Director, Product Security & Incident Response

About The Position

Requirements

• Minimum of 10+ years of progressive experience in Information Security, with at least 5 years in a senior leadership role (Director/VP) managing multi-disciplinary teams (e.g., Offensive Security, AppSec, Incident Response).
• Demonstrable experience developing and executing a multi-year security roadmap that aligns technical controls with enterprise business objectives and risk tolerance.
• Proven ability to communicate complex technical risks and metrics (e.g., detection coverage, drift rate, remediation velocity) to executive leadership (ELT) and the Board of Directors, effectively translating security posture into business language.
• Deep, hands-on experience leading and maturing an Offensive Security (Red Team) function, specifically conducting Adversary Simulation and Threat-Led Defense operations.
• Expertise in Cloud-Native Security Architecture across major providers (AWS and/or Azure)
• Extensive experience designing, implementing, and running a risk-based Vulnerability Management (VM) program at scale.
• Comprehensive knowledge of Secure Software Development Lifecycle (SSDLC) principles, including the successful implementation and integration of automated security testing tools (SAST, DAST, SCA) into CI/CD pipelines.
• Expert-level understanding of Incident Response (IR) and CSIRT operations, including owning the IR process, coordinating complex incidents, and driving continuous improvement through post-mortem analysis and rigorous drilling.
• Direct experience with "Purple Teaming" methodologies to improve the efficacy of detection and response capabilities in collaboration with security engineering and operations teams.
• Exceptional talent acquisition, development, and retention skills, with a focus on mentoring high-performing, specialized security professionals in highly competitive domains (e.g., Offensive Security, AppSec).
• Demonstrated ability to build a positive, high-trust team culture that emphasizes psychological safety, continuous learning, and cross-functional collaboration.
• Proven ability to drive consensus and influence change across engineering and product organizations without direct authority.
• Experience in aligning security practices with regulatory and compliance frameworks such as SOC 2, ISO 27001, or similar.

Responsibilities

• Unified Security Vision: Develop and execute a roadmap that integrates the Secure SDLC with continuous adversary simulation. Ensure that findings from Offensive Security (Red Team) exercises are directly incorporated into the Product Security backlog.
• Board-Level Communication: Translate complex technical metrics (Drift, Detection Coverage) into business risk narratives for the executive leadership team (ELT) and the Board of Directors.
• Talent Development: Recruit, mentor, and retain top-tier talent in highly competitive fields (Offensive Security, AppSec). Build a culture of psychological safety where failure is viewed as a learning opportunity.
• Resilience Testing: Lead the Offensive Security team to conduct "Threat-Led Defense" operations. Simulate realistic APT campaigns to test the organization's ability to withstand and recover from attacks.
• CSIRT Readiness: Own the Incident Response capability for the company. Drive continuous improvement in incident response through rigorous drilling and automation.
• Drift Management: Implement automated systems to measure and remediate Configuration Drift and Detection Drift across the enterprise.
• Purple Teaming: Institutionalize collaboration among Offensive Security Analysts, CSIRT analysts, the broader Security Department, and other parts of the company to validate and tune detection logic in real time.
• Secure Infrastructure: Direct the security architecture for our cloud-native environment (AWS and Azure), ensuring immutable infrastructure and strict IAM governance.
• Vulnerability Management (VM): Oversee a risk-based VM program that prioritizes remediation based on exploitability and asset criticality.
• Regulatory Alignment: Ensure the product architecture supports SOC 2 and other regulatory requirements through partnership with our Governance team.
• AppSec Integration: Champion the use of automated security testing (SAST/DAST/SCA) within our engineering pipelines.

Benefits

• 100% remote work environment - since our founding in 2015
• Generous paid time off policy, including vacation, sick time, and paid holidays
• 12 weeks of paid parental leave
• Highly competitive and comprehensive medical, dental, and vision benefits plans
• 401(k) with a 5% contribution regardless of employee contribution
• Life and Disability insurance plans
• Stock options for all full-time employees
• One-time $500 reimbursement for building/upgrading home office
• Annual allowance for education and professional development assistance
• $75 USD/month digital reimbursement
• Access to the BetterUp platform for coaching, personal, and professional growth