At Lilly, the work is demanding because patients are waiting. We unite caring with discovery to help make life better for people around the world, knowing that every decision, every detail, and every day matters. Headquartered in Indianapolis, Indiana, our over 50,000 employees around the globe take on complex challenges to discover and deliver life-changing medicines, strengthen how health is understood and managed, and support the communities we serve. This is hard, urgent, selfless work-but it's work worth doing. If you're driven by purpose and ready to bring your best to work that truly matters for patients, we invite you to join us.
What You'll Be Doing:
As a Sr. Principal Security Engineer, you will serve as a senior technical leader within the Security Architecture & Engineering (SAE) organization, leading strategy and architecture across Lilly's Application Security program. You will provide architectural direction, lead tool evaluation and selection, drive critical security transformation initiatives and serve as a trusted technical advisor to the Director of Application Security on program-level execution risk. This is a high-judgment, senior individual contributor role for someone who can operate at the strategic and architectural level while remaining credible in technical depth.
How You'll Succeed:
Architectural thinking: You design security solutions at a program level-defining reference architectures, evaluating build vs. buy tradeoffs, and ensuring that platform decisions made today don't create constraints tomorrow. You can translate a business or compliance requirement into an architectural pattern engineers can execute against.
Strategic tool evaluation: You know how to run a rigorous evaluation of security tooling-SAST, DAST, SCA, penetration testing platforms, and AI-augmented security tools. You can define criteria, structure a proof of concept, assess vendor capability against Lilly's environment, and make a defensible recommendation to leadership.
Program-level risk judgment: You identify where AppSec execution is at risk before things go wrong. You surface those risks clearly and come with options, not just concerns.
Enterprise transformation experience: You have led or architected large-scale security or identity migrations and understand the full scope of what breaks when a foundational platform changes. You know how to sequence a program-level effort, run dependencies, and keep security coverage intact through the transition.
Engineering credibility: You can engage at a technical level with security engineers and software developers alike. You understand CI/CD pipelines, developer workflows, and how AppSec controls interact with the systems they protect.
Developer partnership: You build trust with engineering teams by understanding their constraints and framing security requirements as solvable engineering problems-not mandates.
Key Responsibilities:
AppSec Strategy & Architecture
Define and maintain the architectural direction for Lilly's Secure SDLC program, including SAST, DAST, SCA, secrets management, and software supply chain capabilities.
Partner with the Director of Application Security to identify and communicate program-level execution risks and dependencies.
Translate regulatory, compliance, and audit requirements into security architecture that engineering teams can implement and sustain.
Tool Evaluation & Selection
Lead structured evaluations of security tooling across SAST, DAST, SCA, penetration testing, and AI-augmented security platforms.
Define evaluation criteria, design proof-of-concept engagements, assess vendor capabilities against Lilly's environment and scale, and produce recommendation packages for leadership decision-making.
Maintain awareness of the AppSec tooling landscape and advise on emerging capabilities-including AI-driven security tools-that warrant evaluation or adoption.
Partner with procurement, legal, and engineering collaborators to support vendor selection and contract alignment.
Enterprise Platform Security Transformation
Serve as the AppSec architecture lead for platform transformations, owning security architecture decisions and ensuring AppSec requirements are represented.
Assess and document the security impact of the migration on existing AppSec controls-identifying gaps in SAST, secrets scanning, and CI/CD security coverage that the migration creates and defining the remediation path.
Partner with engineering and platform teams to ensure security requirements are embedded into migration sequencing and cutover planning-not addressed after the fact.
Define security readiness criteria for each phase of the transformation and serve as the AppSec authority on go/no-go decisions at key transition points.
AppSec Execution Support
Provide senior technical guidance to AppSec engineers on complex implementation challenges, architecture decisions, and remediation approaches.
Conduct security reviews for high-risk applications, platforms, and infrastructure changes.
Support threat modeling engagements for major product initiatives and platform changes across Lilly's development ecosystem.
Contribute to Lilly's Secure SDLC standards and vulnerability management policy, ensuring policy is grounded in architectural reality and can be implemented through platform and pipeline controls.
Your Basic Qualifications:
Bachelor's Degree in Computer Science, Information Security, Software Engineering, or a related field.
At least 5 years of experience in application security, security architecture, or a closely related discipline.
Demonstrated experience leading or architecting a large-scale security, identity, or platform migration in an enterprise environment.
Hands-on experience with GitHub enterprise environments, including GitHub Actions, CI/CD security controls, and identity and access management patterns.
Experience evaluating and selecting enterprise security tooling, including SAST, DAST, or SCA platforms.
Familiarity with threat modeling methodologies and application security fundamentals (OWASP Top 10, CWE, secure coding practices).
What You Should Bring:
Deep familiarity with GitHub's identity and access model, including experience with or strong understanding of GitHub Enterprise Managed Users (EMU), SAML/OIDC federation, PAT governance, and GitHub Actions security controls.
Experience assessing the security implications of platform migrations-understanding what breaks, what coverage gaps are created, and how to sequence remediation.
Strong expertise in application security fundamentals-OWASP Top 10, CWE, secure coding practices, threat modeling, and vulnerability management.
Working knowledge of AppSec tooling ecosystems: SAST (Checkmarx or equivalent), DAST, SCA, and secrets scanning platforms.
Ability to communicate optimally to produce architectural documentation and present risk and recommendation to senior leadership.
Familiarity with secrets management platforms and software supply chain security patterns.
Awareness of AI-augmented security tooling and the ability to evaluate where AI meaningfully improves AppSec workflows versus where it introduces risk.
Working knowledge of cloud environments (AWS preferred) and containerized workloads in the context of security architecture.
Ability to operate as a senior individual contributor-providing architectural leadership and program-level judgment without requiring direct management authority to drive outcomes.
Location & Work Flexibility
This role is based at our Corporate Center in Indianapolis, IN. We offer a flexible hybrid work model, with three days onsite and two days working remotely each week, supporting both collaboration and work‑life balance.
We are also open to considering fully remote candidates based on role requirements and business needs.
Lilly is dedicated to helping individuals with disabilities to actively engage in the workforce, ensuring equal opportunities when vying for positions. If you require accommodation to submit a resume for a position at Lilly, please complete the accommodation request form (https://careers.lilly.com/us/en/workplace-accommodation) for further assistance. Please note this is for individuals to request an accommodation as part of the application process and any other correspondence will not receive a response.
Lilly is proud to be an EEO Employer and does not discriminate on the basis of age, race, color, religion, gender identity, sex, gender expression, sexual orientation, genetic information, ancestry, national origin, protected veteran status, disability, or any other legally protected status.
Our employee resource groups (ERGs) offer strong support networks for their members and are open to all employees. Our current groups include: Africa, Middle East, Central Asia (AMECA), Black Employees at Lilly (BE@Lilly), Chinese Culture Network (CCN), EnAble, Evolve, Lilly Indian Network (LIN), Organization of Latinx at Lilly (OLA), Pride (LGBTQ+ Allies), Veterans Leadership Network (VLN) and Women's Initiative for Leading at Lilly (WILL).
Actual compensation will depend on a candidate's education, experience, skills, and geographic location. The anticipated wage for this position is
$126,000 - $224,400
Full-time equivalent employees also will be eligible for a company bonus (depending, in part, on company and individual performance). In addition, Lilly offers a comprehensive benefit program to eligible employees, including eligibility to participate in a company-sponsored 401(k); pension; vacation benefits; eligibility for medical, dental, vision and prescription drug benefits; flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts); life insurance and death benefits; certain time off and leave of absence benefits; and well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities).Lilly reserves the right to amend, modify, or terminate its compensation and benefit programs in its sole discretion and Lilly's compensation practices and guidelines will apply regarding the details of any promotion or transfer of Lilly employees.
#WeAreLilly