Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!
Principal Product Security Architect
Role Overview
We are seeking an experienced Principal Product Security Architect to join our Product Security team as a player-coach, combining hands-on technical leadership with strategic security guidance. This role will drive security excellence across our product portfolio through risk assessment, architecture reviews, threat modeling, and by establishing secure development patterns that enable engineering teams to build security in from the start. You will serve as a trusted advisor to engineering leadership while remaining deeply technical and creating tangible security artifacts that scale across the organization.
Key Responsibilities
Security Architecture & Risk Assessment
Partner with engineering teams early in the design process to embed security controls and minimize remediation costs
Conduct comprehensive architecture reviews for major changes, new features, services, and products, identifying security risks and recommending mitigations
Perform architecture reviews and threat modeling exercises using frameworks such as STRIDE and/or attack trees to systematically identify and prioritize threats
Author risk assessment reports for executive leadership, product management, and engineering stakeholders, translating technical findings into business impact
Develop specific, timely, and thoughtful requirements and solution improvements that manage the risks identified in your assessment
Build and maintain reference architectures that demonstrate secure design patterns for common use cases (microservices, APIs, data pipelines, etc.)
Security At Scale
Create and publish secure code snippets, libraries, and design patterns that serve as "paved pathways" for development teams
Maintain a library of security patterns addressing common vulnerabilities (injection flaws, authentication weaknesses, cryptographic failures, etc.) that developers can leverage as pre-built mitigations to classes of vulnerabilities
Develop comprehensive security guidance documentation, including secure coding standards, cryptography guidelines, and authentication/authorization patterns
Build reusable security components and frameworks that make secure development the path of least resistance
Establish security architecture principles and guardrails that balance security requirements with developer velocity
Product Security Operations
Actively use our products in realistic scenarios to identify security gaps, usability issues, and opportunities for security improvements
Provide actionable feedback to product and engineering teams on security features, controls, and user experience
Collaborate with Product Security Incident Response Team (PSIRT) on vulnerability analysis and remediation strategies
Support security assessment efforts including penetration testing, code reviews, and security tooling integration
Contribute to security compliance initiatives (FedRAMP, NIST SSDF) through architecture documentation and control validation
Leadership & Stakeholder Management
Represent Product Security in technical design reviews, architecture review boards, and risk committees
Serve as a security thought leader across engineering, product, and executive teams
Mentor security engineers and champion security champions within development teams
Build strong relationships with engineering leadership to influence security strategy and priorities
Present security architecture decisions, risk trade-offs, and recommendations to senior leadership
Drive cross-functional initiatives that improve security posture while maintaining development velocity
Qualifications
Requirements
13+ years of experience in information security with at least 5 years focused on product security, application security, or security architecture
Deep expertise in secure software development lifecycle (SDLC) practices and modern development frameworks
Proven experience conducting threat modeling and risk assessments for complex distributed systems
Strong understanding of common vulnerability classes (OWASP Top 10, CWE Top 25) and secure coding practices across multiple languages
Demonstrated ability to write production-quality code and create technical security guidance for engineering teams
Experience building reference architectures, libraries, and automations that address security at scale
Excellent written and verbal communication skills with the ability to tailor messaging for technical and executive audiences
Track record of influencing engineering practices and building trust with development teams
Preferred Qualifications
Experience with cloud-native architectures (AWS, Azure, GCP) and container security (Kubernetes, Docker) as well as large-scale private cloud deployments
Experience assessing and securing Java platforms, event-driven architectures, and data security in multi-tenant SaaS solutions
Knowledge of cryptography, PKI, authentication protocols (OAuth 2.0, SAML, OIDC), and identity management
Background in security compliance frameworks (NIST SP 800-53, NIST SSDF)
Certifications such as CISSP, CISSP-ISSAP/TOGAF would be an added advantage.
Contributions to open-source security projects or published security research
Familiarity with Infrastructure as Code (Terraform) and Policy as Code (OPA)
Experience with security automation, SAST/DAST tools, and security testing frameworks
Security certifications such as CISSP, OSCP, GIAC, or similar credentials
Experience working in regulated industries (government, healthcare, financial services)
Skills
Communication: Both verbal and written communication skills are key, as is the ability to explain why security improvements are needed
Languages: Proficiency in at least two of: Java, Python, Go, React
Security Tools: Experience with threat modeling tools, SAST/DAST scanners, dependency checkers, and security testing frameworks
Architecture: Deep understanding of microservices, APIs, event-driven systems, and distributed architectures
Security Controls: Expertise in authentication, authorization, encryption, secrets management, and secure communications
Methodologies: Threat modeling (STRIDE), risk frameworks (FAIR, NIST RMF), secure design principles (least privilege, defense-in-depth, zero trust)