Manager, Application & Data Security
The Carlyle Group
Washington, USA
USD 160k-180k / year
Position Summary
Responsibilities
- Lead the day-to-day execution of The Carlyle Group's Application Security program, translating strategic direction from senior leadership into measurable, operational outcomes.
- Own and continuously mature the firm's Secure Software Development Lifecycle (SSDLC), partnering closely with engineering, DevOps, and architecture teams.
- Drive adoption and optimization of AppSec tooling, including SAST, SCA, and secret scanning workflows, with direct ownership of the Cycode platform:
  - Configure and tune Cycode SAST rules and policies to minimize false positives while maximizing signal fidelity.
  - Manage Cycode SCA findings, prioritize open-source vulnerability remediation, and enforce software composition policy.
  - Operationalize Cycode Secrets Detection to prevent credential and key leakage across source repositories.
- Integrate security gates into GitHub Actions CI/CD pipelines, ensuring security scans run automatically on pull requests, merges, and releases.
- Establish and manage AppSec SLAs for vulnerability remediation, tracking and reporting metrics to senior leadership and engineering stakeholders.
- Conduct threat modeling sessions for new applications and significant architectural changes; document findings and drive risk-based remediation.
- Perform or oversee penetration testing and secure code reviews for internally developed and third-party applications.
- Maintain and evolve the firm's vulnerability disclosure and responsible disclosure processes.
- Own the firm's enterprise vulnerability management program end-to-end — from scanning through prioritization, remediation tracking, and reporting.
- Operate and administer the Rapid7 InsightVM platform:
  - Manage scan schedules, asset coverage, and credentialed scanning configurations across on-premises and cloud environments.
  - Build executive and operational dashboards and reports, tracking vulnerability SLAs by severity and business unit.
  - Integrate Rapid7 findings into ticketing and remediation workflows in partnership with IT and infrastructure teams.
- Operate and administer the Wiz Cloud Security Platform:
  - Continuously assess cloud security posture across AWS and Azure environments for misconfiguration and vulnerability risks.
  - Triage and manage Wiz Issues, applying risk-based prioritization to cloud workload vulnerabilities and toxic risk combinations.
  - Leverage Wiz CIEM capabilities to identify and remediate over-privileged cloud identities and IAM misconfigurations.
  - Correlate findings across Rapid7 and Wiz to build unified vulnerability risk reporting for leadership consumption.
- Develop and maintain vulnerability management KPIs and OKRs; present monthly and quarterly metrics to the CISO and senior stakeholders.
- Partner with cloud engineering and infrastructure teams to drive timely remediation, define exception processes, and enforce patching SLAs.
- Evaluate and integrate additional infrastructure security tooling as the security stack evolves.
- Lead the firm's emerging capability in AI-powered application security testing, establishing methodology, tooling, and governance.
- Perform security assessments of AI and LLM-integrated applications, identifying risks aligned with the OWASP LLM Top 10, including:
  - Prompt injection and jailbreaking vulnerabilities in LLM-integrated workflows.
  - Training data poisoning and model extraction attack vectors.
  - Insecure plugin and tool integration in LLM-based agents.
  - RAG (Retrieval-Augmented Generation) pipeline security — data exfiltration, context manipulation, and access control gaps.
- Design and execute red team exercises targeting AI/ML systems, including agentic AI applications being developed or procured by the firm.
- Partner with the AI governance and data science teams to embed security review into the AI model procurement, development, and deployment lifecycle.
- Stay current on AI security research, threat intelligence, and evolving frameworks (MITRE ATLAS, OWASP LLM Top 10, NIST AI RMF) to ensure the firm's testing methodology remains industry-leading.
- Document AI security testing findings using standardized report formats and present risk-rated findings to application owners and senior leadership.
- Serve as the Information Security SME for application and infrastructure security in cross-functional project meetings, design reviews, and technology governance forums.
- Mentor and guide junior security team members and security champions embedded in engineering teams.
- Contribute to the development and maintenance of security policies, standards, and guidelines relevant to AppSec and infrastructure security.
- Support audit and compliance activities (e.g., SOC 2, ISO 27001, SEC cybersecurity rules) by providing documentation of AppSec and vulnerability management controls.
- Manage relationships with external security vendors and service providers supporting the AppSec and vulnerability management functions.
Qualifications
- Bachelor's degree, required
- Concentration in Computer Science, Information Security, or a related technical field, preferred
- Relevant certifications such as CISSP, CISSP-ISSAP, CSSLP, SABSA, TOGAF, CCSP, or cloud security certifications (AWS), preferred
- Minimum of 6 years of overall relevant experience, required
- Progressive experience in information security, with a minimum of 4 years focused on application security and/or infrastructure security, preferred
- Demonstrable, hands-on experience operating AppSec tooling in an enterprise environment — SAST, SCA, and secrets scanning platforms (Cycode experience strongly preferred).
- Proven experience managing CI/CD-integrated security pipelines, specifically within GitHub Actions workflows.
- Hands-on operational experience with Rapid7 InsightVM or equivalent enterprise vulnerability management platform.
- Hands-on operational experience with Wiz or an equivalent cloud security posture management (CSPM) platform.
- Experience in financial services, private equity, asset management, or other highly regulated industries is strongly preferred.
- Application Security: SAST, DAST, SCA, secrets detection, secure code review, threat modeling, OWASP Top 10, API security (OWASP API Top 10).
- CI/CD Security: GitHub Actions workflow configuration, pipeline security gates, artifact signing, dependency pinning, and supply chain security.
- Vulnerability Management: Rapid7 InsightVM (scan configuration, asset management, remediation workflows), Wiz (CSPM, CIEM, IaC scanning, workload protection).
- Cloud Security: AWS, Azure, or GCP security posture, IAM least privilege, network security groups, container/Kubernetes security fundamentals.
- AI Security: Familiarity with OWASP LLM Top 10, MITRE ATLAS, prompt injection testing, LLM application architecture, and RAG pipeline security.
- Scripting and Automation: Python, Bash, or equivalent scripting capability to automate security workflows, build integrations, and parse tool outputs.
- Penetration Testing: Web application and API penetration testing methodology; familiarity with Burp Suite Pro, OWASP ZAP, or similar tooling.
- Experience with Cycode or equivalent unified AppSec platform (Snyk, Veracode, Checkmarx, or similar) at an enterprise scale.
- Experience conducting AI/LLM red team exercises or security assessments of generative AI applications.
- Knowledge of financial services regulatory requirements with cybersecurity implications: SEC Cybersecurity Disclosure Rules, DORA, SOC 2 Type II, ISO 27001, NIST CSF.
- Familiarity with infrastructure-as-code security scanning (Terraform, CloudFormation, Bicep) via Wiz IaC or equivalent.
- Experience with container security scanning and Kubernetes security hardening.
- Previous experience in a management or lead role with demonstrated ability to influence without direct authority.
- Strong enterprise and application architecture design capability
- Ability to balance security rigor with business enablement
- Strategic mindset with pragmatic execution discipline
- Strong documentation and governance orientation
- Analytical, risk-based decision-making approach
- High integrity and accountability
- Collaborative leadership style
Company Information
The Carlyle Group (NASDAQ: CG) is a global investment firm with $475 billion of assets under management, across 678 investment vehicles as of March 31, 2026. Founded in 1987 in Washington, DC, Carlyle has grown into one of the world's largest and most successful investment firms, with more than 2,500 professionals operating in 28 offices in North America, Europe, the Middle East, Asia and Australia.
Carlyle’s purpose is to connect people, ideas, and capital to fuel growth for companies and performance for investors, which range from public and private pension funds to wealthy individuals and families to sovereign wealth funds, unions and corporations. Carlyle invests across three segments – Global Private Equity, Global Credit and Carlyle AlpInvest – and has deep expertise across industries, markets, and geographies.
At Carlyle, we believe that a wide spectrum of experiences and viewpoints drives performance and success. Our CEO, Harvey Schwartz, has stated that, "To build better businesses and create value for all of our stakeholders, we are focused on assembling leadership teams with the strongest insights from a range of perspectives." Reflecting this view, emphasis is placed on development, retention and inclusion through our internal processes and seven Employee Resource Groups (ERGs). We cultivate a culture where ideas are openly shared and challenged, connecting diverse expertise and perspectives to drive enduring value.