




Summary: As Banamex's Security Architect, define the next-generation security fabric for a modern, secure, cloud-first financial platform, leading architectural transformation and embedding resilience, privacy, and compliance.

Highlights:

1. Report to the CTO and shape bank-wide technology strategy.
2. Secure mission-critical platforms used across Mexico.
3. Accelerate delivery with strong security guardrails.

**Security Architect — Banamex**

Banamex is transforming—and we’re doing it from the inside out. We’re rebuilding one of Mexico’s most iconic banks into a **modern, secure, cloud-first financial platform** that moves at fintech speed but with the scale and trust of a national institution.

As our **Security Architect**, you’ll report directly to the **CTO** and become the **architectural backbone** of that transformation. Your mission: design the next-generation security fabric that protects millions of customers while empowering engineers to deliver faster, safer, and smarter.

You won’t be maintaining controls—you’ll be **defining what secure banking looks like for the next decade**. From **Zero Trust architecture and DevSecOps pipelines** to **SPEI/CoDi payments, cloud workloads, and digital identity**, you’ll embed resilience, privacy, and compliance into every product we launch.

This is a role for someone who wants to **build patterns that outlive them**, influence architectural decisions at the highest level, and see their work ripple across the entire Mexican financial ecosystem. If you want to make impact—not noise—this is where it happens.

**What you’ll own**

* **Target Security Architecture:** Define and evolve reference architectures, control patterns, and guardrails for on-prem, cloud (AWS/Azure/GCP), and hybrid environments.
* **Design Authority:** Lead architecture reviews and formal threat modeling (STRIDE/LINDDUN); document risk-based decisions that stand up to audit.
* **Zero-Trust & Identity:** Drive identity-centric designs (OIDC/OAuth2/SAML, MFA, PAM), workload identity, micro-segmentation, and continuous verification.
* **Data Security:** Standardize encryption at rest/in transit, KMS/HSM usage, tokenization, data classification, DLP, and secrets management.
* **Cloud & Container Security:** Patterns for Kubernetes, serverless, and IaC (Terraform); adopt policy-as-code (OPA/Conftest), image signing, and runtime protections.
* **DevSecOps Enablement:** Embed SAST/DAST/IAST/SCA and IaC scanning into CI/CD; create reusable modules and golden paths developers love.
* **Payments & Channels:** Architect controls for SPEI/CoDi rails, card issuing/acquiring, mobile/web apps, and open banking APIs.
* **Third-Party & SaaS:** Intake standards, vendor architecture reviews, compensating controls, and continuous monitoring.
* **Detection & Response Architecture:** Telemetry standards and use cases for SIEM/SOAR/EDR/NDR aligned to MITRE ATT&CK.
* **Compliance by Design:** Map controls and evidence to CNBV/Bank of Mexico expectations, PCI DSS, ISO 27001, SOX/GLBA equivalents, and FFIEC-aligned practices.
* **Executive Storytelling:** Translate technical risk into business impact for the CTO, Architecture Board, and senior leadership.

**What makes this opportunity special**

* **Direct impact at the top:** Report to the CTO and shape bank-wide technology strategy.
* **National scale:** Your patterns secure mission-critical platforms used across Mexico.
* **Modernization with purpose:** Move fast with strong guardrails—security that accelerates delivery, not slows it.
* **Growth & visibility:** Present to executive forums, mentor engineers, and build the bank’s security pattern library.

**What you’ve done (Required)**

* 10+ years in security engineering/architecture; 3+ designing enterprise systems in regulated industries (banking/fintech preferred).
* Owned reference architectures and security patterns across cloud + on-prem.
* Depth in identity (OAuth2/OIDC/SAML), IAM/PAM, Zero Trust, and secrets management.
* Practical cryptography (TLS/mTLS, key management, HSM/KMS), data protection, and classification.
* DevSecOps experience integrating SAST/DAST/SCA, container/K8s security, and IaC scanning into pipelines.
* Designed logging/telemetry for SIEM/SOAR with clear detection use cases.
* Proven track record translating regulatory requirements into automated, auditable controls.
* Excellent documentation (C4/sequence diagrams) and executive communication.

**Nice to have**

* Payments (SPEI/CoDi), open banking APIs, card rails, fraud-signal integration.
* Mobile/web AppSec (OWASP ASVS/MASVS) and customer identity (CIAM).
* Mainframe or legacy modernization security patterns.
* Certifications: CISSP, CCSP, ISSAP, CSSLP, OSCP, AWS/Azure Security Specialty (or equivalent experience).

- **Job Family Group:** Technology
- **Job Family:** Digital Software Engineering
- **Time Type:** Full time
- **Most Relevant Skills:** Please see the requirements listed above.
- **Other Relevant Skills:** For complementary skills, please see above and/or contact the recruiter.

*Citi is an equal opportunity employer, and qualified candidates will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other characteristic protected by law.*

*If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity, review Accessibility at Citi.*

*View Citi’s EEO Policy Statement and the Know Your Rights poster.*


