Director, Product Security Architecture

About The Position

Requirements

• Significant experience (typically 10+ years) leading software, architecture, or application security initiatives in high-velocity R&D organizations, with a strong grounding in building and evolving complex software systems
• Strong application security and secure design literacy, whether from direct AppSec roles or from owning secure delivery of large-scale systems, including familiarity with common vulnerability classes, modern software architectures, and practical mitigation patterns
• Deep understanding of systemic product security risks in large-scale platforms, with expertise in at least some of: CI/CD and pipeline security, software supply chain security, identity and access management (AuthN/Z), AI/ML security, or multi-tenant SaaS architectures
• Proven ability to operate effectively in constrained environments: balancing business goals and risk reduction, focusing attention on the highest-impact, hardest-to-reverse decisions, and framing options in terms of risk, cost, and customer impact rather than absolutes.
• Demonstrated success building trust with Product and Engineering Directors/VPs, influencing multi-quarter roadmaps, and co-owning outcomes rather than acting solely as a gate.
• Experience designing and rolling out scalable security patterns—standards, “paved roads,” and secure-by-default configurations—that reduce risk while minimizing additional toil for product and engineering teams.
• Experience collaborating with Compliance, Audit, and Security Operations on the definition, implementation, and demonstration of security controls and security-related quality standards, and translating technical designs into clear language for auditors, engineers, and senior leaders.
• Experience supporting organizations through significant technology and architectural change (e.g., adoption of new languages and frameworks, or evolution from monoliths toward microservices or domain-oriented architectures) while maintaining or improving security posture.
• Ability to operate at multiple altitudes—from executive-level strategy and stakeholder alignment down to detailed technical design discussions when necessary—with excellent written and verbal communication in an all-remote, asynchronous environment.
• Comfort with AI-augmented workflows and enthusiasm for leveraging tools like GitLab Duo to scale the Product Security Architecture function, along with strong alignment to GitLab’s values and a track record of thriving in a highly collaborative, remote-first culture.

Nice To Haves

• Experience with security requirements and frameworks relevant to GitLab’s customers (e.g., FedRAMP, ISO 27001, SOC 2, PCI-DSS)
• prior experience in organizations undergoing significant scaling, reorganization, or operating model transformation

Responsibilities

• Lead, develop, and mentor a team of Product Security Architects and closely-aligned specialists who are dedicated to major product functional areas (e.g., Sec Section, AI, Core DevOps)
• Own and continuously evolve the Product Security Architecture strategy and partnership model, shifting architects from embedded consultants to accelerators of secure architecture delivery, and serve as a strategic partner to Product and Engineering Directors/VPs
• Oversee and mature the Product Security Risk Register, ensuring systemic product security risks are clearly articulated, prioritized with Product and Engineering, and paired with multi-quarter risk reduction plans that reduce long-term product security debt.
• Operate Product Security Architecture in a risk-aligned, business-enabling way that focuses Security Architects on the highest-impact, hardest-to-change architectural decisions, helping teams make clear, informed tradeoffs without slowing delivery.
• Define and drive security visions, standards, “paved roads,” and secure-by-default platform behaviors and configurations that enable product teams to make sound security decisions with minimal overhead, including evolving existing behaviors over time to strengthen the baseline security posture.
• Lead the Product Security AI strategy for scaling, including adoption of AI-assisted and platform-level investments that expand security review coverage, reduce toil, and support non-linear developer gains while enabling developer velocity.
• Partner with Application Security, Infrastructure Security, Security Research, Security Operations, Security Risk, and Security Compliance on end-to-end risk reduction, including security-related controls, quality standards, and integration of research and operational learnings into architectures.
• Define and track meaningful architecture-related metrics and Key Risk Indicators, and represent Product Security in cross-functional forums, clearly articulating risk, tradeoffs, and recommended paths forward.

Benefits

• Benefits to support your health, finances, and well-being
• Flexible Paid Time Off
• Team Member Resource Groups
• Equity Compensation & Employee Stock Purchase Plan
• Growth and Development Fund
• Parental leave
• Home office support