Senior Director, Information Security
The Director will lead the AppSec and DevSecOps functions in the identification, classification, management and mitigation of software security risks through the use of effective processes and tooling throughout the software development life cycle. The candidate must understand modern software development trends and engineering-led software security practices, and keep up with the evolving cyber security threat landscape.
The ideal candidate will have a vision for developing effective software-based governance, strong security architecture/design practices, proven experience in implementing DevSecOps, and enabling developers to identify and correct vulnerabilities earlier in the SDLC using Static, Dynamic, and Software composition analysis including secure design architecture and patterns.
- Promote, maintain and drive a sound multi-disciplinary Application Security and DevSecOps strategy, based on well-established best practices, industry benchmarks and regulatory requirements
- Mature governance processes and integrate them with modern CI/CD pipelines and development tooling (shift left)
- Make effective use of available software security tooling (DAST, SAST, IAST, Data Analytics) to identify and manage software vulnerabilities/defects
- Secure workloads/applications regardless of application placement (traditional on-premise, appliances, virtualized environments, public cloud, Docker, Kubernetes environments)
- Champion a culture of security by design through implementation of sound design and security architecture activities/analysis early in the SDLC including threat modeling
- Implement relevant training programs that motivate and engage software development teams
- Forge and maintain strong working relationships with development functions/teams, product delivery teams, project management, third-party management, architecture, and external client teams
- Provide timely, accurate, and actionable reporting on vulnerability activity, trends, service levels, and areas of concern to senior management
- Participate in security and technology strategic planning to ensure identified risk governance is incorporated into the CISO strategy.
- Educate and advise product and technical leaders on the development, delivery and management of software security solutions
- Appropriately assess risk and provide software security advice when business decisions are made
- Drive innovation in security trends to innovate security products
- Manage third-party code risks
- Experience leading teams to achieve business objectives, cultivating talent, building cross-functional teams
- Knowledge and experience operating the industry's top application security testing tooling (SAST, DAST, IAST)
- Ability to promote a culture of automation and security/compliance as code across software development projects and cloud workloads (Terraform IaC, CloudFormation templates)
- Experience assessing risk in Agile, DevOps, Cloud (IaaS PaaS and SaaS)
- Building threat models
- Broad security and technology expertise in technical and procedural security controls
- Deep understanding of cybersecurity risk/maturity practices and frameworks such as BSIMM, including hands-on experience performing formal risk assessments
- Conversant in security and privacy regulations and compliance (e.g., GLBA, SOX, GDPR, CCPA)
- Drive changes to Policy, Strategy, Training, and Technology needs
- Strong organizational skills with a successful track record of managing expectations, delivering results, and meeting milestones
- Excellent communication skills
- Ability to lead, influence and collaborate with remote team members
- Understanding of security operations concepts, vulnerability management and compliance remediation within a complex organization
- Understanding of security threat environment relative to network architectures, designs, data centers, applications, databases, etc.
- Demonstrated knowledge of recognized security industry standards and leading practices (e.g., FFIEC, NIST, SOC2)
- Relevant professional certifications: CISA, CISM, CRISC, CISSP or equivalent desired
Imperva is an analyst-recognized, cybersecurity leader—championing the fight to secure data and applications wherever they reside. Once deployed, our solutions proactively identify, evaluate, and eliminate current and emerging threats, so you never have to choose between innovating for your customers and protecting what matters most. Imperva—Protect the pulse of your business.