Senior DevSecOps Engineer
Company Overview
Westaim and CC Capital have joined forces to strategically transform Westaim from a holding company into a global alternative credit asset manager with a unique, integrated insurance platform, branded as The Westaim Corporation. This partnership supports a long-term vision to deliver innovative, customized financial solutions across alternative credit and insurance, creating scalable growth and meaningful client impact.
Ceres USA Holdings, LLC, part of the insurance platform within The Westaim Corporation strategy, is the parent company of Ceres Life Insurance, a fast-growing, technology-driven annuity carrier startup. Ceres is focused on redefining retirement security by combining modern fintech capabilities, top-tier talent, and strong vendor partnerships to deliver exceptional annuity solutions and digital experiences.
Ceres is deeply committed to a client-centered culture. Through its Digital Contact Center and advisor-facing platforms, the company delivers proactive, personalized, and technology-enabled support that empowers clients and advisors while maintaining the highest standards of trust, security, and regulatory compliance.
About the Role
We are looking for a Senior DevSecOps Engineer to join the Information Security team and work closely with the Office of the CISO to help secure a modern, cloud-based insurance platform supporting annuity products and financial operations.
This is a hands-on role for someone who enjoys securing cloud infrastructure, software delivery workflows, code repositories, infrastructure as code, CI/CD pipelines, APIs, and application environments. You will work closely with engineering, infrastructure, data, product, and security stakeholders to embed security into development and cloud operations.
This role is ideal for a technically strong engineer with a background in software engineering, cloud security, AWS, infrastructure as code, and secure SDLC practices. The right candidate can learn new platforms quickly, understand how engineering systems fit together, and translate security findings into practical remediation and improved security patterns.
This is not a purely advisory or architecture-only role. You will be expected to review, configure, implement, document, troubleshoot, and help remediate security issues in partnership with the CISO, Deputy CISO, engineering teams, platform owners, and security partners.
Key Responsibilities
Secure Cloud and Engineering Environments
Design, implement, and improve security controls across cloud infrastructure, application environments, developer workflows, and engineering platforms
Review cloud architecture, infrastructure as code, APIs, integrations, and application design for security risks
Help identify, prioritize, and remediate cloud misconfigurations, infrastructure weaknesses, and security findings
Support secure configuration of cloud services, identity and access controls, network security controls, and service-level security settings
Maintain documentation of cloud and engineering security decisions, control patterns, remediation actions, and operational procedures
Strengthen Secure SDLC and DevSecOps Practices
Implement and improve security controls across code repositories, CI/CD pipelines, and software delivery workflows
Support branch protection, repository permissions, secrets scanning, code scanning, dependency review, and secure development practices
Partner with engineering teams to embed security into the development lifecycle without unnecessarily slowing delivery
Coordinate remediation of vulnerabilities identified through cloud security platforms, code scanning, penetration testing, application security reviews, infrastructure-as-code review, and audit findings
Help define repeatable secure development, deployment, and remediation patterns
Support Application, API, and Software Supply Chain Security
Review applications, APIs, integrations, and platform designs for security risks and practical remediation options
Help improve software supply chain security, dependency management, secrets handling, and secure deployment workflows
Provide practical guidance to engineers on secure coding, secure cloud usage, access control, logging, monitoring, and remediation priorities
Collaborate with engineering and platform teams to ensure security findings are understood, prioritized, and resolved
Strengthen Security Governance and Audit Readiness
Help prepare the organization for Internal Audit, external audits, regulatory reviews, and control assessments
Support security control implementation and evidence gathering for frameworks and expectations such as SOC 2, ISO 27001, NAIC, and other relevant standards
Ensure security work is documented, repeatable, reviewable, and aligned with control requirements
Follow change management processes and support appropriate review and approval of security configuration changes
Partner with the Office of the CISO to prioritize cloud, application, and SDLC security improvements and reduce operational risk
Provide Practical Cloud and SDLC Security Architecture Input
Provide hands-on security architecture input for cloud infrastructure, application platforms, APIs, CI/CD workflows, and engineering practices
Identify security design gaps and recommend practical, implementable improvements
Help define secure patterns for cloud services, infrastructure as code, source control, CI/CD, secrets management, and application delivery
Advise on secure use of emerging technologies and AI-enabled development or automation tools where relevant
Required Qualifications
7+ years of experience in cybersecurity engineering, DevSecOps, cloud security, software engineering, infrastructure engineering, or a related field
Strong hands-on experience securing cloud environments, preferably AWS
Experience with infrastructure as code, especially Terraform or similar tools
Experience securing code repositories, CI/CD pipelines, developer workflows, or software delivery platforms
Familiarity with secure SDLC practices, application security, API security, vulnerability remediation, and software supply chain security
Experience coordinating remediation of security findings with engineering teams
Strong understanding of cloud IAM, network security controls, secrets management, logging, monitoring, and secure configuration
Experience working in regulated environments or environments with formal audit, compliance, or control requirements
Self-motivated learner who proactively researches emerging technologies, security trends, and evolving threats without waiting for direction
Ability to learn a new platform and quickly become proficient
Strong written and verbal communication skills, including the ability to document technical decisions and explain security concepts clearly to engineering and business stakeholders
Nice-to-Have Qualifications
Experience supporting financial services, insurance, annuity, fintech, or other regulated environments
Experience with cloud security posture management, cloud vulnerability management, or infrastructure security tooling
Experience with GitHub security controls, GitHub Advanced Security, code scanning, secret scanning, dependency review, or similar capabilities
Experience with penetration test remediation, application security review, threat modeling, or secure architecture review
Familiarity with frameworks and requirements such as SOC 2, ISO 27001, NAIC, NIST, or similar control frameworks
Experience with developer security enablement, security champions, engineering training, or secure SDLC rollout
Certifications such as CISSP, cloud security certifications, AWS security certifications, or other relevant security or engineering certifications
Who This Role Is Ideal For
This role may be a strong fit for someone who has a software engineering, cloud engineering, platform engineering, or infrastructure-as-code background and has moved into security. It is also a fit for a hands-on cloud security or application security engineer who enjoys working directly with engineering teams and remediating real findings.
The ideal candidate enjoys solving practical cloud and software security problems, learning new platforms quickly, working directly with developers and platform teams, and turning security priorities into implemented controls and measurable risk reduction.
What This Role Is Not
This is not a pure architect role, a policy-only role, or a governance-only role. It is also not primarily a Microsoft 365, endpoint administration, corporate SaaS administration, or SOC operations role.
This role will provide practical cloud, application, and SDLC security architecture input when needed, but the day-to-day expectation is hands-on security engineering, review, remediation, documentation, and operational improvement.
Internal Audit and Control-Readiness Expectations
Ceres expects to continue maturing its internal audit and control environment. This role will help ensure cloud, application, and SDLC security controls are implemented, documented, monitored, and improved over time.
The Senior DevSecOps Engineer will help the Office of the CISO prepare for internal audit, external audit, regulatory reviews, and security control assessments by supporting evidence collection, remediation tracking, secure configuration, change management, and control documentation across cloud and engineering workflows.
Why Join Us?
Be part of a fast-growing, innovative insurance business dedicated to delivering modern annuity solutions and exceptional advisor and client experiences
Make a direct impact on the security, resilience, and control maturity of a growing regulated company
Work closely with the Office of the CISO and engineering teams on meaningful, hands-on cloud and SDLC security initiatives
Help shape secure engineering practices while working across modern cloud, code, infrastructure-as-code, and DevSecOps platforms
Join a collaborative startup environment focused on technology, digital tools, and advisor enablement
Competitive compensation package with PTO, health benefits, and career growth opportunities