and views cybersecurity as more than just an IT concern.
- They aim to support secure agile application development and bring new security tools to developers.
- Their risk philosophy includes rapid risk assessments, third-party assurance, adversary emulation, threat hunting, and threat modeling.
- Stated goals include improving the security and quality of RBC applications and prioritizing and triaging SAST security scan results.
- However, no explicit public verbatim statements were found regarding a "security champions" program, specific SLAs/MTTR for remediation, or exact SAST/SCA/DAST vendor names.
Security Team
- The RBC AppSec team appears to be part of a centralized global security function, with "Global Security Operations" and "Application security and cloud" listed under RBC cybersecurity technology.
- Key public-facing leaders include Milos Stojadinovic, RBC Distinguished Engineer, who "leads a global team of 35 experts", and David Sfiligoi, Director, Application Security.
- As of May 14, 2025, the team size estimate is around 35 experts.
- A LinkedIn search query used was "site:linkedin.com RBC "application security" OR "Application Security"".
- As of November 14, 2025, at least one direct Application Security Consultant job posting was active, with additional related roles found.
- Common skill and tool patterns in job postings include "SAST, SCA and DAST", "triaging findings and refining scanning rules", and "Understanding of CI/CD, DevOps and DevSecOps approaches".
- No public organizational chart or explicit reporting chain (e.g., to CISO) was found.
Key Initiatives
- No public evidence was found for a Security Champions Program.
- RBC practices "shift left" by aiming to "assist in the integration of application security processes and tools into existing enterprise development processes and pipelines" and to "bring new security tools for developers".
- Their vulnerability management process involves intake from SAST, SCA, and DAST testing techniques, with a focus on "support end users of application security testing tools, managing tickets through a ticketing platform" and "prioritizing and triaging SAST Security scan results". However, no public verbatim statements were found regarding remediation SLAs, MTTR, or ticket ownership beyond general ticket management.
- Secure SDLC artifacts are mentioned through required "Exposure to application security best practices such as secure coding, security testing techniques and Secure Software Development Lifecycle".
- Recent initiatives include a job posting for an Application Security Consultant and a newsroom article on advanced threat detection, but no specific AppSec-only program rollouts within the last six months were publicly identified.
- No public detailed process documents on triage SLAs, remediation workflows, or a formal Security Champions program were found.