About the Role
_________________
Position Summary:
As a Senior Manager in League Office CyberSecurity department, the Gen AI Security & DevSecOps Engineer builds and operates the security infrastructure, automation, and governance that keep the NBA's software delivery and AI adoption secure. The role spans three domains: DevSecOps (securing the CI/CD pipelines and software development lifecycle that ship NBA applications), Gen AI Security (securing the organization's growing use of Generative AI, agents, and AI developer tools), and Cloud Security (securing the cloud, Kubernetes, and secrets posture that those applications run on). This is a hands-on engineering role: the candidate designs DevOps processes, administers and builds security tooling across the software development lifecycle, embeds security testing and policy enforcement into the pipeline, and owns security review and runtime controls for AI.
Major Responsibilities
- Secure CI/CD pipelines at scale across the organization's CI/CD platforms with standardized security templates and automated policy enforcement, embedding static analysis (SAST), software composition analysis (SCA), container, infrastructure as code (IaC), and secrets scanning, with break build enforcement on critical and high severity findings.
- Administer the enterprise SAST and SCA platform (scan engine infrastructure, query tuning, severity calibration, finding triage) and maintain the exploitability knowledge base that distinguishes true positives from false positives to keep security fast and low friction.
- Build automated compliance tooling that detects required scans, validates pipeline configuration, and flags coverage gaps; audit pipeline posture across platforms and drive remediation directly with engineering teams.
- Support secure SDLC practices and security gates (SAST, SCA, container, IaC, DAST), threat modeling, SBOM generation, and dependency verification; coordinate with the DAST and penetration testing functions and act on bug bounty findings.
- Design and build the enterprise security operations platform and the automation that orchestrates DevSecOps workflows (scan state changes, triage, exemptions, intake, notifications), including AI-assisted vulnerability triage with appropriate guardrails, audit trails, and human oversight.
- Define and report security risk metrics, lead security audits and assessments, conduct supply chain and CVE incident response across the estate, and mentor junior team members.
- Lead security reviews of Generative AI applications, agentic workflows, and AI developer tools submitted through the enterprise AI intake process, assessing against OWASP Top 10 for LLM Applications, OWASP Top 10 for Agentic Applications, NIST AI RMF, MITRE ATLAS, and NBA Gen AI security policy and standards.
- Author and maintain NBA Generative AI security policy and standards, including controls for AI data protection, model and prompt security, agentic AI, MCP (Model Context Protocol) integration, and AI developer tooling.
- Evaluate and onboard Gen AI security tooling such as runtime guardrails, AI red teaming, browser and DLP controls, and MCP governance, and design and operate runtime AI security controls integrated into application pipelines and runtime.
- Govern enterprise security over AI developer tooling and the MCP server approval workflow, and partner with the Enterprise Gen AI, Cloud Infrastructure, GRC, Legal, and Privacy functions to align AI security controls with broader AI governance.
- Administer and operate the enterprise cloud security platform across a large multi-cloud estate (cloud posture, container, and IaC scanning); detect, prioritize, and drive remediation of misconfigurations and vulnerabilities against defined SLAs with infrastructure and application teams.
- Own cloud security scanning policy configuration and service account governance (scope, least privilege, credential rotation), lead platform lifecycle work, and perform technical security configuration assessments of cloud platforms.
- Own the Kubernetes security posture across a large cluster footprint, including admission control, RBAC, namespace isolation, network policies, and Pod Security Standards, and execute admission controller enforcement programs that move policies from audit to block in staged, owner-communicated rollouts with exception and rollback processes.
- Design and operate automated credential rotation across cloud identity and key management services (cross-account role assumption, grace periods, owner notifications) and lead the initiative to eliminate static access keys in favor of OAuth 2.0, OIDC, and role-based authentication.
- Manage the secrets lifecycle across cloud and pipeline secret stores with detection, alerting, and automated rotation, and build reporting that surfaces aging and non-compliant secrets.
Required Education & Professional Experience
- Bachelor's degree in a technical discipline (or equivalent work experience).
- Minimum of seven years in IT (a minimum of five years in information security).
- Hands-on experience administering and integrating modern security tooling across the DevSecOps toolset, including SAST, SCA, DAST, container, IaC, and secrets scanning.
- Hands-on experience designing and securing CI/CD pipelines on modern CI/CD platforms.
- Strong programming and scripting ability, with the ability to build integrations, automation, and tooling against platform APIs.
- Solid hands-on implementation of cloud security across at least one major cloud provider, including identity and access management, secrets management, network security, and posture management, guided by frameworks such as CIS Benchmarks, Cloud Security Alliance, and the NIST SP 800-53 and 800-190/800-204 series.
- Working knowledge of Kubernetes and container security, including RBAC, admission control, namespace isolation, network policies, and Pod Security Standards.
- Familiarity with AI and LLM security frameworks (OWASP Top 10 for LLM Applications, OWASP Top 10 for Agentic Applications, NIST AI RMF, MITRE ATLAS) and the controls that mitigate Generative AI risks such as prompt injection, sensitive data disclosure, and excessive agency (preferred).
- Understanding of governance applied to cloud and AI computing in terms of risk, exposure, impact, and policy; experience writing architectural plans, standards, and guidelines for enterprise platforms.
- One or more industry security certifications, such as GIAC (GCSA), a cloud security certification (CCSP, CCSK, or a cloud provider security certification), or an application or offensive certification (CEH, OSCP, or CySA+).
Salary Range:
$145,000-$165,000
Job Posting Title:
Senior ManagerEmployees currently are eligible to receive an annual discretionary performance bonus, awarded at the sole discretion of the Company and subject to any terms and conditions set by the Company. Employees and/or eligible dependents may be eligible to participate in the following Company-sponsored employee benefit programs: medical; dental; vision; life/AD&D insurance; short- and long-term disability; fertility and family-forming assistance; wellbeing allowance; educational assistance; mental health coaching/therapy; tax advantaged accounts such as HSA and healthcare/dependent care FSAs; a 401(k) retirement plan; and time off benefits that include vacation, sick time, and personal days.
We Consider Applicants For All Positions On The Basis Of Merit, Qualifications And Business Needs, And Without Regard To Race, Color, National Origin, Religion, Sex, Gender Identity, Age, Disability, Alienage Or Citizenship Status, Ancestry, Marital Status, Creed, Genetic Predisposition Or Carrier Status, Sexual Orientation, Veteran Status, Familial Status, Status As A Victim Of Domestic Violence Or Any Other Status Or Characteristic Protected By Applicable Federal, State, Or Local Law.
The NBA is committed to providing a safe and healthy workplace. To safeguard our employees and their families, our visitors, and the broader community from COVID-19, and in consideration of recommendations from health authorities and the NBA’s own advisors, any individual working onsite in our New York and New Jersey offices must be fully vaccinated against COVID-19. The NBA will discuss accommodations for individuals who cannot be vaccinated due to a medical reason or sincerely held religious belief, practice, or observance.
About the NBA
The National Basketball Association (NBA) is a global sports and media organization with the mission to inspire and connect people everywhere through the power of basketball. Built around five professional sports leagues: the NBA, WNBA, NBA G League, NBA 2K League and Basketball Africa League, the NBA has established a major international presence with games and programming available in 214 countries and territories in 60 languages, and merchandise for sale in more than 200 countries and territories on all seven continents. NBA rosters at the start of the 2024-25 season featured a record-tying 125 international players from a record-tying 43 countries. NBA Digital’s assets include NBA TV, NBA.com, the NBA App and NBA League Pass. The NBA has created one of the largest social media communities in the world, with more than 2.3 billion likes and followers globally across all leagues, team and player platforms. NBA Cares, the NBA’s global social responsibility platform, partners with renowned community-based organizations around the world to address important social issues in the areas of education, inclusion, youth and family development, and health and wellness.