Staff Security Engineer - Product Security Risk & Metrics
An overview of this role:
We are seeking a Staff Security Engineer to join our Security Architecture team with a specialized focus on product security risk and metrics engineering. This position will develop specialized Key Risk Indicators (KRIs), design data collection systems, and create data visualizations that demonstrate our product security posture improvements, measure Product Security teams’ strategic and operational effectiveness, and drive data-informed security decisions. This engineer will also operationalize our Product Security Risk Register and drive cross-functional alignment across Security, Engineering, and Product stakeholders to ensure buy-in and commitment to risk reduction initiatives.
The ideal candidate combines product security expertise, data analysis expertise, and strong stakeholder management skills to build frameworks that enhance visibility, prioritization, and progress tracking of our product security initiatives.
What you'll do:
Create and maintain Key Risk Indicators (KRIs) specifically designed to measure, monitor, and communicate product security risk levels
Engineer tracking systems and data visualizations that monitor remediation progress and provide visibility into risk reduction initiatives
Apply data analysis techniques to identify trends and patterns in product security risk data to inform proactive risk management
Design and implement robust metrics collection systems that accurately measure both strategic and operational effectiveness for all Product Security teams
Build and maintain the operational systems for the Product Security Risk Register, focusing on efficient workflows and data collection
Manage operational cadences including the monthly risk review process and action item tracking workflows
Facilitate cross-team collaboration to ensure risk reduction efforts are properly coordinated and tracked
Drive cross-functional alignment between Security, Engineering, Product, and other stakeholders to ensure buy-in and commitment to risk reduction initiatives
Work alongside the Security Risk Team to ensure product-specific risk tracking aligns with broader operational and enterprise risk management programs while maintaining distinct focus areas
Serve as the central coordinator for the Product Security Risk Register operations, related metrics collection, and stakeholder reporting within the Security Architecture team
What you'll bring:
5+ years of experience in product security, DevSecOps, security risk management, data analytics, or related technical roles
Demonstrated understanding of secure development practices and product security risks
Proven experience developing and implementing security metrics, KRIs, and risk dashboards that drive organizational outcomes
Proven ability to translate complex security concepts into actionable data and visualizations
Proficiency with data visualization and analysis tools (e.g., Tableau, Power BI, or similar)
Proficiency in designing workflows and scalable labeling systems in development ticketing systems like GitLab, Jira, Asana, etc.
Strong analytical skills with ability to collect, organize, and derive insights from complex data sets
Experience with automation and scripting for data collection and reporting
Proven ability to manage cross-functional stakeholders, drive consensus, and navigate competing priorities
Excellent written and verbal communication skills with the ability to present complex data in accessible formats
Nice to have qualifications:
Experience working directly with product and engineering teams on security initiatives
Familiarity with GitLab and its DevSecOps capabilities
Prior experience specifically with security risk registers or vulnerability management programs
Prior experience with threat modeling, security reviews, or pentesting
Security certifications such as CISSP, CISM, CRISC, CRM, etc.
Project management certifications like PMP
Experience with risk assessment methodologies and frameworks such as NIST RMF, FAIR, ISO 31000, etc.
Knowledge of compliance frameworks such as FedRAMP, SOC 2, ISO 27001, PCI-DSS, TISAX, etc.
Experience working in a rapidly scaling technology company
About the job
Apply for this position
Staff Security Engineer - Product Security Risk & Metrics
An overview of this role:
We are seeking a Staff Security Engineer to join our Security Architecture team with a specialized focus on product security risk and metrics engineering. This position will develop specialized Key Risk Indicators (KRIs), design data collection systems, and create data visualizations that demonstrate our product security posture improvements, measure Product Security teams’ strategic and operational effectiveness, and drive data-informed security decisions. This engineer will also operationalize our Product Security Risk Register and drive cross-functional alignment across Security, Engineering, and Product stakeholders to ensure buy-in and commitment to risk reduction initiatives.
The ideal candidate combines product security expertise, data analysis expertise, and strong stakeholder management skills to build frameworks that enhance visibility, prioritization, and progress tracking of our product security initiatives.
What you'll do:
Create and maintain Key Risk Indicators (KRIs) specifically designed to measure, monitor, and communicate product security risk levels
Engineer tracking systems and data visualizations that monitor remediation progress and provide visibility into risk reduction initiatives
Apply data analysis techniques to identify trends and patterns in product security risk data to inform proactive risk management
Design and implement robust metrics collection systems that accurately measure both strategic and operational effectiveness for all Product Security teams
Build and maintain the operational systems for the Product Security Risk Register, focusing on efficient workflows and data collection
Manage operational cadences including the monthly risk review process and action item tracking workflows
Facilitate cross-team collaboration to ensure risk reduction efforts are properly coordinated and tracked
Drive cross-functional alignment between Security, Engineering, Product, and other stakeholders to ensure buy-in and commitment to risk reduction initiatives
Work alongside the Security Risk Team to ensure product-specific risk tracking aligns with broader operational and enterprise risk management programs while maintaining distinct focus areas
Serve as the central coordinator for the Product Security Risk Register operations, related metrics collection, and stakeholder reporting within the Security Architecture team
What you'll bring:
5+ years of experience in product security, DevSecOps, security risk management, data analytics, or related technical roles
Demonstrated understanding of secure development practices and product security risks
Proven experience developing and implementing security metrics, KRIs, and risk dashboards that drive organizational outcomes
Proven ability to translate complex security concepts into actionable data and visualizations
Proficiency with data visualization and analysis tools (e.g., Tableau, Power BI, or similar)
Proficiency in designing workflows and scalable labeling systems in development ticketing systems like GitLab, Jira, Asana, etc.
Strong analytical skills with ability to collect, organize, and derive insights from complex data sets
Experience with automation and scripting for data collection and reporting
Proven ability to manage cross-functional stakeholders, drive consensus, and navigate competing priorities
Excellent written and verbal communication skills with the ability to present complex data in accessible formats
Nice to have qualifications:
Experience working directly with product and engineering teams on security initiatives
Familiarity with GitLab and its DevSecOps capabilities
Prior experience specifically with security risk registers or vulnerability management programs
Prior experience with threat modeling, security reviews, or pentesting
Security certifications such as CISSP, CISM, CRISC, CRM, etc.
Project management certifications like PMP
Experience with risk assessment methodologies and frameworks such as NIST RMF, FAIR, ISO 31000, etc.
Knowledge of compliance frameworks such as FedRAMP, SOC 2, ISO 27001, PCI-DSS, TISAX, etc.
Experience working in a rapidly scaling technology company