Director, Head of Product Security

Company Description

About CyberArk:

CyberArk (NASDAQ: CYBR), is the global leader in Identity Security. Centered on privileged access management, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud workloads and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets. To learn more about CyberArk, visit our CyberArk blogs or follow us on Twitter, LinkedIn or Facebook.

Job Description

We are looking for a highly motivated Head of R&D Product Security to drive and lead the product security strategy across our diverse portfolio. In this critical role, you will work closely with multiple stakeholders, including development, DevOps, and security teams, to ensure robust security practices throughout the SSDLC. You will lead the central security team, champion secure development practices across all services, and nurture a security-first culture through training, mentorship, and thought leadership.

Key responsibilities include:

• Lead and mentor the R&D security team: Build a strong security culture across the entire R&D organization, providing mentorship and fostering growth for security champions, experienced security professionals, and developers alike.
• Oversee SSDLC processes: Define, implement, and enforce secure development standards in line with industry benchmarks (e.g., OWASP, NIST, CIS, SANS, FIPS). Ensure security is integrated into every phase of the SDLC, including requirement gathering, design, development, testing, and deployment.
• Security Posture: Define KPI, OKR and maintain visibility across all product development life cycle.
• Pipeline and automation security: Drive the adoption of automated security testing and analysis tools (e.g., SAST, SCA, DAST, IAC, secret leakage prevention and more). Ensure pipelines are secure and monitored for both SaaS and self-hosted product lines. Collaborate with DevOps teams to promote a "Shift Left" security approach, where security is prioritized from the outset of development. Nurture a developer-first mindset, embedding security automation and monitoring into the development workflow.
• Security incident response and mitigation: Lead efforts to assess, analyze, and respond to internal and external security incidents. Provide expert guidance on remediation strategies and proactive prevention measures, working closely with internal red-teaming and third-party penetration testing (PT) services.
• Cloud security leadership: Provide strategic direction to ensure the security of cloud environments (AWS, Azure, GCP). Ensure alignment with industry frameworks such as CSA CAIQ and ensure readiness for ongoing cloud security assessments.
• Proactive security planning: Develop and maintain a security backlog aligned with the company’s goals, addressing evolving risks and enabling the R&D teams to make informed decisions. Ensure security initiatives are tracked and balanced against product development timelines.
• Governance and compliance: Contribute to ISO, SOC2, and other security compliance initiatives by ensuring the highest security standards across all products. Report regularly on security status, risks, and progress to senior leadership, security steering committees, and audit committees.
  
  

• R&D teams across all product lines (SaaS and self-hosted)
• Global Security (PM Security, IT Security, Cloud Engineering, etc.)
• Legal, Research, and Red-Team units
  
  

• 7+ years of experience in software development and at least 3 years in cybersecurity, ideally with a focus on application security and cloud security.
• 4+ years of management experience, with a track record of leading and mentoring security teams in large-scale R&D organizations (preferably with 1,500+ developers).
• Expertise in SSDLC, cloud security frameworks, and DevSecOps practices.
• Proven ability to lead security efforts across multiple products and services in both SaaS and self-hosted environments.
• Deep understanding of automated security testing tools and practices to ensure the security of pipelines, code, and infrastructure.
• Ability to operate in a matrixed environment, driving alignment across teams with differing priorities.
• Strong communication skills and ability to convey complex security issues to both technical and non-technical stakeholders.
• High-level decision-making skills, particularly in situations with limited information or time constraints, ensuring risk is managed effectively.