Associate Director — Product & Application Security (EMEA)
Role Purpose
Lead and scale the Product & Application Security program for our products portfolio across EMEA. Own secure-by-design practices from architecture and threat modeling through DevSecOps in CI/CD, vulnerability management, and coordinated disclosure—enabling developer velocity without compromising risk posture. Align to our System Development & Application Security standards and reference patterns.
Key Outcomes
* Establish EMEA-fit Secure SDLC guardrails (requirements release gating) and publish reference architectures for authentication/authorization, secrets, cryptography, logging, and privacy.
* Embed DevSecOps controls in pipelines (SAST, SCA, secret scanning, IaC/K8s policy-as-code, SBOM generation, artifact signing and provenance) with measurable pass/fail criteria.
* Stand up product vulnerability management with SLA tiers, risk-based triage, and executive reporting.
* Launch an EMEA secure coding enablement track and developer champions program.
* Demonstrate compliance readiness for GDPR/NIS2 and AI-related controls applicable to product features.
Responsibilities
* Own AppSec architecture and threat modeling for high-risk services; review designs and third-party components.
* Define and enforce pipeline security controls; partner with Engineering to shift-left testing and automate gates.
* Govern SBOM standards and software supply-chain risk (open-source hygiene, provenance, signing).
* Lead vulnerability management and remediation orchestration across squads; partner with SRE for runtime hardening.
* Chair the Product Security Review Board for go-live exceptions and risk acceptance.
* Collaborate with Privacy/Legal on data protection by design; align with GRC on policy and control mapping.
* Mentor an EMEA AppSec team; provide matrix leadership across GDC and product squads.
Required Qualifications
* 10+ years in Application/Product Security; 3+ years leading programs at scale.
* Expertise with OWASP ASVS, threat modeling (STRIDE/ATT&CK), API security, and cloud-native architectures (Azure/AWS).
* Hands-on with SAST/SCA/DAST, IaC/K8s policy (e.g., OPA), container scanning, and SBOM tooling.
* Proven stakeholder management with Engineering, Product, and Platform teams.
* Relevant certifications such as CSSLP, CISSP, or CISM (preferred).
Preferred Qualifications
* Experience with AI/ML product risks (prompt injection, model supply chain, dataset governance).
* Familiarity with GDPR, NIS2, and secure disclosure practices.
Key Performance Indicators (KPIs)
* Builds passing security gates (%).
* MTTR for critical vulnerabilities.
* Coverage of threat models and reference patterns.
* SBOM completeness and policy adherence.
* Exception trend and closure rate.
LI-KS1