Scotiabank
Director, Security Solutions and Engineering
About Scotiabank
Scotiabank, officially known as The Bank of Nova Scotia, is a prominent global financial services provider founded in 1832 in Halifax, Nova Scotia, Canada. The bank operates in personal, commercial, corporate, and investment banking, offering a wide range of financial products and services, including financial advice, banking solutions, lending, deposit accounts, cash management, trade finance, and wealth management. With a rich history of expansion, Scotiabank has grown to become one of Canada's largest banks, with a significant international presence. It serves a diverse customer base, including retail clients, small businesses, and large corporations, through an extensive network of branches, ATMs, and digital platforms. The bank has a strong presence in North America, the Caribbean, Central and South America, and operations in Europe, Asia, and Australia, with key markets in Mexico, Peru, Chile, Colombia, and Uruguay. Headquartered in Toronto, Scotiabank is recognized for its commitment to innovation and customer service excellence.
Security at Scotiabank
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
- Scotiabank's AppSec mission states that its Application Security Operation team has global accountability and is expanding its scope to cover Cloud Native Application Protection Platforms. Their approach to developer enablement involves working closely with application development groups to integrate AppSec and CNAPP processes, utilizing Agile, DevSecOps, and other secure SDLC methodologies, and championing shift-left testing, CI/CD integration, and test-driven development practices.
- The risk philosophy includes leading the operational team responsible for integrating both application and cloud-native security practices.
- Stated goals include managing the triage of findings, streamlining reporting and metrics, and providing a way for the security research community to contact them through a responsible disclosure program.
- Gaps in publicly available information include explicit statements about "security as an enabler" versus "security sign-off" as a formal philosophy distinction, and public, bank-issued statements quantifying scanner noise reduction, automation of remediation, or developer training metrics.
Security Team
Scotiabank's Application Security Operation team has global accountability, with an operational team responsible for integrating both application and cloud-native security practices. Key public-facing leaders include Jeff Ponte, Senior Manager Application Security and CNAPP Operations, who leads the operational team, and Neha Mudalgikar, Managing Director, Cyber & IT Risk, who leads global technology engagements requiring formulation of InfoSec strategies. A team size estimate is not publicly available. As of, one AppSec-specific job posting was found (AppSec and CNAPP Operation Analyst), with related security/cloud postings also identified. Common skill and tool patterns mentioned in job postings and profiles include SAST, SCA, DAST, CNAPP, Container Security, Agile, DevSecOps, and other secure SDLC methodologies. A consolidated public list of specific tool vendors is not publicly available.
Key Initiatives
- No public evidence was found for a Security Champions Program.
- "Shift Left" practices are evident through working closely with application development groups to integrate AppSec and CNAPP processes, and championing shift-left testing, CI/CD integration, and test-driven development practices.
- The Vulnerability Management Process includes an intake mechanism via a responsible disclosure program, and triage/remediation involves managing the triage of findings and streamlining reporting and metrics. Explicit SLAs, MTTR targets, ticketing systems, and remediation ownership directives are not publicly available.
- Secure SDLC Artifacts involve utilizing Agile, DevSecOps, and other secure SDLC methodologies, and integrating AppSec and CNAPP processes with development groups. Explicit public descriptions of mandatory security review gates, threat modeling schedules, or official secure-by-design checklist documents are not publicly available.
- Recent initiatives (last 6 months) show an expansion to CNAPP and cloud-native coverage. Information on program launch dates, adoption metrics, or tool rollout timelines for CNAPP is not publicly available.