Head of Product Security – CISO function - BPL in London

The Head of Product Security leads the pillar responsible for ensuring everything the company builds and ships is secure by design. This agile-facing pillar must embed into product squads without becoming a bottleneck, own the shift-left programme, manage the developer security toolchain, and provide assurance that releases meet the organisation’s security and compliance requirements. The role blends technical depth, developer empathy, and pragmatic risk management. The ideal candidate understands application security at a hands-on level, has run a security champions programme in an agile engineering organisation, and makes security a service that engineering teams want to use.

Key Responsibilities

• Own and drive the shift-left security programme, integrating security into the earliest stages of the software development lifecycle through threat modelling, secure design patterns, and automated tooling.
• Manage the security champions programme, recruiting, training, and supporting champions across all product squads.
• Own the developer security toolchain (SAST, DAST, SCA, secrets scanning) and integrate it into all CI/CD pipelines with minimal developer friction and calibrated thresholds.
• Establish and operate the vulnerability management lifecycle, including scanning orchestration, triage, prioritisation, SLA assignment, remediation tracking, and exception management.
• Chair the weekly Vulnerability Review Board, making prioritisation decisions on critical and high-severity findings with engineering leads.
• Define and publish the security engagement model for product and engineering teams, including trigger points, SLAs, and escalation paths.
• Oversee threat modelling for new services and major changes, ensuring completion before development progresses beyond initial design.
• Own the security sign-off process for production releases, providing risk-based release decisions rather than binary gates.
• Provide self-service security capabilities to product teams: threat model templates, security stories backlog, secure coding guides, and tooling documentation.
• Produce security assurance reporting for the CISO, including vulnerability trends, SDLC integration metrics, champion programme health, and developer satisfaction.
• Collaborate with Security Architecture and Engineering on secure defaults, patterns, and base images.
• Manage and develop the Product Security team, balancing deep technical capability with developer relations skills.

Key Deliverables

• Security champions programme with training curriculum, monthly meetup cadence, and recognition framework.
• Developer security toolchain fully operational and integrated into 100% of CI/CD pipelines.
• Vulnerability management dashboard with SLA tracking, ageing analysis, and trend reporting.
• Product security engagement model document (trigger points, SLAs, outputs, escalation paths).
• Security release certification process with standardised decision framework.
• Monthly product security report for CISO.
• Threat model register with completion tracking and findings remediation status.
• Secure coding standards documentation for all primary programming languages.
• Developer security training curriculum and workshop materials.

Required Skills And Experience

• CSSLP, OSCP or similar certifications.
• Experience with PCI Software Security Framework (SSF) and its application to payment processing software.
• Previous career as a software engineer or developer before moving into security.
• Experience with bug bounty programme management.
• Payments acquiring, FinTech, E-Pay application security experience.
• Contributions to open-source security tools, OWASP projects, or published security research.
• Experience with security tooling for Kubernetes-native applications.
• Several years of progressive experience in application security or product security, with a leadership role.
• Deep understanding of modern application security: OWASP Top 10, API security (REST, gRPC, GraphQL), microservices security, container security, and secure coding practices.
• Proven experience building and running a security champions programme in an agile engineering organisation.
• Hands-on experience with SAST, DAST, SCA, and secrets scanning tools integrated into CI/CD pipelines.
• Experience managing a vulnerability management programme with defined SLAs and stakeholder reporting.
• Strong developer empathy and partner orientation.
• Experience operating a security function within agile or DevOps delivery models.
• Understanding of PCI DSS software security requirements in cloud-native environments.
• Experience with threat modelling frameworks (STRIDE, PASTA, attack trees).
• Strong communication skills for influencing engineering leadership.