Sr. Security Engineer

Ready to make your next big professional move? Join us on our journey to achieve our big dream of building the most loved restaurant brands in the world.

Restaurant Brands International Inc. is one of the world's largest quick service restaurant companies with nearly $45 billion in annual system-wide sales and over 32,000 restaurants in more than 120 countries and territories.

RBI owns four of the world's most prominent and iconic quick service restaurant brands - TIM HORTONS, BURGER KING, POPEYES, and FIREHOUSE SUBS. These independently operated brands have been serving their respective guests, franchisees and communities for decades. Through its Restaurant Brands for Good framework, RBI is improving sustainable outcomes related to its food, the planet, and people and communities.

RBI is committed to growing the TIM HORTONS, BURGER KING, POPEYES and FIREHOUSE SUBS brands by leveraging their respective core values, employee and franchisee relationships, and long track records of community support. Each brand benefits from the global scale and shared best practices that come from ownership by Restaurant Brands International Inc.

We are seeking a Senior Security Engineer to lead the design and implementation of robust security practices across our engineering and cloud infrastructure. This role plays a critical part in securing our development lifecycle, infrastructure, and cloud-native environments. You will be responsible for building secure pipelines, improving detection capabilities, and mentoring team members, while continuously identifying and remediating security gaps.

Role & Responsibilities:

• Lead secure software development lifecycle (SDLC) practices across engineering teams.
• Design, implement, and maintain secure CI/CD pipelines, integrating tools for SAST, DAST, and dependency scanning (e.g., CodeQL, GitHub Advanced Security).
• Configure and maintain security in source control systems, preferably GitHub.
• Develop, maintain, and monitor security controls across cloud environments, with a strong preference for AWS.
• Configure and manage security logging and monitoring solutions, particularly SIEM tools.
• Guide secure infrastructure using Terraform and other Infrastructure-as-Code (IaC) tools.
• Ensure security in serverless environments and API-based architectures.
• Implement and support Zero Trust Network Architecture, working with SASE platforms and identity-based access controls.
• Deploy and manage DLP (Data Loss Prevention) strategies across cloud services, endpoints, and email.
• Build and maintain Standard Operating Procedures (SOPs) and engineering documentation, including internal guides, playbooks, and runbooks.
• Identify security gaps in systems, workflows, or architecture and develop actionable solutions to address them.
• Perform security investigations and respond to alerts; fine-tune detection rules to reduce false positives and increase detection accuracy.
• Build and implement automation to streamline and optimize repetitive security tasks and incident response procedures.
• Conduct threat modeling, risk assessments, and vulnerability management activities.
• Lead incident response and forensic investigations on both Windows and Linux systems.
• Work collaboratively with IT, DevOps, and engineering teams to drive security best practices.
• Guide and mentor junior team members, fostering a knowledge-sharing culture.
• Educate developers and engineers on OWASP Top 10 and secure coding standards.
• Stay current with evolving threats, tools, and techniques in cybersecurity and cloud computing.

Qualifications:

• 5+ years in security engineering with a strong application and cloud security background.
• Deep understanding of secure development practices and integrating security into the Software Development Life Cycle (SDLC).
• In-depth knowledge of OWASP Top 10, CWE, and secure web practices.
• Hands-on experience with:
• Code scanning tools: CodeQL, SAST/DAST, dependency scanners.
• CI/CD tooling: GitHub Actions, Jenkins, or similar.
• SIEM: Implementation and log ingestion (e.g., Splunk, ELK, or equivalent).
• Cloud security: AWS preferred; experience with IAM, VPCs, KMS, and other AWS services.
• Proven experience designing and implementing Zero Trust architectures and working with SASE platforms (e.g., Zscaler, Netskope, or Prisma Access).
• Strong experience with DLP solutions across endpoints, cloud, and messaging platforms.
• Strong grasp of networking protocols, TLS, DNS, HTTP, and web application architectures.
• Strong experience with both Linux and Windows environments.
• Experience with email security (e.g., DMARC, SPF, DKIM, phishing detection).
• Ability to create and maintain technical documentation, SOPs, playbooks, and automation scripts.
• Proficiency in scripting or programming languages (Python, Bash, JS, etc.).
• Familiarity with bug bounty platforms or responsible disclosure programs.
• Experience with security frameworks like Zero Trust, NIST 800-207, or ISO 27001.
• Infrastructure as Code: Terraform (primary), CloudFormation or others.
• Containers and orchestration: Docker, Kubernetes, including RBAC, pod security policies, etc.
• Serverless architectures: AWS Lambda or similar.

Benefits at all of our global offices are focused on physical, mental and financial wellness. We offer unique and progressive benefits, including a comprehensive global paid parental leave program that supports employees as they expand their families, free telemedicine and mental wellness support.

Restaurant Brands International and all of its affiliated companies (collectively, RBI) are equal opportunity and affirmative action employers that do not discriminate on the basis of race, national origin, religion, age, color, sex, sexual orientation, gender identity, disability, or veteran status, or any other characteristic protected by local, state, provincial or federal laws, rules, or regulations. RBI's policy applies to all terms and conditions of employment. Accommodation is available for applicants with disabilities upon request.