Our Purpose
At Xero, we’re here to help you supercharge your business. We do this by automating routine tasks, surfacing actionable insights and connecting businesses with the right data, advisors and apps. When that happens, we’re not only making life better for small business, we’ll be building a stronger economy that can change the world.
How you’ll make an impact
As the Team Lead - Application Security, you will be responsible for establishing and leading two specialised AppSec teams: Application Security Consulting and Application Security Engineering and. Your role is pivotal in creating and driving the successful execution of Application Security in Xero. You will own the delivery of the AppSec roadmap. You will ensure a proactive approach to embedding security into Xero’s software development lifecycle (SDLC). You will create an environment where your teams can perform at their best, predictably and sustainably, by fostering a strong secure-by-design/ secure-by-default culture and empowering Xero’s engineers to ship secure code at scale. Your work will directly impact reducing software security risks and improving the overall security posture of Xero's internally developed applications.
You will create an environment where your teams can perform at their best, predictably and sustainably, by fostering a strong secure-by-design/secure-by-default culture and empowering Xero’s engineers to ship secure code at scale. Your work will directly impact reducing software security risks and improving the overall security posture of Xero's internally developed applications.
What you'll do
- Build and lead the Application Security Engineering and Application Security Consulting teams, ensuring alignment with Xero’s security and engineering strategy.
- Develop and execute the Application Security roadmap in partnership with the Security Product team, embedding security best practices throughout Xero’s software development lifecycle, from architecture and design to testing and deployment.
- Drive the implementation and maintenance of security tools and technologies, and automate security processes within CI/CD pipelines through the AppSec Engineering team.
- Oversee the AppSec Engineering team in conducting security testing and vulnerability assessments focused on internally developed applications.
- Guide the AppSec Consulting team in the design of secure application infrastructure, the development of security frameworks and best practices, and collaboration with development teams on secure design patterns.
- Partner with engineering teams to shift security left, integrating automated security testing, secure coding practices, and DevSecOps methodologies.
- Provide technical oversight and mentorship, ensuring application security risks are well-understood, prioritised, and mitigated effectively.
- Work closely with product and engineering teams to balance application security requirements with developer productivity and business agility.
- Collaborate with the Sec-Education team to provide regular workshops and training on application security matters, enhancing understanding of application risks for relevant employees.
- As required, lead, develop, and grow high-performing AppSec Engineering and AppSec Consulting teams by providing coaching, mentorship, and setting a clear direction by connecting their work to the Technology and Xero’s strategic objectives.
- Foster a culture of security enablement, where developers and engineers feel supported in building secure products.
- Collaborate closely with security, engineering, and product teams to embed security at every stage of the development process.
- Champion continuous improvement, leveraging industry best practices and emerging trends to refine application security approaches.
- Promote a culture of psychological safety and inclusion, ensuring all team members feel empowered to contribute and raise concerns.
Success looks like
- Your team implements developer-friendly security practices that reduce software security risks without slowing down development.
- Successfully delivers on the Application Security roadmap, embedding secure coding, threat modeling for projects, and automated security testing.
- Drives proactive application security initiatives that reduce the attack surface across Xero’s applications.
- Provides strategic and technical guidance to ensure robust security measures are maintained for all applications.
- Works closely with engineering and platform teams to automate security practices within the development lifecycle.
- Provides insights on application security posture, ensuring leadership has clear visibility of risk trends and remediation progress relevant to applications.
- Your reports clearly understand how their work contributes to Xero’s security and business success.
- Clearly understand their areas of development and their personal growth. Feel supported in their career growth and technical development.
- Actively collaborate with engineering teams, breaking down silos and fostering a culture of shared security responsibility.
- Are empowered and challenged to do their best work and their skills are continuously being developed through new learnings and experiences.
- Contribute to security knowledge-sharing across Xero, empowering product teams to take ownership of security within their domains.
- Are recognised and celebrated for good performance, and effectively managed when performing poorly.
- Are supported to produce the best work of their lives by your understanding and ability to remove barriers.
What you'll bring with you
- Strong domain expertise in Application Security (AppSec) with experience in securing modern software applications.
- Experience with security tooling, including SAST, DAST, SCA, and security automation within CI/CD pipelines.
- Coach and mentor – utilising software delivery, technical experience and expertise, offering the right knowledge, at the right time in the right way – understanding why and how people learn.
- Growth mindset – understanding that competency is not fixed but is enhanced through dedication and hard work. Demonstrating a love of learning and resilience to adversity that is essential for great accomplishment.
- High EQ – self-aware, self-regulated, motivated and empathetic, with great interpersonal skills.
- Leading and living the vision and values – building and fostering an inclusive and positive team culture. Keeping the team’s vision and values at the forefront of decision-making.
- Deep understanding of secure coding practices, DevSecOps, threat modeling, security architecture, and application risk management.
- Proven track record of leading teams to deliver high-quality software in a fast-paced environment, leveraging lean-agile techniques, while managing competing priorities and ensuring alignment with strategic goals.
- Excellent grasp of modern software delivery practices and life cycle.
- Proven ability to balance the needs of the individual with the needs of the business.
- Experience with coaching and mentoring.
- Strong stakeholder management skills, with the ability to influence without authority and align security priorities with business needs.
- Passion for developer enablement, making security accessible and empowering engineers to write secure code.
- Communicate and help others understand the importance of the vision and values. Translate the vision and values into day-to-day activities and behaviors.
- Have a good understanding of the importance of Xero's Engineering standards and practices and are able to coach teams to adhere to them.
- People leadership – demonstrating honesty and integrity. Providing clear objectives, guiding career development and fostering an inclusive environment that promotes psychological safety and teamwork. Clearly communicating expectations. Having an open mind and the flexibility to change opinions. Developing and supporting others.
- Teamwork – working with peers and stakeholders to establish an overall collaborative relationship.
- Outstanding communication and time management skills.
Why Xero?
Offering very generous paid leave to use however you’d like (plus statutory holidays!), dedicated paid leave to care for your physical and mental wellbeing as well as an Employee Assistance Program to access mental health care for you and your family. Health insurance, life insurance, and income protection.
We offer wellbeing and sports programmes, employee resource groups, 26 weeks of paid parental leave for primary caregivers, an Employee Share Plan, beautiful offices, flexible working, career development, and many other benefits that reflect our human value.
You’ll do the best work of your life at Xero!
Report job
