Director - Product Security
Bellevue, WA US
The Director - Product Security to work closely with Discovery’s Information Security and Direct to Consumer (DTC) teams on initiatives to protect data, services, and technology assets from external threats. To assist development leaders with the design of adequate security controls based on appropriate risk levels. Assist information security team with reviewing business applications and provide guidance on securing direct to consumer applications ensure Discovery is providing adequate security protecting consumer data.
This is a key role within the Information Security department that will be focused on application security for our streaming media service and other supporting applications. The Director of Product Security will be a valued partner to development and engineering teams to ensure secure architectures, patterns, and solutions are created and maintained. This person will work closely with Discovery’s DTC application teams and will build a community of practice with developers within DTC to support effective communication and collaboration. This person will be the subject matter expert for secure code development and will work with various application engineering teams to develop alternatives for remediation of vulnerabilities.
Director will report directly to the VP of Information Security Direct to Consumer, and will work collaboratively and effectively with Global Information Security team, Broadcast and TVN Business Information Security Offices and infrastructure teams to design and deploy appropriate, risk-based safeguards and technical direction.
• Manage Global Product Security / DevSecOps team, in addition to supporting the U.S. and International Digital organizations.
• Evaluate, manage and support application security technologies, processes and workflows on multiple platforms (e.g., Server/Client, Mobile, Tablet, etc.)
• Conduct application security risk assessments, analysis, and monitoring
• 24x7 on-call availability for Information Security Incident Response issues across the globe as it pertains to DTC Business Systems
• Ability to manage cyber security risks and threats tied to Discovery’s reputation, exposure and regulatory, technology and data compliance
• Develop and execute security assessment test plans, document and present results
• Review developers’ codes, provide feedback and perform security and risk assessment for consumer-facing applications, services, and future technology
• Perform design analysis, review, piloting, and selection of security technologies that meet specified application/business requirements, as needed
• Identify and define application security requirements and security baselines for the various classes of assets and environments in use at Discovery or its partners
• Work collaboratively and proactively across the organization (e.g., Technical Architects/Leads, Product managers, Digital Media Program Teams, etc.) to support and remediate security gaps
• Review Technical Architecture and Delivery for Web and other Client Delivery Platforms
• Understand and recommend security controls for the rapid development of consumer-facing prototypes to identify technical options and inform architectural approaches
• Identify and recommend best-of-breed security stack and controls for interactive consumer experiences across web and mobile devices. (i.e., project, customer, and vendor management skills)
• Engage assigned business lines as the central point-of-contactfor information security controls.
• Ability to make considered effective decisions, come to sensible conclusions, understand situations, and form objective opinions especially in matters that affect action.
• Work closely with Global Information Security teams, legal counsel (Privacy/Compliance), IT, Broadcast, Digital teamsand Forensics to discuss/communicate incident response findings/analysis/remediation actions and related strategies that best protect the organization and reassure stakeholders.
• Manage relationships effectively, advocating for business and external customers by engaging in security-related requirements conversations, seeking understanding of control requirements for presenting to IT security solution architects
• Advocate for the company’s security initiatives and controls deployment. Stays knowledgeable about the company’s technical controlsand advocates for the technical security control needed by assigned business.
• Promote and evangelize the company’s IT and Information Security Policiesand Standards. Advise stakeholders on security deviation control alternatives, such as compensating controls, and leads stakeholders through the policy deviation process.
• Must be willing and able to travel up to 25% of the time
• 10+ years’ experience in managing Information Security global teams
• 10+ years’ experience in of cybersecurity architecture/engineering, cloud security, and/or application security (Appsec, Netsec), with a bachelor’s degree or higher in related field
• Must have high judgment and executive communication (verbal/written) skills
• Strong experience in handling cyber/operational security incidents tied to various attack vectors and stakeholders
• Broad knowledge of IT Security technologies, process, and techniques and a strong understanding of application security leading practices including OWASP and CWE.
• Extensive experience in secure code reviews, business logic assessment, and application security testing
• Experience deploying cybersecurity solutions in a public cloud environment (IaaS, PaaS, SaaS)
• Familiar with application security tools like BurpSuite Pro, SAST, DAST, Nmap, Metasploit, and Kali Linux, etc. (Experience in 3rd-party testing tools such as Veracode, WhiteHat, etc., is also preferred)
• Experience working with Agile development/Scrum methodologies, and incorporation of security requirements into SDLC (CI/CD) with product owners/managers
• Excellent knowledge of software and application design and architecture
• Strong Knowledge of TCP/IP, DNS, HTTP, HTTPS, VPN, SQL and other database technologies
• Experience with Unix/Linux and Windows operating systems in an Active Directory environment
• Experience with endpoint security and SIEM technologies, e.g., Carbon Black, QRadar
• Experience working in large global environments
• Excellent communication and presentation abilities with great attention to detail
• CISSP, CEH, GWEB, CWAPT, CASS, SCADA, CCSP, CSSLP, CISSP-ISSAP or OSCP certifications are highly desired