The Head of Product Security at Gojek is accountable for security of Gojek’s engineering and application platforms (our products and services). This leader is accountable for managing security in Gojek’s engineering development environments, cloud infrastructure, source code repositories, and ensuring security is optimized in the SDLC and CI/CD arenas. In addition, this leader will own, develop and implement strategies to continuously “shift left” to ensure a “security-at-birth” model.
The incumbent will partner with Engineering, Product, Core Fraud, and Risk, Privacy, and Compliance teams to ensure that security is effectively interlocked and aligned with key business stakeholders. This leader is responsible for establishing and driving a product security program to integrate security into existing processes as well as establishing new processes to achieve security goals. He/she will serve as a trusted leader, advisor, and will lead a team to ensure that security requirements are met and aligned with business strategy.
This role reports to the Gojek CISO and will lead and grow a team and continuously evolve the product security function to align and scale with the business.
Serve on the engineering leadership team to define and ensure that common process, standards and tools for security engineering are established and followed
Drive for high degrees of security automation and help build a “Security at Birth” and “Security as Code” culture
Ensure an engaged, innovative, and encouraging working environment in the department by motivating, challenging, and mentoring employees towards growth. Build and mature the DevSecOps program and implement “shift left” initiatives
Transform the existing product security function by building tight alignment with key business stakeholders to increase security effectiveness across the engineering development lifecycle
Lead and build/grow an existing DevSecOps team responsible for conducting penetration tests, automation, static/dynamic code analysis, threat modeling, and developer training programs
Develop and execute secure software development strategy for the Product Engineering Group (PDG), including policies, standards and governance
Design, improve and manage security automation to integrate application security into various CI/CD across the enterprise
Improve and expand application security risk posture and processes across engineering including coverage for all engineering product and infrastructure groups
Regularly report on security metrics for product and engineering postures
Manage continuous release planning and execution and integrate with security design and engineering work across multiple groups and technical constituencies
Leadership – Team Development & Succession Planning
Develop and manage key stakeholder relationships with senior leaders from engineering, product, and business teams to work towards security outcomes
Work with peer organizations to benchmark, measure, and regularly report DevSecOps metrics
Build, grow, mentor and continuously cultivate a high-performance DevSecOps team
Actively work on succession planning and develop and mentor managers and staff to achieve career goals
Lead cross-functional teams to define objectives, strategies and metrics in working towards targeted security goals and outcomes
Own and actively and responsibly manage the product / DevSecOps security budget to ensure the highest return on investments
Participate in personnel management including recruitment and selection, adequate staffing, performance appraisals, education and training
Exceptional relationship management with senior leaders and stakeholders, continually building and maintaining collaborative partnerships across all levels of an organization
Strong ability to clearly articulate decisions based on risk-based / business impact decision tradeoffs
Experience in leading teams on technical security projects ensuring commitments are met and ensuring key stakeholders are constantly informed of the status
Strong leadership qualities and business acumen able to communicate with all levels of the organization including technical leaders to senior business leaders. Ability to manage and communicate effectively with the ambiguity associated with working in a fast-paced and changing environment
Strong people management skills providing direction, monitoring performance, motivating staff and building a positive working environment
Bachelor’s of Science degree in an Engineering discipline; Master’s preferred or equivalent work experience
10+ years of engineering development (DevSecOps) experience in highly diversified and high growth organizations.
Established track record in leading applications / DevSecOps teams in implementing “shift left” strategies. Familiarity with the leading tool-sets, including continuous penetration testing, automation, and SAST/DAST tools
Track record of aligning DevSecOps to business requirements and interlock with key stakeholders
Experience in managing and developing DevSecOps function and teams
Strong experience in securing large Kubernetes, Docker, and Google Cloud infrastructures
Experience in establishing and rolling out Threat Modeling that can be consumed by developers and engineers into user stories
Experience building security communities across engineering teams through evangelism and training programs
Knowledge of common information security management frameworks, including but not limited to: ISO 27001 / 27002 and PCI
Professional security certifications, such as a Certified Information Systems Security Professional (CISSP) or other relevant security credentials desired
Ensuring security in our products and services is a critical part of Gojek’s #1 objective to be the safest and most secure platform in the market. If you see a good fit, we’d love to chat.