Ready to make your next big professional move? Join us on our journey to achieve our big dream of building the most loved restaurant brands in the world.
Restaurant Brands International Inc. is one of the world's largest quick service restaurant companies with nearly $45 billion in annual system-wide sales and over 32,000 restaurants in more than 120 countries and territories.
RBI owns four of the world's most prominent and iconic quick service restaurant brands – TIM HORTONS®, BURGER KING®, POPEYES®, and FIREHOUSE SUBS®. These independently operated brands have been serving their respective guests, franchisees and communities for decades. Through its Restaurant Brands for Good framework, RBI is improving sustainable outcomes related to its food, the planet, and people and communities.
RBI is committed to growing the TIM HORTONS®, BURGER KING®, POPEYES® and FIREHOUSE SUBS® brands by leveraging their respective core values, employee and franchisee relationships, and long track records of community support. Each brand benefits from the global scale and shared best practices that come from ownership by Restaurant Brands International Inc.
The Principal Engineer, Application Security is a senior member of RBI’s Cybersecurity Engineering organization, responsible for designing, implementing, and continuously improving the application and product security program across RBI’s global brands and shared digital platforms (including Tim Hortons Digital).
This role serves as the security focal point for all product and cloud application security, partnering with global engineering and IT teams to ensure that security is embedded into every phase of the SDLC — from design and build to deployment and operation. The successful candidate will combine deep technical security expertise with strong leadership, program management, and collaboration skills to advance RBI’s secure-by-design culture.
This position is based in Toronto, ON and is in the office 5 days a week.
Role & Responsibilities
Program Leadership
- Lead the end-to-end Cloud and Application Security program, including strategy, tools, processes, and governance.
- Develop and maintain a balanced AppSec program aligned with enterprise risk priorities and industry standards (NIST CSF, PCI DSS, OWASP SAMM).
- Establish and manage AppSec metrics, dashboards, SLAs, and KPIs to measure risk reduction and program maturity.
- Own and operate the Security Champions Program to drive secure coding practices across development teams.
Secure Development & SDLC Integration
- Partner with software engineering, DevOps, and QA teams to integrate security into the SDLC and CI/CD pipelines.
- Lead threat modeling, secure code reviews, and automated scanning (SAST, DAST, SCA, secret scanning, dependency management).
- Define security requirements for application design, access, and data protection aligned with role-based access control and least privilege principles.
- Maintain and enhance security testing pipelines integrated with modern development frameworks (Agile, Scrum, Kanban).
Vulnerability Management & Incident Response
- Manage vulnerability detection, triage, and remediation workflows in tools such as Jira and GHAS.
- Conduct or advise on application penetration testing, vulnerability analysis, and validation.
- Support incident response for application-related vulnerabilities, ensuring appropriate containment, communication, and root cause analysis.
Cloud Security & Architecture
- Collaborate with Enterprise Architecture and Cloud teams to ensure AWS security best practices are applied consistently across environments.
- Support AWS IAM governance, account structure (AWS Organizations), and services such as GuardDuty, Shield, and Inspector.
- Evaluate and recommend application security tools and services for cloud and on-prem environments.
Compliance & Risk Management
- Partner with Product, IT, and Compliance teams to support audits and assessments (PCI DSS, NIST, SOX).
- Provide evidence, documentation, and technical validation for internal and external audits.
- Participate in third-party risk reviews, ensuring secure integration of vendor applications and APIs.
Qualifications & Skills
- 7+ years’ experience in Application Security, Secure Software Development, or Software Architecture.
- Strong understanding of cloud-native architectures (AWS required; GCP or Azure a plus).
- Proficiency in at least one programming language (e.g., Python, Node.js, JavaScript).
- Solid grasp of application architectural patterns (Microservices, Event-driven, RESTful APIs).
- Demonstrated experience leading AppSec toolchains (SAST, DAST, SCA, secrets scanning).
- Proven ability to collaborate across teams (Security, Engineering, QA, Compliance, Enterprise Architecture).
- Strong analytical, problem-solving, and communication skills across both technical and executive audiences.
- Certifications: CISSP, CCSP, CISM, or AWS Security Specialty preferred.
- Experience developing or managing CI/CD-integrated security tooling.
- Familiarity with vulnerability scoring and management frameworks (CVSS, KEVs, CVDs).
- Experience establishing software development and security policies across a global enterprise.
- Prior experience working with security automation and orchestration tools.
#TimHortons
Benefits at all of our global offices are focused on physical, mental and financial wellness. We offer unique and progressive benefits, including a comprehensive global paid parental leave program that supports employees as they expand their families, free telemedicine and mental wellness support.
Restaurant Brands International and all of its affiliated companies (collectively, RBI) are equal opportunity and affirmative action employers that do not discriminate on the basis of race, national origin, religion, age, color, sex, sexual orientation, gender identity, disability, or veteran status, or any other characteristic protected by local, state, provincial or federal laws, rules, or regulations. RBI's policy applies to all terms and conditions of employment. Accommodation is available for applicants with disabilities upon request.