Posted: 12-May-26
Location: Victoria, Canada
Type: Full Time
Salary: $125,000 to $150,000.
Categories:
Currency:
Region:
About Us
British Columbia Investment Management Corporation (BCI) offers an exceptional opportunity to work at a world-class organization while living in a west coast setting. With $295.0 billion of gross assets under management, as of March 31, 2025, British Columbia Investment Management Corporation (BCI) is the provider of investment management services for British Columbia’s public sector and one of the largest asset managers in Canada. BCI seeks investment opportunities around the world and across a range of asset classes that convert savings into productive capital. Our investment returns play a significant role in helping our institutional clients build a financially secure future for their beneficiaries.
POSTING CLOSE DATE: June 2, 2026
BCI’s Cyber Security team is looking for a specialized Application Security Engineer to embed alongside development teams and help secure the software BCI builds, from design through deployment. Based in Vancouver or Victoria, this role sits at the intersection of software engineering and security, requiring deep hands-on experience with application security practices including AI assisted development.
THE OPPORTUNITY
Reporting to the Senior Manager, Cyber Security Product & Innovation, the Security Engineer is responsible for ensuring all software solutions built by BCI conform to best practices for writing secure software. The Security Engineer will be instrumental in developing security requirements and designing and implementing security solutions.
The Security Engineer collaborates and communicates with business and technology teams in an Agile hybrid environment and enables the effective and efficient delivery of secure, quality products.
This role has a specialized focus on application security engineering, a discipline that goes beyond general security engineering to address how software is built, tested, and defended throughout its full lifecycle. Application security engineers bring specific expertise to securing development environments, pipelines, and Including AI enabled and low-code/no-code environments Candidates are expected to be actively tracking these developments and to have explored the security implications they introduce, whether through enterprise experience or hands-on self-directed learning.
WHAT YOU BRING
- Bachelor’s degree in Technology, Engineering, Computer Science, or a related field
- A minimum of 5 years of experience in progressively senior technical roles with responsibility focused on information security processes, products, and projects
- Very strong knowledge in engineering secure systems
- Experience with securing cloud environments (MS Azure)
- Must have excellent documentation, customer-service, listening, communication and problem-solving skills
- Must be able to implement programs, security technologies and solutions to measure and sustain the security posture of large, complex environments
- Experience with Agile methods (Scrum) and DevOps practices is an asset
- Professional certifications such as Global Information Assurance Certification (GIAC), Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Certified Information Security Manager (CISM) or equivalent experience is essential
TECHNICAL SKILLS REQUIREMENTS
Must have some combination of strong hands-on experience with at minimum 4 or 5 of the following skills or technologies:
- Identity and access management systems for hybrid environments
- Secure coding practices
- Systems engineering
- Ethical vulnerability research and threat modeling
- Windows, UNIX, and Linux operating systems security, virtualization technology security, container security and serverless computing security
- Privileged access management systems for hybrid environments
- EDR and/or other endpoint protection technologies
- Zero Trust system design
- Cloud Native Application Protection Platform (CNAPP) systems
- Secure application design principles
- Data Classification and DLP solutions
- Enterprise vulnerability management, including vulnerability assessment, remediation, and reporting
- Phishing and social engineering
WHAT YOU WILL DO
- Development of new and innovative ways to solve existing production security issues as well as evaluate new technologies and processes that enhance security capabilities
- Develops technical security requirements for new products, tools and services envisioned for implementation at BCI
- Help and guide projects during solution design phase
- Collaborates and coordinates with application, operations, and product teams to provide guidance on the development of secure product designs that meet security requirements
- Ability to communicate complex security issues and develop security user stories in language that non-technical stake holders can understand
- Ability to respond to information security issues at each stage of a project’s lifecycle
- Proactively identifies risks and issues and proposes solutions to remove barriers
- Undertakes special projects or assignments as required
- Ability to document designs as well as produce technical reports in support of security initiatives
Application Security:
- Consults on designs, implementations, and maintenance of DevSecOps pipelines that integrate security testing (SAST, DAST, SCA) into CI/CD workflows
- Works with DevSecOps to develop and maintain secure coding standards, guidelines, and training materials for development teams
- Conducts application security assessments, threat modeling sessions, and architecture reviews for new and existing applications
- Champions security culture by embedding into Agile development teams as a security subject matter expert
- Triages and prioritizes application security vulnerabilities, working with development teams on remediation strategies
- Develops and maintains security testing automation to enable continuous assurance of application security posture
- Monitors emerging application security threats, vulnerabilities, and attack techniques to proactively address risks
- Experience with application security testing tools including Static analysis/SAST, Dynamic analysis/DAST, IAST, and Software Composition Analysis (SCA)
- Knowledge of secure API design, authentication patterns (OAuth 2.0, OpenID Connect), and API gateway security
- Experience with Infrastructure as Code (IaC) security scanning (Terraform, ARM templates, CloudFormation)
- Proficiency in programming languages such as Python, JavaScript/TypeScript, Java, C#, or Go
- Knowledge of AI/ML application security considerations, including prompt injection prevention and model security
- Professional certifications such as GWAPT, GWEB, CSSLP, CEH, OSWE, or equivalent experience is an asset
- Leads and completes security risk reviews on software, SaaS, third party and written code
- Monitors emerging AI and ML security threats, vulnerabilities and attack techniques and proposes new solutions to emergent risks in these areas
- Performs other related duties as required
WHERE YOU WILL WORK
There is a strong preference for Victoria, BC; however, we will consider Vancouver, BC for the right candidate, with the expectation of occasional travel to Victoria. We are an in-person collaborative organization with the flexibility to work remotely one day a week.
SALARY RANGE
The annualized base salary range for this Victoria or Vancouver based role is CAD $125,000 to $150,000.
Our recruitment process requires that the successful candidate agrees to undergo a criminal record search, education and designation verification; to provide a declaration of no previous or current criminal status; and to comply with our corporate Code of Ethics & Professional Conduct.
Interested in joining our team and want to learn of other career opportunities with BCI? Create a profile and sign up for job alerts at: https://bci.wd10.myworkdayjobs.com/BCI_Careers.
