About Us:
With $295.0 billion of gross assets under management, as of March 31, 2025, British Columbia Investment Management Corporation (BCI) is the provider of investment management services for British Columbia’s public sector and one of the largest asset managers in Canada. BCI seeks investment opportunities around the world and across a range of asset classes that convert savings into productive capital. Our investment returns play a significant role in helping our institutional clients build a financially secure future for their beneficiaries.
BCI is headquartered in Victoria, British Columbia, with teams spanning Vancouver, New York, London, and Mumbai.
BCI integrates environmental, social, and governance (ESG) factors into all investment decisions to meet clients' risk and return requirements. Our people shape employee-focused initiatives, creating a strong culture. To learn more about our culture and values, visit our BCI Values in Action page.
This role is for builders, not gatekeepers. If you’ve built security programs with limited resources, conducted hands-on risk assessments for vendors, SaaS platforms, AI solutions, and software products, and earned your credibility by saying “yes, and here is how safely” rather than defaulting to “no,” you will feel at home here. We are looking for someone whose instincts were sharpened in a leaner, more entrepreneurial setting where resourcefulness and partnership mattered more than inherited process and where you owned the work end to end. A background in software development will set you apart. This is a working leadership role at the head of a small, high-impact team, and we have a strong preference for someone excited to be based at BCI’s headquarters in Victoria, BC, one of Canada’s most livable cities.
The Technology department is BCI's innovation catalyst and digital transformation engine, pioneering the future of institutional investment through cutting-edge technology solutions. We architect next-generation platforms powered by AI and cloud-native technologies that drive investment excellence and operational efficiency.
As a strategic partner across all areas of BCI's business, we don't just implement technology—we envision breakthrough digital experiences of the future. Our department leads digital transformation initiatives, creates intelligent automation solutions, and builds secure, scalable infrastructure that supports everything from identifying investment opportunities, decision-making, and portfolio management to risk analysis, trade processing, and regulatory reporting.
We cultivate digitally empowered workplaces through advanced collaboration ecosystems and productivity platforms, enabling our Technology and business teams to thrive in tomorrow's investment landscape.
Reporting to the Vice President, Cyber Security, the Senior Manager, Cyber Security Product & Innovation is a senior leadership role with an explicit mandate to position security as an enabler of innovation at BCI. This role serves as the primary security partner for product, data, AI, business and technology initiatives, engaging early in the design and requirements phases to ensure that security is embedded into new capabilities rather than applied as a late-stage gate.
The Senior Manager leads a team responsible for application security, vendor, product and AI risk assessments, DevSecOps integration, and the development of reusable secure-by-design patterns. The role operates with a "yes, and here is how safely" orientation, translating security risk into plain-language, business-navigable options that allow BCI's technology and innovation teams to move with speed and confidence.
This role owns the security advisory relationship with BCI's product, data engineering, and innovation functions and is accountable for resolving security impasses at the working level, escalating to the VP, Cyber Security only where risk falls outside approved appetite thresholds.
Degree, diploma, or certification in Computer Science, Information Security, or an equivalent combination of education and relevant experience
8+ years of progressive experience in cyber security, with a minimum of 3 years in a people leadership role
Demonstrated experience in application security, DevSecOps, or product security within a complex technology environment
Proven ability to translate technical security risk into business-relevant language and options for non-technical stakeholders
Strong relationship management and influencing skills, with experience working across product, engineering, and business functions
Experience conducting security risk assessments for systems, applications, and AI/ML solutions
Relevant certifications such as CISSP, CISM, CSSLP, or equivalent are an asset
Technical Skills
A combination of knowledge and/or hands-on experience is desired across the following areas:
Application security principles and practices including OWASP, threat modelling, secure SDLC, and DevSecOps integration
Security risk assessment methodologies for systems, applications, SaaS platforms, and AI/ML solutions
Knowledge of AI governance frameworks, model risk considerations, and data handling requirements for AI use cases
Cloud security principles, particularly in Azure and SaaS environments
Familiarity with security frameworks and standards including NIST CSF, ISO 27001, CIS Controls, and Zero Trust architecture
Experience with DevSecOps tooling and CI/CD pipeline security integration
Understanding of API security, identity and access management principles, and data classification frameworks
Experience with vendor risk assessment processes and third-party security evaluation
Security Partnership & Business Enablement
Acts as the primary security liaison and embedded partner for BCI's product, data, AI, technology and innovation teams, engaging at the requirements and design phase of initiatives, not solely at go-live gates
Adopts a "yes, and here is how safely" stance in all engagements; starts from the legitimacy of the business goal and shapes secure pathways forward; uses risk-based refusal sparingly and always with clear rationale and alternatives
Participates in product and innovation planning ceremonies, architecture reviews, and sprint planning to ensure security is considered as part of delivery, not separate from it
Proactively brings forward safe AI and emerging technology recommendations to business and technology stakeholders, acting as an advocate for innovation as much as a risk manager
Application Security & DevSecOps
Oversees BCI's application security program, including security design reviews, threat modelling, secure code practices, and DevSecOps pipeline integration
Leads and develops the application security engineer(s) responsible for AppSec assessments and DevSecOps support
Ensures that application security findings are communicated in tiered, risk-prioritized formats that enable product owners to make informed decisions efficiently
Establishes and maintains a library of reusable secure-by-design patterns for common technology categories including SaaS onboarding, AI solution deployment, API integrations, and cloud-native development
Product & AI Risk Assessment
Owns the security risk assessment process for new software, vendor onboarding, and AI use cases, ensuring assessments are completed within defined SLA targets by risk tier
Develops and maintains a tiered review model that distinguishes between low, medium, and high risk technology requests, providing fast-track pathways for lower-risk items and focused scrutiny for higher-risk ones
Produces clear, business-ready risk assessment outputs that identify residual risk, recommend controls, and present risk acceptance decisions to the appropriate decision owner
Maintains accountability for the Security Risk Assessment Contractor relationship, ensuring vendor assessments are completed to standard and on time
Delivery Coordination & Intake
Oversees the security intake and delivery coordination function, ensuring that new technology and AI requests are triaged, prioritized, and progressed through a visible and predictable queue
Manages the Security Engineer responsible for sprint and quarterly planning and intake coordination, ensuring the team's delivery cadence is transparent to technology and business stakeholders
Establishes and publishes SLA commitments for security reviews by risk tier and monitors performance against these commitments
Risk Communication & Escalation
Frames all security risk in terms of business impact, likelihood, regulatory implication, and cost, providing decision-ready recommendations rather than problem statements
Exercises delegated authority to approve residual risk within BCI's defined risk appetite thresholds, escalating out-of-appetite risks to the VP, Cyber Security with a clear recommendation
Reduces the volume of security impasses escalated to the VP, Cyber Security by resolving working-level conflicts through facilitated risk acceptance, pattern reuse, or phased implementation approaches
Team Leadership & Culture
Leads, coaches, and develops a small team of security professionals with a focus on building business acumen, communication skills, and collaborative problem-solving alongside technical capability
Models and reinforces a security culture characterized by partnership, pragmatism, and proactive engagement
Performs other related duties and special projects as required
This role will be based in our office in downtown Victoria, BC. We are an in-person collaborative organization with the flexibility to work remotely one day a week.
The annualized base salary range for this Victoria-based role is CAD $135,000-$160,000.
BCI offers a competitive total rewards package, including a performance-based incentive plan, comprehensive health & dental benefits, a defined benefit pension plan, and paid time off. We pay our people competitively in the markets in which we operate and with consideration for internal equity and job structure. The base salary will consider factors such as the individual's skill set, experience, and internal equity. We aim for actual pay to be around the market median for expected performance and the upper quartile for excellent performance. Actual salaries may vary based on experience and expertise.
Next Steps:
To apply online, please submit your resume promptly. Applications will be actively reviewed, and those selected for an interview will be contacted. We welcome all qualified candidates who are legally authorized to work in the country where this job is located. If you do not have authorization, or if your work permit has restrictions or is due to expire within 12 months, please inform our recruitment team if shortlisted.
At BCI, we value diversity and foster an inclusive culture where all employees can thrive. We are performance and client-focused, valuing integrity, and we want to know you if you share these values. We recognize that some skills can be learned on the job and encourage everyone to apply. If you require accommodations for the recruitment process, such as alternate formats of materials or accessible meeting rooms, please contact us at [email protected].
To learn more about working with BCI, including our comprehensive benefits packages, our commitment to equity, diversity and inclusion, and the recruitment process, visit our BCI Careers Page.
BCI does not accept unsolicited resumes or candidate submissions from third-party recruitment agencies, executive search firms, or staffing suppliers unless they have an existing contractual agreement with our organization. Our approved vendor relationships are established for particular recruitment requirements and do not extend to general job postings on our website or other platforms. Any candidate information or resumes submitted by suppliers not approved by BCI will be deemed unsolicited and will not be reviewed or considered. BCI will not be liable for any fees, commissions, or charges related to unsolicited candidate submissions or recruitment services.