Product Security Lead

Aven Hospitality, Dallas, TX

About The Position

The Product Security Lead will own the security of the organization's products and supporting corporate functions and technology throughout the entire lifecycle, from ideation to decommissioning. This role works with the development, IT, and Aven Hospitality business operations teams to drive the Secure Software Development Lifecycle (SSDLC), ensures secure-by-design principles, manages supply chain risks, and addresses emerging threats like AI vulnerabilities and software bill of materials (SBOM) requirements, balancing security with velocity and innovation. This role will act as a subject matter expert (SME) and liaison between cybersecurity and the business team in the implementation of enterprise information security policies, standards, and frameworks.

Requirements

  • Bachelor's degree in Cybersecurity, Computer Science, Software Engineering, or a related field (Master's preferred)
  • 7+ years of experience in cybersecurity, with at least 4 years focused on product security, application security, or secure development programs
  • Proven track record implementing SSDLC in agile/DevOps environments, including threat modeling (e.g., STRIDE) and tool integration
  • Strong knowledge of web, mobile, cloud-native, and API security, plus supply chain risks (e.g., SBOMs, SLSA)
  • Excellent leadership and communication skills to influence product roadmaps and educate cross-functional teams
  • Aptitude for understanding internal organizational environments and products and their relationship to the external business environment
  • Ability to develop a full and deep understanding of the Aven Hospitality business operations and product suite
  • Able to effectively analyze risk within the context of business problems

Nice To Haves

  • Certifications such as CISSP, CSSLP, OSCP, CASE, or relevant AppSec/DevSecOps credentials are highly desirable
  • Experience with identifying AI security risks
  • Familiarity with AI governance in products, software supply chain hardening, and automated vulnerability management

Responsibilities

  • Serve as an initial point of contact and liaison between the Cybersecurity team and other Aven Hospitality business departments for security-related topics (non-incidents)
  • Partner with product, commercial, and development teams to get strategic security projects prioritized and committed on the development roadmap
  • Participate in cybersecurity compliance work and risk and security assessments
  • Lead the implementation and maturation of the Secure Software Development Lifecycle (SSDLC/SDL), integrating security activities such as threat modeling, secure coding standards, SAST/DAST/SCA scanning, and penetration testing into DevSecOps pipelines
  • Partner with GRC and SOC teams for product security risk assessments, vulnerability management, and incident response for product-related vulnerabilities
  • Coordinate software supply chain security, including SBOM generation, third-party component risk analysis, and emerging AI Bill of Materials (AI BOM) practices for AI-integrated products
  • Collaborate with product owners, managers, engineering, and DevOps teams to embed security requirements, conduct architecture reviews, and champion secure-by-design principles
  • Evaluate and integrate AppSec tools (e.g., SAST, DAST, SCA, IAST) and automate security controls in CI/CD workflows
  • Drive compliance with secure development standards (e.g., OWASP, ISO 27001) and regulatory requirements for product security (e.g., PCI-DSS, EU AI Act, DORA)
  • Partner with GRC team for security training for developers, product teams, and stakeholders on current threats, including AI-generated code risks and supply chain attacks
  • Track and report on product security metrics, vulnerabilities, and posture to leadership
  • Stay ahead of trends like AI/ML vulnerabilities, post-quantum readiness in products, and software provenance verification
  • Lead cross-functional initiatives for product security improvements

Benefits

  • Very competitive compensation
  • Generous Paid Time Off (25 PTO days)
  • 8 Hours Annually Volunteer Time Off (VTO)
  • Comprehensive medical, dental, and wellness program
  • 12 weeks paid parental leave
  • An infrastructure that allows flexible working arrangements
  • Formal and informal reward, recognition and acknowledgement programs