The Software Supply Chain SME serves as the technical authority responsible for securing the end-to-end software supply chain, ensuring the integrity, provenance, and risk posture of all code, dependencies, and artifacts across the SDLC. This role defines and enforces security standards, integrates controls within CI/CD pipelines, and leads enterprise initiatives such as SBOM adoption, artifact signing, and open-source risk management. The SME partners with AppSec, DevSecOps, and engineering teams to embed secure development practices, drive vulnerability remediation, and enhance developer enablement—while providing governance, metrics, and strategic guidance to reduce supply chain risk at scale.

Core Responsibilities

• Define and own enterprise software supply chain security strategy, roadmap, and governance

• Establish policies and guardrails for SBOM, artifact signing, provenance, and dependency usage

• Embed security controls across SDLC, CI/CD pipelines, and artifact repositories

• Implement and enforce SBOM generation, validation, and artifact integrity controls

• Collaborate with stakeholders and lead risk-based vulnerability management for open-source and third‑party components

• Collaborate with stakeholders and define remediation workflows, SLAs, and exception handling for supply chain risks

• Own tooling strategy for SCA, container scanning, and supply chain security automation

• Integrate and optimize security tooling within CI/CD for scalable enforcement

• Maintain inventory and visibility of dependencies, SBOMs, and third-/fourth-party exposure

• Partner with AppSec, DevSecOps, and platform teams to drive secure development adoption

• Enable developers via playbooks, guardrails, and self-service secure consumption patterns

• Define metrics and report on supply chain risk posture, remediation effectiveness, and maturity

Nice-to-Have

• Experience with AI/ML pipeline security

• Exposure to AIBOM / advanced SBOM evolution

• Knowledge of zero-trust supply chain models

Qualifications

• Minimum of five years related work experience.

• Undergraduate degree or equivalent combination of training and experience. Graduate degree preferred.

• 7–10+ years in AppSec / DevSecOps / platform security

• Hands-on experience with SCA + pipeline security

• Certifications preferred (CISSP, CSSLP, AAISM or equivalent etc.)

• Programming/scripting (Python, Java, YAML)

Special Factors

Sponsorship

Vanguard is not offering visa sponsorship for this position.

About Vanguard

At Vanguard, we don't just have a mission—we're on a mission.

To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.

How We Work

Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.