AI Product Security Manager

Thomson Reuters•Toronto, ON

6d•Hybrid

About The Position

This position is open due to an existing vacancy to support our evolving business needs. Are you excited by the opportunity to secure products used by millions of professionals around the world? Join Thomson Reuters as a Manager, Product Security, where you will lead a senior team building the platforms, programs, and tooling that secure our products end-to-end. The Product Security Manager leads our Product Security Core team, a group of senior engineers responsible for scaling security across Thomson Reuters' product portfolio. In this role, you will own the Secure Software Development Lifecycle for products, including threat modeling, security testing, software supply chain integrity, vulnerability identification and remediation, and secure design patterns. You will also lead our Secure AI program for AI-powered features shipped to customers, including how we review, red-team, and protect AI capabilities in production. You will partner closely with product engineering, platform engineering, Security Architecture, GRC, IAM, Detection & Response, and business leaders to make security a seamless developer experience. This includes building self-service tools, automation, APIs, and AI-powered security capabilities that help thousands of engineers ship securely.

Requirements

8+ years of experience in product security, application security, or software security engineering, including experience leading or managing senior security engineers.
Demonstrated ownership of a Secure SDLC program across a multi-product engineering organization, including threat modeling, secure design, security testing, vulnerability management, and software supply chain security.
Hands-on experience with at least one major cloud platform, such as AWS, Azure, or Google Cloud, including identity, networking, secrets management, data protection, and logging.
Strong software engineering instincts, with the ability to read and write code in Python, Go, or similar languages and engage credibly with senior engineers on design and implementation.
Working knowledge of GenAI and LLM security, including prompt injection, model and data integrity, agent and tool-use security, and AI supply chain considerations.
Experience scaling security through developer-friendly tools, APIs, automation, self-service platforms, and CI/CD-native controls.
Excellent written and verbal communication skills, with the ability to influence senior engineering leaders and translate technical risk into business decisions.

Nice To Haves

Hands-on familiarity with Google Cloud security.
Experience securing AI/ML platforms, such as Claude Agent SDK, Vertex AI, SageMaker, Bedrock, Azure AI, or self-hosted environments.
Experience building or operating AI security capabilities, including AI red teaming, automated threat modeling, LLM security testing, or AI agents for security automation.
Knowledge of software supply chain security, including SBOM, SLSA, provenance, attestation, and workload identity.
Familiarity with industry frameworks such as OWASP ASVS/SAMM, NIST CSF and SSDF, OWASP LLM Top 10, and MITRE ATLAS.
Experience with security at scale across containers, Kubernetes, Infrastructure as Code such as Terraform or CDK, and modern CI/CD environments.
Relevant security certifications such as OSCP, OSWE, CKA/CKS, GCP Professional Cloud Security Engineer, or AWS Security Specialty.
Industry contributions such as open-source projects, conference talks, working group participation, including CoSAI or OWASP, or research publications.

Responsibilities

Lead and grow the Product Security team, managing, coaching, and developing a team of senior Product Security Engineers covering the full Secure SDLC across Thomson Reuters' product portfolio.
Own and execute the Product Security program, including threat modeling, secure design, secure code reviews, security testing, software supply chain security, and vulnerability remediation across multiple products and cloud platforms.
Lead Secure AI for products, defining how Thomson Reuters secures AI-powered customer features through Secure AI design reviews, AI red teaming, runtime protections, and actionable security patterns.
Build and operate security automation and AI-enabled capabilities, including automated threat modeling, AI remediation agents, LLM security testing, and MCP-based capabilities for engineering teams.
Scale security as a developer experience by delivering self-service security tooling, APIs, CI/CD-native controls, clear standards, implementation guidance, and security champion programs.
Operate a security data and analytics layer that supports risk-based prioritization and measurable security outcomes across the enterprise.
Partner across security, engineering, and the business to align priorities, support compliance requirements, and translate technical risk into business impact for senior leaders.

Benefits

Flexible hybrid working environment (2-3 days a week in the office depending on the role)
Flex My Way policies designed to help manage personal and professional responsibilities
Work from anywhere for up to 8 weeks per year
Career Development and Growth opportunities
Grow My Way programming
Skills-first approach
Flexible vacation
Two company-wide Mental Health Days off
Access to the Headspace app
Retirement savings
Tuition reimbursement
Employee incentive programs
Resources for mental, physical, and financial wellbeing
Two paid volunteer days off annually
Opportunities to get involved with pro-bono consulting projects and Environmental, Social, and Governance (ESG) initiatives