Manager, Product Security Lead
SAS · Cary, NC · 3 wk ago
HybridEngineeringFull-time
About the role
We’re a leader in data and AI. Through our software and services, we inspire customers around the world to transform data into intelligence - and questions into answers. If you're looking for a dynamic, fulfilling career with flexibility and a world-class employee experience, you'll find it here. We're recognized around the world for our inclusive, meaningful culture and innovative technologies by organizations like Fast Company, Forbes, Newsweek and more.
Responsibilities
- Maintain a current picture of the external threat environment, including CVEs, industry incidents, emerging attack patterns, and regulatory shifts, and proactively brief engineering leadership on what matters and why.
- Audit external threats against the SAS portfolio in architectural context, filtering findings that are unexploitable given how Viya is built and deployed, so engineering teams stay focused on genuine risk.
- Lead the organization's response to CVE risks from penetration tests, customer requests, and Tech Support PSIRTs, determining appropriate responses such as mitigation, compensating controls, or full remediation.
- Lead, mentor, and direct a small team of offensive security specialists conducting internal penetration testing, validating findings, reviewing remediations, and coordinating follow-on testing.
- Represent Global Engineering on the ISMS Board and serve as a named lead in the organization's security incident response playbook.
- Ensure all applicable security policies and processes are followed to support the organization's secure software development goals.
- Influence without authority: demonstrate ability to drive alignment on security priorities across large, distributed engineering organizations.
- Architectural fluency: build genuine understanding of the systems you secure and know when you need to go deeper before rendering judgment on a finding.
- People development: set direction for experts, evaluate their work, and make the practitioners around you more effective.
- Penetration testing leadership, offensive security, or red team operations experience.
- Experience with supply chain security, SBOM, and third-party risk management.
- Expertise in securing enterprise web applications and familiarity with OWASP Top 10, CVSS, CWE, and SANS-25.
- Familiarity with security governance frameworks and ISMS participation.
- Recognized thought leadership in the security community (publications, conference contributions, open-source).
Requirements
- Bachelor's degree with major study in Computer Science, Electrical Engineering, or related field.
- Relevant security certifications preferred, such as GIAC certifications, CEH, CCSP, CSSLP, CISM, or CISSP.
- Extensive hands-on experience in product security, application security, or software security engineering, with a track record of meaningful impact, not just process compliance.
- Deep technical understanding of modern software architectures, cloud platforms, and enterprise SaaS deployment models, sufficient to evaluate security findings in architectural context, not just in the abstract.
- Proven experience in threat intelligence, CVE management, and security incident response, including hands-on involvement in active incidents.
- Exceptional communication skills across audiences, able to brief executives on what matters and advise engineers precisely on what to do.
Qualifications
- Equivalent combination of related education, training, and experience may be considered in place of the above qualifications.
Additional Competencies, Knowledge And Skills
- Influence without authority: demonstrated ability to drive alignment on security priorities across large, distributed engineering organizations.
- Architectural fluency: you build genuine understanding of the systems you secure and know when you need to go deeper before rendering judgment on a finding.
- People development: you set direction for experts, evaluate their work, and make the practitioners around you more effective.
- Penetration testing leadership, offensive security, or red team operations experience.
- Experience with supply chain security, SBOM, and third-party risk management.
- Expertise in securing enterprise web applications and familiarity with OWASP Top 10, CVSS, CWE, and SANS-25.
- Familiarity with security governance frameworks and ISMS participation.
- Recognized thought leadership in the security community (publications, conference contributions, open-source).