Education level preferred: Undergraduate Degree (4 years or equivalent)
Technical understanding of Public Cloud computing (Azure/AWS), including cloud hardening, data protection controls, resiliency, and access management. Experience with APIs/microservices, IAM, Secrets Management, DevSecOps, and SSDLC preferred.
Financial services and banking experience preferred; experience in industries with similar risk tolerance acceptable. CISSP, CISM, or equivalent security certifications strongly preferred.
Job Competencies:
Expert knowledge of application security principles, threat modeling methodologies, and secure software development lifecycle (SSDLC) practices.
Deep understanding of cloud security architecture, identity and access management, secrets management, and data protection controls.
Strong understanding of vulnerability assessment, penetration testing, secure code review, and security testing methodologies.
Ability to think in terms of risks and outcomes, translating them into actions required to achieve business and technology goals.
Knowledge of regulatory compliance frameworks, 3 Lines of Defense model, and control design principles for financial institutions.
Delivery excellence mixed with strategic vision; ability to balance tactical s
Benefits: Vision insurance
Additional Information
Position Title: Product Security Principal
Location: New York, NY 10018
Job Summary
Serves as the embedded security subject matter expert and thought leader for assigned product lines within the product operating model framework. Partners with the Technology Line of Business Lead, Business Architect, and Business Unit Risk Manager (BURM) to cultivate a security-first culture, ensuring products are secure from design through deployment. This position is accountable for application-specific security controls, threat modeling, security architecture reviews, secure code practices, and security testing coordination. Responsible for identifying and managing security risks, translating regulatory and policy requirements into actionable control designs, and serving as the clear point of escalation for IT Risk and Cyber domains within the product. Acts with urgency to monitor Key Risk Indicators, manage emerging security issues, and drive real risk reduction outcomes across the product's technology supply chain.
Job Responsibilities:
Cultivates security culture across product, technology, and business teams by embedding threat modeling, security architecture reviews, and secure code practices, ensuring products adopt security controls and are secure from design through deployment.
Owns application-specific security requirements, threat modeling, security architecture design, authentication/authorization design, and data classification/handling standards in partnership with Tech Leads and Business Architects.
Leads security testing, vulnerability assessments, penetration testing coordination, and security validation activities, tracking security defect remediation and ensuring compliance with secure coding standards.
Prepares and delivers Technology Review Board security artifacts including Initial Design Review security assessments, Production Release Review security validation, and security incident response plans.
Proactively monitors Key Risk Indicators, manages emerging security issues with urgency, identifies root causes and themes, and provides timely recommendations for resolution to the BURM and leadership.
Partners with Third Party Oversight teams to ensure effective technology risk management of vendors, with focus on Cloud computing, SaaS tools, and emerging technologies engaged by technology partners.
Collaborates on business-as-usual audit and regulatory engagements, translating firmwide policy and regulatory requirements into control designs for Software Engineers and SRE teams.
Serves as the product's security thought leader, sharing best practices between product and cybersecurity teams, and acting as the clear point of escalation and subject matter expert for IT Risk and Cyber domains.
ADDITIONAL ACCOUNTABILITIES
Performs special projects, and additional duties and responsibilities as required.
Where applicable and when performing the responsibilities of the job, employees are accountable for maintaining regulatory compliance and adhering to internal policies, standards, and controls.
JOB REQUIREMENTS
Education level preferred: High School / High School Equivalency (GED, HiSET, TASC) / Foreign Equivalent
Minimum experience required: 8+ Years in information security, cybersecurity, or technology risk management with strong security and technical skills in a regulated organization
Experience operating in a 3 Lines of Defense (3LoD) model with demonstrated ability to translate policy and regulatory requirements into control designs for engineers and architects
Proven ability to communicate effectively and authoritatively with technical and non-technical stakeholders, explaining complex security concepts in simple terms