Head of Product Security – CISO function - BPL

The Head of Product Security leads the pillar responsible for ensuring everything the company builds and ships is secure by design. This is the most agile-facing pillar in the CISO function — it must embed into product squads without becoming a bottleneck, own the shift-left programme, manage the developer security toolchain, and provide assurance that releases meet the organisation’s security and compliance requirements. The role requires a blend of technical depth, developer empathy, and pragmatic risk management. The ideal candidate is someone who understands application security at a hands-on level, has run a security champions programme in an agile engineering organisation, and knows how to make security a service that engineering teams want to use rather than a gate they try to avoid. You will work more closely with engineering leadership than with regulators — this is a builder’s role, not an auditor’s role.

Key Responsibilities

• Own and drive the shift-left security programme, ensuring security is integrated into the earliest stages of the software development lifecycle through threat modelling, secure design patterns, and automated tooling.
• Manage the security champions programme, recruiting, training, and supporting champions across all product squads.
• Own the developer security toolchain (SAST, DAST, SCA, secrets scanning) and ensure it is integrated into all CI/CD pipelines with minimal developer friction and calibrated thresholds to avoid noise.
• Establish and operate the vulnerability management lifecycle, including scanning orchestration, triage, prioritisation, SLA assignment, remediation tracking, and exception management.
• Chair the weekly Vulnerability Review Board, making prioritisation decisions on critical and high-severity findings in collaboration with engineering leads.
• Define and publish the security engagement model for product and engineering teams, including trigger points (new service, new integration, pre-release), SLAs, and escalation paths.
• Oversee threat modelling for new services and major changes, ensuring threat models are completed before development progresses beyond initial design.
• Own the security sign-off process for production releases, providing risk-based release decisions (approved, approved with conditions, deferred, escalated) rather than binary pass/fail gates.
• Provide self-service security capabilities to product teams: threat model templates, security stories backlog, secure coding guides, and accessible tooling documentation.
• Produce security assurance reporting for the CISO, including vulnerability trends, SDLC integration metrics, champion programme health, and developer satisfaction with security.
• Collaborate with Security Architecture and Engineering on the “paved road” of secure defaults, patterns, and base images that product teams build upon.
• Manage and develop the Product Security team, balancing deep technical capability with developer relations skills.

Key Deliverables

• Security champions programme with training curriculum, monthly meetup cadence, and recognition framework.
• Developer security toolchain fully operational and integrated into 100% of CI/CD pipelines.
• Vulnerability management dashboard with SLA tracking, ageing analysis, and trend reporting.
• Product security engagement model document (trigger points, SLAs, outputs, escalation paths).
• Security release certification process with standardised decision framework.
• Monthly product security report for CISO (vulnerability trends, tooling adoption, champion coverage, developer satisfaction).
• Threat model register with completion tracking and findings remediation status.
• Secure coding standards documentation for all primary programming languages.
• Developer security training curriculum and workshop materials.

Required Skills and Experience

• CSSLP, OSCP or similar certifications.
• Experience with PCI Software Security Framework (SSF) and its application to payment processing software.
• Previous career as a software engineer or developer before moving into security — you understand the developer experience from the inside.
• Experience with bug bounty programme management.
• Payments acquiring, FinTech, E-Pay - application security experience.
• Contributions to open-source security tools, OWASP projects, or published security research.
• Experience with security tooling for Kubernetes-native applications.
• Several years of progressive experience in application security or product security, with a number of years in a leadership role managing a product security or AppSec team.
• Deep understanding of modern application security: OWASP Top 10, API security (REST, gRPC, GraphQL), microservices security, container security, and secure coding practices.
• Proven experience building and running a security champions programme in an agile engineering organisation.
• Hands‑on experience with SAST, DAST, SCA, and secrets scanning tools and their integration into CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions, or equivalent).
• Experience managing a vulnerability management programme with defined SLAs, exception processes, and stakeholder reporting across multiple engineering teams.
• Strong developer empathy — demonstrable ability to work with engineering teams as a partner, not an adversary.
• Ideally you have a software development background yourself.
• Experience operating a security function within agile or DevOps delivery models, including sprint‑aligned engagement and security backlog management.
• Understanding of PCI DSS software security requirements and their practical application in a cloud‑native, microservices environment.
• Experience with threat modelling frameworks (STRIDE, PASTA, attack trees) and their application to modern architectures.
• Strong communication skills for influencing engineering leadership, presenting to executives, and writing clear guidance for developers.