Director of Product Security
SailPoint is seeking a forward-leaning Director of Product Security to provide leadership and execution for an industry-leading Product Security program. As a provider of both SaaS and enterprise software for some the world’s most prestigious organizations, SailPoint strives for best-in-class security for its product offerings. This critical leadership role will be responsible for directing the Product Security team in order to achieve seamless integration of security with the Product Development organization. As part of a dynamic and impactful leadership team, you will be on point to ensure that SailPoint continues to deliver excellence in Product Security.
The ideal candidate will be highly collaborative and customer service oriented; driven to make security integration a near-frictionless experience for our developer community. The ideal candidate will have deep subject matter expertise in SSDLC, DevSecOps and Product or Application Security.
This is a challenging and impactful role with security responsibilities that span multiple product offerings. You will be directly responsible for delivering a comprehensive Product Security program (to include architecture, engineering, and operations (testing and vulnerability response)). This role reports directly to the CISO and can be remote or based in Austin, TX.
Responsibilities:
- Design and execute against a Product Security target operating model (people, process, and technology) that incorporates forward-leading SSDLC and DevSecOps best practices.
- Set the tone for the Product Security team culture leveraging best practices in highest performing team building.
- Partner closely with peers in Product Development to integrate security while also ensuring developer enablement.
- Direct the analysis, evaluation, and enhancement of the effectiveness of Product Security posture at procedural and technological levels.
- Use knowledge of current Product Security best practices and industry trends to lead the implementation of Product Security solutions.
- Provide strategic and technical leadership with respect to the development and execution of key Product Security services to our developer community, including:
- Conducting security assessments of applications (web, cloud, mobile) using range of manual and automated penetration testing and source code review techniques;
- Performing security architecture reviews of applications in design and production phases;
- Identifying potential threats and attacks to applications systems through threat modeling identifying security recommendations and aligning them to appropriate risk ranking systems.
Requirements:
- Extensive knowledge of the current Product Security threat landscape and industry best practices.
- Proven track record of solving complex Product Security issues and protecting products using a risk-based approach.
- Experience evaluating DevSecOps programs to determine how to embed security activities within and partnering to evolve development programs to embed Product Security tooling and processes.
- Experience working in Agile development, Product Security, Application Security, DevSecOps, or DevOps role, with experience in the following technologies:
- Containers (Docker, Kubernetes, or similar)
- Infrastructure as code (Vagrant, Docker, Ansible, Chef, Terraform, or similar)
- Continuous integration (Jenkins, Bamboo, Hudson, or similar.)
- Integration of Security testing tools into pipeline
- Defect tracking (Jira, Bugzilla, ServiceNow , or similar.)
- Source code management (GitLab, GitHub, BitBucket, or similar.)
- QA Testing tools (nUnit, jUnit, Selenium, Cucumber, or similar.)
- Application security testing tools (SAST, DAST, IAST, OSA, or similar.)
- Various *nix distributions
- Cloud environment (AWS, Azure, or similar)
- Experience in all of the following:
- Developing enterprise applications or scripts (writing code)
- Demonstrated ability to learn and adapt to different CI/CD systems and leverage them for automation as needed
- Performing manual application penetration testing
- Performing manual security code reviews
- Experience with compliance frameworks such as ISO27001, SOC2, SOX, GDPR.
- Experience supporting recruiting and team development.
- Ability to innovate and find creative solutions that balance the needs of the business with the needs of security.
- Effective executive functioning and presentation skills.
- Minimal travel (<10%).
Preferred:
- Bachelor’s degree in Computer Science, IT Security, Information Systems, Engineering, or related field and 7 years of related work experience, or a Master’s degree in Computer Science, IT Security, Information Systems, Engineering, or a related field and 5 years of related work experience.
- 2+ years of senior Product Security leadership experience.
- Certification as a Certified Information Security Systems Security Professional (CISSP), Certified DevSecOps Professional (CDP), GIAC Certified Web Application Defender (GWEB), GIAC Cloud Security Automation (GCSA), GIAC Web Application Penetration Tester (GWAPT), Certified Application Security Engineer (CASE), Certified Application Security Specialist (CASS), or Certified Secure Software Lifecycle Professional (CSSLP).
#LI-REMOTE
SailPoint is an equal opportunity employer and we welcome everyone to our team. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.