
Job Title:

Principal Product Security Architect

Company: Qualys

Location: Pune, Maharashtra

Created: 2026-03-14

Job Type: Full Time

Job Description:

Role Overview

We are seeking an experienced Principal Product Security Architect to join our Product Security team as a player-coach, combining hands-on technical leadership with strategic security guidance. This role will drive security excellence across our product portfolio through risk assessment, architecture reviews, threat modeling, and by establishing secure development patterns that enable engineering teams to build security in from the start. You will serve as a trusted advisor to engineering leadership while remaining deeply technical and creating tangible security artifacts that scale across the organization.

Key Responsibilities

Security Architecture & Risk Assessment
- Partner with engineering teams early in the design process to embed security controls and minimize remediation costs
- Conduct comprehensive architecture reviews for major changes, new features, services, and products, identifying security risks and recommending mitigations
- Perform architecture reviews and threat modeling exercises using frameworks such as STRIDE and/or attack trees to systematically identify and prioritize threats
- Author risk assessment reports for executive leadership, product management, and engineering stakeholders, translating technical findings into business impact
- Develop specific, timely, and thoughtful requirements and solution improvements that manage the risks identified in your assessment
- Build and maintain reference architectures that demonstrate secure design patterns for common use cases (microservices, APIs, data pipelines, etc.)

Security at Scale
- Create and publish secure code snippets, libraries, and design patterns that serve as "paved pathways" for development teams
- Maintain a library of security patterns addressing common vulnerabilities (injection flaws, authentication weaknesses, cryptographic failures, etc.) that developers can leverage as pre-built mitigations to classes of vulnerabilities
- Develop comprehensive security guidance documentation, including secure coding standards, cryptography guidelines, and authentication/authorization patterns
- Build reusable security components and frameworks that make secure development the path of least resistance
- Establish security architecture principles and guardrails that balance security requirements with developer velocity

Product Security Operations
- Actively use our products in realistic scenarios to identify security gaps, usability issues, and opportunities for security improvements
- Provide actionable feedback to product and engineering teams on security features, controls, and user experience
- Collaborate with the Product Security Incident Response Team (PSIRT) on vulnerability analysis and remediation strategies
- Support security assessment efforts including penetration testing, code reviews, and security tooling integration
- Contribute to security compliance initiatives (FedRAMP, NIST SSDF) through architecture documentation and control validation

Leadership & Stakeholder Management
- Represent Product Security in technical design reviews, architecture review boards, and risk committees
- Serve as a security thought leader across engineering, product, and executive teams
- Mentor security engineers and champion security champions within development teams
- Build strong relationships with engineering leadership to influence security strategy and priorities
- Present security architecture decisions, risk trade-offs, and recommendations to senior leadership
- Drive cross-functional initiatives that improve security posture while maintaining development velocity

Qualifications

Requirements
- 13+ years of experience in information security with at least 5 years focused on product security, application security, or security architecture
- Deep expertise in secure software development lifecycle (SDLC) practices and modern development frameworks
- Proven experience conducting threat modeling and risk assessments for complex distributed systems
- Strong understanding of common vulnerability classes (OWASP Top 10, CWE Top 25) and secure coding practices across multiple languages
- Demonstrated ability to write production-quality code and create technical security guidance for engineering teams
- Experience building reference architectures, libraries, and automations that address security at scale
- Excellent written and verbal communication skills with the ability to tailor messaging for technical and executive audiences
- Track record of influencing engineering practices and building trust with development teams

Preferred Qualifications
- Experience with cloud-native architectures (AWS, Azure, GCP) and container security (Kubernetes, Docker) as well as large-scale private cloud deployments
- Experience assessing and securing Java platforms, event-driven architectures, and data security in multi-tenant SaaS solutions
- Knowledge of cryptography, PKI, authentication protocols (OAuth 2.0, SAML, OIDC), and identity management
- Background in security compliance frameworks (NIST SP 800-53, NIST SSDF)
- Certifications such as CISSP, CISSP-ISSAP/TOGAF would be an added advantage
- Contributions to open-source security projects or published security research
- Familiarity with Infrastructure as Code (Terraform) and Policy as Code (OPA)
- Experience with security automation, SAST/DAST tools, and security testing frameworks
- Security certifications such as CISSP, OSCP, GIAC, or similar credentials
- Experience working in regulated industries (government, healthcare, financial services)

Skills
- Communication: Both verbal and written communication skills are key, as is the ability to explain why security improvements are needed
- Languages: Proficiency in at least two of: Java, Python, Go, React
- Security Tools: Experience with threat modeling tools, SAST/DAST scanners, dependency checkers, and security testing frameworks
- Architecture: Deep understanding of microservices, APIs, event-driven systems, and distributed architectures
- Security Controls: Expertise in authentication, authorization, encryption, secrets management, and secure communications
- Methodologies: Threat modeling (STRIDE), risk frameworks (FAIR, NIST RMF), secure design principles (least privilege, defense-in-depth, zero trust)
