Job Description

We are hiring for this position out of our Toronto, Vancouver and Calgary offices. Successful candidates who apply outside of these areas will be expected to relocate and reside in a location that is within a commutable distance.

About the role:

We’re hiring a Senior DevSecOps Engineer with 8–10+ years of experience, deep multi-cloud expertise (AWS + Azure), strong Terraform and the ability to drive technical strategy across a regulated financial institution. This is a senior individual contributor role. You’ll set technical direction for DevSecOps, partner with the AVP of Corporate Information Security on strategy, mentor and grow the team, and personally own the hardest pieces of work. You’ll be a primary point of contact for engineering leadership, audit, and external regulators when DevSecOps topics come up.

About the day-to-day:

Technical leadership and strategy (~30%)

• Build and evolve the DevSecOps technical strategy across CI/CD, IaC, secure cloud architecture, detection, and compliance automation.
• Partner with the AVP of Corporate Information Security and the Team Lead, DevSecOps, on the security roadmap; translate risk decisions into engineering work.
• Collaborate on architecture decisions and ADRs for the DevSecOps platform. Champion paved roads and golden paths over one-off solutions.
• Lead vendor evaluations and POCs for security tooling. Make the build-vs-buy argument with the data to back it up.
• Develop and maintain a Security Centre of Excellence for all new products and substantial changes, ensuring security requirements are met before they reach production.
• Represent DevSecOps to engineering leadership, audit (internal and external), and regulators on technical questions.

Hands-on engineering (~40%)

• Personally architect and build the hardest pieces: the IaC pipeline that gates all production change, the cross-cloud detection fabric, the SBOM/supply-chain integrity program, the secrets management migration.
• Drive the AWS-to-Azure migration of applications as a senior security engineering owner: design target-state controls in Azure, run gap analysis against AWS, validate equivalence before workload cutover.
• Architect and review Terraform at scale: module strategy, state isolation, workspace patterns, drift detection, breaking-change management.
• Implement and operate policy-as-code across the SDLC: PR-time, pipeline-time, deploy-time, and runtime enforcement.
• Lead implementation of supply-chain security: signed builds (Sigstore/cosign), SBOM generation and storage, SLSA-aligned provenance, dependency pinning, runner isolation.
• Integrate, monitor, and tune SAST/DAST platforms across CI/CD pipelines.
• Build out Zero Trust patterns: workload identity federation, conditional access, just-in-time access and microsegmentation.
• Publish and disseminate CI/CD best practices, patterns, and solutions across product engineering teams.

Compliance, audit, and risk (~20%)

• Own the threat-modeling program: set the methodology (STRIDE, LINDDUN, attack-tree, MITRE ATT&CK-mapped), train others on it, ensure outputs become real backlog items.
• Be an engineering owner of control evidence for SOC 2, PCI-DSS and applicable Canadian regulatory expectations.
• Automate audit evidence collection wherever feasible: replace screenshot-based evidence with API-pulled, signed, dated artifacts.
• Contribute to the cybersecurity risk register and risk treatment plans; partner with GRC and Operational Risk Management.
• Make the case to regulators and auditors that controls are designed effectively and operating effectively.
• Stay current on emerging threats and regulatory changes in cloud security, AI, and automation; apply innovative solutions to enhance the security framework.

People and team (~10%)

• Mentor Intermediate and Junior DevSecOps engineers: set development goals, do code reviews that teach, sponsor stretch projects.
• Build the team's documentation and onboarding so it scales with hires.
• Contribute to a healthy on-call culture: sustainable rotations, blameless retros, runbook quality.

Nice to have / differentiators:

• Canadian regulated financial services experience (banking, trust company, credit union, fintech sponsor bank).
• Active certifications: CISSP, CCSP, OSCP/CPTS, AWS Security Specialty, Azure SC-100, AZ-500, AZ-400, CKS, HashiCorp Terraform Associate/Pro.
• Prior Security Centre of Excellence experience: stood one up, or served as the lead engineer inside one.
• Supply-chain security: Sigstore, in-toto, SLSA, SBOM (CycloneDX/SPDX), Dependency Track.
• Offensive security background: OSCP, real red-team/purple-team engagements, CTF placement.
• AI/LLM security experience: secure agent design, prompt-injection defenses, model supply-chain integrity.

About us:

Peoples Group is a trusted financial services company for the innovators at the forefront of Canada’s economic future. With offices in Vancouver, Calgary and Toronto, we are driving change by working alongside challenger banks, fintechs, brokers, and merchants to foster a dynamic and competitive financial ecosystem.

Our culture is built on four core behaviors: Grit to Grow, Connect to Collaborate, Putting Clients First, and Owning the Outcome We believe people do not simply choose a company to work for—they choose a company that makes a positive impact in the lives of Canadians. Above all, we value people, build meaningful relationships, focus on individual strengths, and approach our work with passion.

About the work environment:

Peoples Group offers a flexible and hybrid work environment. In this role you will work a combination of in-office and remotely from home. Typically, you'll be working regular business hours, Monday to Friday between 8:00am and 4:30pm with flexibility around start/end times.

The role requires the candidate to participate in on-call, acting as an escalation path in the event of a severe incident.

We offer:

• A hybrid work environment, enabling you to balance your personal and professional life seamlessly.

• Competitive salaries, profit sharing, RRSP matching and benefits from day one.

• Generous paid time off to help achieve a healthy work-life balance.

• A strengths-based approach, ensuring we work together more effectively.

• A commitment to your well-being in five key areas: Financial, Physical, Social, Career, and Community.

Hiring process:

If your application is selected, you will be invited for a first interview with one of our Talent Acquisition Business Partners. Depending on the role, interviews may be conducted virtually or in-person. The hiring team will communicate any in-person requirements throughout the process.

Compensation:

The expected salary for this role is approximately $125,000.00 - $145,000.00 annually. Actual compensation may vary based on experience, skills, and qualifications.

NOTE: This job posting is for an existing vacancy. Peoples Group is an Equal Employment Opportunity employer. Please accept our utmost appreciation for your interest; however, only those applicants under consideration will be contacted.

We value and celebrate individuality while fostering an inclusive workplace for everyone. If there's any way we can support or accommodate you during the selection process, please don't hesitate to let us know.