Flagstar Bank

Product Security Principal

New York / 1400 Broadway / 114025 / Full time

Position Title

Product Security Principal

Location

New York, NY 10018

Job Summary

Serves as the embedded security subject matter expert and thought lead for assigned product lines within the product operating model framework. Partners with the Technology Line of Business Lead, Business Architect, and Business Unit Risk Manager (BURM) to cultivate a security-first culture, ensuring products are secure from design through deployment. This position is accountable for application-specific security controls, threat modeling, security architecture reviews, secure code practices, and security testing coordination. Responsible for identifying and managing security risks, translating regulatory and policy requirements into actionable control designs, and serving as the clear point of escalation for IT Risk and Cyber domains within the product. Acts with urgency to monitor Key Risk Indicators, manage emerging security issues, and drive real risk reduction outcomes across the product’s technology supply chain.

Job Responsibilities:

  • Cultivates security culture across product, technology, and business teams by embedding threat modeling, security architecture reviews, and secure code practices, ensuring products adopt security controls and are secure from design through deployment.
  • Owns application-specific security requirements, threat modeling, security architecture design, authentication/authorization design, and data classification/handling standards in partnership with Tech Leads and Business Architects.
  • Leads security testing, vulnerability assessments, penetration testing coordination, and security validation activities, tracking security defect remediation and ensuring compliance with secure coding standards.
  • Prepares and delivers Technology Review Board security artifacts including Initial Design Review security assessments, Production Release Review security validation, and security incident response plans.
  • Proactively monitors Key Risk Indicators, manages emerging security issues with urgency, identifies root causes and themes, and provides timely recommendations for resolution to the BURM and leadership.
  • Partners with Third Party Oversight teams to ensure effective technology risk management of vendors, with focus on Cloud computing, SaaS tools, and emerging technologies engaged by technology partners.
  • Collaborates on business-as-usual audit and regulatory engagements, translating firmwide policy and regulatory requirements into control designs for Software Engineers and SRE teams.
  • Serves as the product’s security thought leader, sharing best practices between product and cybersecurity teams, and acting as the clear point of escalation and subject matter expert for IT Risk and Cyber domains.

ADDITIONAL ACCOUNTABILITIES

  • Performs special projects, and additional duties and responsibilities as required.
  • Where applicable and when performing the responsibilities of the job, employees are accountable to maintain regulatory compliance and adhere to internal policies, standards, and controls.

JOB REQUIREMENTS

  • Education level preferred: High School / High School Equivalency (GED, HiSET, TASC) / Foreign Equivalent
  • Minimum experience required: 8+ Years in information security, cybersecurity, or technology risk management with strong security and technical skills in a regulated organization
  • Experience operating in a 3 Lines of Defense (3LoD) model with demonstrated ability to translate policy and regulatory requirements into control designs for engineers and architects
  • Proven ability to communicate effectively and authoritatively with technical and non-technical stakeholders, explaining complex security concepts in simple terms

Preferred Qualifications:

  • Education level preferred: Undergraduate Degree (4 years or equivalent)
  • Technical understanding of Public Cloud computing (Azure/AWS), including cloud hardening, data protection controls, resiliency, and access management. Experience with APIs/microservices, IAM, Secrets Management, DevSecOps, and SSDLC preferred.
  • Financial services and banking experience preferred; experience in industries with similar risk tolerance acceptable. CISSP, CISM, or equivalent security certifications strongly preferred.

Job Competencies:

  • Expert knowledge of application security principles, threat modeling methodologies, and secure software development lifecycle (SSDLC) practices.
  • Deep understanding of cloud security architecture, identity and access management, secrets management, and data protection controls.
  • Strong understanding of vulnerability assessment, penetration testing, secure code review, and security testing methodologies.
  • Ability to think in terms of risks and outcomes, translating them into actions required to achieve business and technology goals.
  • Knowledge of regulatory compliance frameworks, 3 Lines of Defense model, and control design principles for financial institutions.
  • Delivery excellence mixed with strategic vision; ability to balance tactical security needs with long-term security architecture goals.
  • Excellent written and verbal communication skills with ability to explain complex technical security concepts in simple terms.
  • Demonstrated success influencing peers inside and outside your department without direct authority.
  • Self-motivated learner with proven experience upskilling on modern technologies and security practices.
  • Experience with DevSecOps tooling, CI/CD security integration, code scanning, and container security at build and runtime.
  • Knowledge of endpoint security, email security, and workforce technology protection strategies.
  • Understanding of third-party risk management, vendor security assessments, and SaaS security considerations.
  • Ability to monitor Key Risk Indicators and act with urgency managing emerging security issues.
  • Ability to mentor and guide development teams on secure coding practices and security best practices.
  • Flexibility to adapt to evolving threat landscape and emerging security technologies.
  • Ability to work collaboratively with product, technology, and business colleagues at all levels.
  • Understanding of product operating framework and cross-functional collaboration with Business Architects, Tech Leads, and SRE teams.
  • Deep understanding of security incident response, root cause analysis, and corrective action implementation.
  • Experience presenting security assessments and recommendations to Technology Review Boards and executive leadership.
  • Critical thinking mindset with ability to identify hidden security issues and unfamiliar technology risks.
  • Recognized as a security thought leader with ability to share best practices across product and cybersecurity teams.
  • Demonstrates a strong ability to build and maintain effective relationships with stakeholders by communicating clearly, engaging in proactive collaboration, and leveraging cross-functional insights. Aligns relationship-building efforts with enterprise goals to accelerate performance and drive strategic results.
  • Builds trusted client relationships, whether internal or external, by identifying needs and delivering tailored solutions to enhance the overall client experience.
  • Fosters or supports a positive work culture and productive work environment, displaying importance of effective relationships with customers and stakeholders.
  • Minimal travel required
  • Physical demands (ADA): No unusual physical exertion is involved.

Flagstar is an Equal Opportunity Employer

We are committed to providing clear and accurate compensation information in accordance with applicable laws. Actual starting base pay will be determined based on location, experience, and other non-discriminatory factors permitted by law. Total compensation may also include variable incentives, bonuses, commissions, or other awards as outlined in the offer of employment. Flagstar provides teammates access to a variety of benefits including medical, dental, vision, life, and disability insurance, as well as a comprehensive leave program.

Pay Range

$123,249.00 - $195,985.00