AppSec Jobs

Bayer

Senior Cyber Security Engineer

Bengaluru, Karnataka, India

Full details on LinkedIn

The complete job description, requirements, and application details are available on the original posting.


About Bayer

Bayer AG is a German multinational company that operates in the chemical, pharmaceutical, and life sciences sectors. Founded in 1863, Bayer has its headquarters in Leverkusen and has a rich history that includes the invention of aspirin and significant contributions to pharmaceuticals and agricultural chemicals. The company initially started as a dyestuffs producer and has since expanded its portfolio to include a wide range of products. Bayer's offerings encompass pharmaceuticals, consumer health products, crop science, and chemicals. Notable pharmaceutical products include aspirin and sulfa drugs, while its consumer health division features over-the-counter medications. In agriculture, Bayer is recognized for its herbicides and insecticides, including those developed through its acquisition of Monsanto. The company emphasizes innovation across its various sectors, contributing to advancements in healthcare and agriculture.

Industry

chemicals

Employees

97,000

3641 engineers

Revenue

$49B

Security at Bayer

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

Information is a key factor in Bayer's success. Bayer partners with development teams to proactively evangelize and communicate product security requirements, having rolled out a platform-based model across their IT estate. Their assurance and advancement platform focuses on risk and compliance, delivering cybersecurity, digital products, and services in an agile way to allow the business to work at speed. Stated pain points include 'the pace of change' and goals to 'find efficiency in how we deliver that compliance' and 'automate workflows to efficiently track and manage the growing volume of software vulnerabilities.' No public, verbatim statement was located that explicitly labels Bayer's AppSec approach as 'developer-first' or 'security sign-off.' Information not publicly available.

Security Team

Bayer has 'rolled out a platform-based model across all our IT estate.' However, no public, verbatim evidence details the AppSec team's exact reporting chain or whether AppSec is centralized vs. embedded. Key public-facing leaders include Kevin Jones, Group CISO, who states 'cybersecurity is a collective responsibility,' and Bill Horn, Principal Product Security Architect, described as an IT professional with 'over 20 years of experience driving DevOps, secure SDLC, cloud security, and security architecture initiatives.' Team size estimate is not publicly available. As of, at least two active AppSec job postings were found: 'Product Security Architect' and 'Senior Product Security Engineer -- Remote-Eligible.' Common skill patterns from job postings include liaising with tooling teams for 'appropriate lifecycle security' in development environments and deployment pipelines, and 'Experience with Agile, Scrum, Kanban or similar software development practices.' Specific tool names (SAST/SCA/DAST, secrets detection) are not listed in public job descriptions or corporate pages.

Key Initiatives

No public evidence was found for a Security Champions Program. For 'Shift Left' in practice, Bayer is 'integrating DevSecOps as the security part throughout the lifecycle' and 'Partners with development teams to proactively evangelize and communicate product security requirements.' The Vulnerability Management Process includes intake from 'vulnerability management, threat intelligence and hunting' and leveraging 'information about software flaws reported by security researchers.' No public, verbatim evidence describes triage SLAs, MTTR targets, or ticketing ownership. Secure SDLC Artifacts focus on 'ensuring appropriate lifecycle security of the SDLC and SSDLC,' but references to 'annual penetration testing' or 'threat modeling' specific to AppSec were not found. No public evidence of new AppSec-specific programs, tool rollouts, or policy changes was found for recent initiatives (last 6 months). Public materials emphasize the platform model, DevSecOps integration, and supply-chain/SBOM work, but do not provide granular AppSec workflow artifacts.
