MTS Manager

Finite State
$190,000 - $215,000 | Remote

About The Position

Finite State partners with product security teams to create transparency for their connected devices and supply chains. Our platform handles connected devices and embedded systems across all industries. We are a fast-growing series-B company with a fully distributed workforce, committed to a remote-first culture.

The Manager, Product Security Technical Managed Services is an operational leader accountable for hands-on management, planning, and delivery of various product security services including binary firmware analysis, device penetration testing, threat and risk assessments (TARAs), SBOM/SCA generation, vulnerability response coordination, triage and remediation, and long-term engagement support. This role drives the operational design and scale of new managed services like PSIRT-as-a-Service (PSIRTaaS) and EU Cyber Resilience Act (CRA) compliance. The position is a direct people manager responsible for hiring, onboarding, mentorship, performance management, capacity planning, skills development, and utilization optimization. The role is also customer-facing, accountable for engagement quality, technical accuracy, schedule adherence, customer satisfaction, renewal, and expansion. Additionally, the manager will act as a cross-functional partner to Product, Engineering, Sales, Marketing, Legal, and Regulatory Advisory Services, channeling field experience into platform requirements, go-to-market enablement, and regulatory positioning.

Requirements

  • Bachelor's degree in Computer Science, Mathematics, Physical Sciences, Electrical/Computer Engineering, or equivalent demonstrable experience and certifications.
  • Minimum 8 years of relevant experience in product security, embedded/connected device security, application security, or offensive security — a meaningful portion delivered in a customer-facing services, consulting, or managed services context.
  • Minimum 4 years of direct people management experience, including hiring, performance management, mentorship, and team development.
  • Demonstrated experience standing up new service offerings or productizing technical capabilities within a managed services or information technology environment is strongly preferred.
  • Hands-on technical depth in two or more of: binary/firmware analysis, penetration testing of embedded or IoT systems, threat modeling and TARA, SBOM and software composition analysis, vulnerability management and disclosure (CVE/CNA workflows), PSIRT/ESIRT operations.
  • Deep working knowledge of connected and embedded device security, including firmware, microcontrollers, wireless SoCs, RTOS environments, and integrated IoT systems.
  • Hands-on familiarity with binary and firmware analysis tooling and methodology (Ghidra, IDA, Binary Ninja, radare2, and platform-driven equivalents).
  • Strong understanding of SBOM standards (SPDX, CycloneDX), VEX, software composition analysis, and vulnerability correlation against CVE/CPE/PURL.
  • Strong understanding of vulnerability disclosure and PSIRT operating models, including ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling), CVSS v3.1/v4, and CNA operating procedures.
  • Familiarity with offensive security methodology applied to embedded systems, including hardware-adjacent attacks (fault injection, side-channel concepts, debug interface exploitation) at a depth sufficient to scope, review, and quality-control the work.
  • Working knowledge of TARA methodologies (ISO/SAE 21434 for automotive, IEC 62443-3-2 for industrial, MITRE ATT&CK and EMB3D where applicable).
  • Working knowledge of applied cryptography, secure protocols, secure boot, secure update, and key management as applied to embedded systems.
  • Ability to ramp quickly on AI and agentic AI platforms and productivity systems; familiarity with the automated firmware/binary analysis platform category and AI-assisted vulnerability triage is preferred.
  • Working knowledge of EU Cyber Resilience Act (CRA), including Annex I essential requirements, vulnerability handling obligations, conformity assessment routes, and post-market surveillance expectations.
  • Working knowledge of IEC 62443, ETSI EN 303 645, NIST IR 8259 series, NIST SSDF (SP 800-218), and US Executive Order 14028 / OMB M-22-18 SBOM requirements.
  • Familiarity with ISO 27001, SOC 2 Type I/II, and adjacent compliance regimes as they apply to a managed services delivery organization.
  • Demonstrated ability to design and operate service delivery functions to defined SLAs, SLOs, and quality standards.
  • Demonstrated ability to manage utilization, capacity, and engagement profitability in a billable services context.
  • Strong project and program management capability.
  • Excellent written and verbal communication skills; operates fluently with executives, technical individual contributors, customer technical staff, customer executives, regulators, and partners.
  • Strong people leadership: hiring, coaching, performance management, conflict resolution, and team building in a fully remote environment.
  • Demonstrated ability to translate technical findings into business and regulatory consequences for non-technical stakeholders.
  • Customer-facing executive presence: owns escalations, leads difficult conversations, and represents Finite State at the most senior levels of customer organizations.
  • One or more of the following is required: CISSP, CSSLP, CCSP, GIAC (GPEN/GXPN/GREM/GICSP), OSCP, or equivalent demonstrated technical depth.
  • Familiarity with vulnerability analysis and reverse engineering tools.
  • Familiarity with SAST/DAST/IAST tooling categories.
  • Familiarity with offensive security tooling.
  • Familiarity with collaboration and delivery tooling.
  • Comfort operating in a fully remote, cloud-only company environment.

Nice To Haves

  • Advanced degree desirable.
  • One or more of the following is desirable: CISM, CRISC, CISA, ISO/IEC 27001 Lead Auditor or Lead Implementer, IEC 62443 Cybersecurity Expert, PMP/PgMP, ITIL Foundation or higher.

Responsibilities

  • Manages day-to-day execution of all active managed technical services customer engagements, ensuring delivery quality, technical accuracy, schedule adherence, and consistent application of Finite State methodology.
  • Owns the full engagement lifecycle: scoping, statement of work, kickoff, execution, deliverable review, customer communications, and renewal/expansion planning.
  • Establishes, maintains, and continuously improves service delivery playbooks, technical methodologies, deliverable templates, peer review gates, and quality acceptance criteria.
  • Drives consistent integration of the Finite State automation platform into every engagement, ensuring platform capabilities are leveraged and field experience feeds the platform roadmap.
  • Defines, monitors, and reports Service Level Agreements (SLAs), Service Level Objectives (SLOs), and engagement-level KPIs including billable utilization, time-to-deliverable, defect/escape rates, customer satisfaction (CSAT/NPS), and renewal rate.
  • Acts as senior technical escalation point for engagement issues, customer concerns, and complex or contested technical findings.
  • Leads operational design and standup of new product security managed service offerings — PSIRTaaS, EU CRA sustainable compliance, and other emerging services — including process design, runbook authoring, tooling integration, staffing model, pricing inputs, contractual scaffolding, and SLA framework.
  • Partners with Product to ensure platform capabilities required for new managed services are scoped, prioritized, instrumented, and operationalized for service delivery.
  • Designs and operates the customer-facing PSIRTaaS function: continuous vulnerability monitoring, automated and human-assisted triage, advisory issuance, CVE coordination, customer disclosure workflow, remediation tracking, and post-disclosure verification.
  • Builds the operating model for sustainable EU CRA compliance services: conformity assessment support, Annex I essential requirements mapping, vulnerability handling obligations, technical documentation maintenance, and post-market surveillance support.
  • Hires, onboards, develops, mentors, and retains a team of product security engineers and analysts across multiple technical disciplines.
  • Sets individual performance objectives aligned to team and company OKRs; conducts regular 1:1s, delivers ongoing performance feedback, runs formal review cycles, and addresses performance issues directly and constructively.
  • Builds and maintains team capacity plans and skills inventories; identifies gaps and drives hiring, cross-training, certification, and external training plans to close them.
  • Manages utilization across the team to balance billable engagement work, capability development, and reserved capacity for new service launches and surge demand.
  • Cultivates a culture of technical excellence, intellectual honesty, customer empathy, peer review, and continuous learning; fosters psychological safety in a fully remote operating environment.
  • Serves as senior delivery contact and trusted technical advisor for strategic customer accounts; owns the technical health of those relationships.
  • Leads recurring service reviews, escalation discussions, and quarterly business reviews; ensures customer outcomes are visible, measurable, and tied to renewal and expansion narratives.
  • Partners with Sales on scoping, statements of work, pricing alignment, and pre-sales technical engagement; provides expert input to deal qualification and risk.
  • Identifies and qualifies expansion opportunities (additional products, additional service lines, multi-year commitments) and works with Sales to convert them.
  • Owns operational delivery against the Services ARR plan; accountable for margin discipline, utilization targets, and forecast accuracy.
  • Provides input to pricing, packaging, and capacity planning for current and new service offerings.
  • Tracks and reports delivery cost, gross margin per engagement, write-down and write-off rates, and other services-economics metrics; surfaces structural issues with concrete remediation proposals.
  • Produces timely, accurate forecasts of staffing, hiring, and external contractor needs against the demand pipeline.

Benefits

  • Equity
  • Benefits