
WPP · United Kingdon
WPP is the trusted growth partner for the world’s leading brands. We unite cutting-edge media intelligence and data solutions, world-class creativity, next-ge...
WPP is the trusted growth partner for the world’s leading brands.
We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative
enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing
platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth.
We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise.
Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning,
attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow.
For more information, visit WPP.com.
The Product, Application and Offensive Security Lead is responsible for embedding security directly into the design, development,
testing, and operation of DTS products and platforms.
This is a hands-on security engineering role. The role requires someone who can work directly with product and engineering teams,
review designs, assess APIs, run threat models, test systems, coordinate penetration testing, identify vulnerabilities, and help
teams remediate issues.
The role ensures DTS products, APIs, data collaboration capabilities, AI-enabled workflows, and client-facing services are
designed, built, and tested securely. It also owns the practical offensive security and adversarial assurance activity needed to
test DTS products from an attacker’s perspective.
The Product, Application and Offensive Security Lead will work closely with Product, Engineering, Architecture, Infrastructure,
Security Operations, Privacy, Cloud and Platform Security, and the ISMS and Risk Officer to ensure security issues are identified
early, fixed effectively, and tracked through governance where required.
Provide hands-on security support across DTS products and engineering teams. This includes:
Embed security into the software development lifecycle across DTS. This includes:
Run threat modelling and security design reviews for new and changed capabilities. This includes:
Carry out and coordinate offensive security testing across DTS products and platforms. This includes:
Provide security assurance for APIs, integrations, and data products. This includes:
Provide hands-on security review and adversarial testing for AI-enabled and agentic capabilities. This includes:
Help teams understand, prioritise, and fix security vulnerabilities. This includes:
Act as a practical security partner to engineering teams. This includes:
The Product, Application and Offensive Security Lead will be accountable for:
testing.
injection, data leakage, privilege escalation, and supply chain risk.
The Product, Application and Offensive Security Lead is expected to:
You're open: We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views.
We are open-minded: to new ideas, new partnerships, new ways of working.
You're optimistic: We believe in the power of creativity, technology and talent to create brighter futures or our people, our
clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected.
You're extraordinary: we are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers
of our industry; we provide extraordinary every day.
Passionate, inspired people – We aim to create a culture in which people can do extraordinary work.
Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the
industry.
Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the
challenge?
#LI-Hybrid
We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve
adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please
discuss this with the hiring team during the interview process.
WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular
characteristics. We are committed to fostering a culture of respect in which everyone feels they belong and has the same
opportunities to progress in their careers.
PLEASE READ OUR PRIVACY NOTICE (HTTPS://WWW.WPP.COM/EN/CAREERS/WPP-PRIVACY-POLICY-FOR-RECRUITMENT) FOR MORE INFORMATION ON HOW WE
WPP is the trusted growth partner for the world’s leading brands. We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth. We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise. Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning, attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow. For more information, visit WPP.com. Why we're hiring: The Identity, AI and Data Access Governance Lead is responsible for governing who, and what, can access DTS systems, data, APIs, tools, workflows and AI-enabled capabilities. This is a hands-on governance and control role, reporting into the SVP Security and Compliance. The role ensures that access across DTS is appropriate, auditable, reviewed, least-privileged and aligned with security, privacy, compliance and client commitments. The scope covers traditional human access, external users, privileged access, service accounts, machine identities, API keys, tokens, dataset access, and the emerging governance of AI agents and agentic workflows. The role will work closely with Architecture, Security, Product, Engineering, Infrastructure, Privacy, Legal/DPO, TechOps, Enterprise Technology and the ISMS and Risk Officer to ensure DTS has a clear and controlled model for access across platforms such as WPP Open, Choreograph, InfoSum, Open Intelligence, Resolve and related DTS capabilities. What you'll be doing: 1. IDENTITY AND ACCESS GOVERNANCE FRAMEWORK Define and maintain the access governance framework for DTS. This includes: * Defining access governance standards, processes and control expectations. * Establishing how access should be requested, approved, provisioned, reviewed, revoked and evidenced. * Ensuring access governance covers internal users, external users, clients, partners, vendors, service accounts, machine identities and AI agents. * Aligning identity and access governance with DTS architecture, security, privacy, compliance and data governance requirements. * Ensuring access governance is practical for product and engineering teams to implement. 2. ACCESS REVIEWS AND RECERTIFICATION Own the process for regular access reviews and recertification across DTS. This includes: * Defining the scope, frequency and evidence requirements for access reviews. * Coordinating access reviews for critical DTS systems, production environments, privileged roles, sensitive datasets, client-facing platforms and administrative tools. * Ensuring access review outcomes are tracked, remediated and evidenced. * Identifying stale, excessive, orphaned or poorly owned access. * Escalating overdue, high-risk or unresolved access issues through the appropriate governance channels. 3. PRIVILEGED ACCESS GOVERNANCE Ensure privileged access across DTS is properly controlled, justified and auditable. This includes: * Reviewing access to production systems, cloud environments, security tools, databases, CI/CD tooling, administrative consoles and sensitive platforms. * Supporting least-privilege, just-in-time and time-bound access models where appropriate. * Working with Cloud and Platform Security and Infrastructure to improve privileged access controls. * Ensuring privileged access risks are visible in the DTS risk register where required. 4. EXTERNAL USER, CLIENT AND PARTNER ACCESS GOVERNANCE Govern access for external users, clients, agencies, partners and vendors. This includes: * Defining standards for external user onboarding, approval, permissions, expiry and offboarding. * Ensuring external access has a clear business owner and justification. * Supporting access governance across client workspaces, agency environments, partner integrations and shared collaboration areas. * Working with Product and Engineering to ensure tenant, workspace and client-level isolation is appropriately governed. * Tracking risks related to stale accounts, vendor access, partner permissions and external user overprivilege. 5. SERVICE ACCOUNT, MACHINE IDENTITY AND API ACCESS GOVERNANCE Govern non-human access across DTS systems and platforms. This includes: * Defining standards for service accounts, machine identities, automation users, API keys, tokens, secrets and integration credentials. * Ensuring non-human access has clear ownership, purpose, scope, rotation, expiry and auditability. * Working with Product, Engineering, Cloud Security and Infrastructure to reduce unmanaged credential risk. * Ensuring service accounts and machine identities are included in access reviews. * Supporting stronger governance of API access, token issuance, credential lifecycle and integration permissions. 6. AI AND AGENTIC ACCESS GOVERNANCE Define and oversee the governance model for AI agents and agentic workflows across DTS. This includes: * Defining how AI agents are identified, permissioned, monitored, reviewed and revoked. * Ensuring agents have clear ownership, scoped permissions and auditable actions. * Defining which agent actions require human approval or additional control. * Governing agent access to APIs, tools, datasets, workflows, client environments and production capabilities. * Ensuring agents act within delegated authority and cannot exceed the permissions of the user, system or business process they represent. * Working with Product, Architecture and Security to ensure agentic workflows are designed with clear action boundaries. * Working with the Product, Application and Offensive Security Lead to test whether agent permissions and action boundaries can be bypassed. * Working with Privacy Engineering to ensure AI access models support permitted use, minimisation and data protection requirements. 7. DATA ACCESS GOVERNANCE Govern access to sensitive, client, partner and WPP-owned data across DTS. This includes: * Defining standards for dataset access approval, review, revocation and evidence. * Supporting data classification from an access-control and security-governance perspective. * Ensuring access to sensitive data is role-based, purpose-based, least-privileged and auditable. * Supporting controls for cross-client, cross-market, cross-agency and partner data access. * Ensuring data access governance supports InfoSum, Open Intelligence, Resolve, WPP Open and other DTS data collaboration use cases. * Working with Privacy Engineering on data minimisation, permitted use, retention and privacy-by-design requirements. * Ensuring data access risks are surfaced through the DTS risk process. 8. GOVERNANCE OF ACCESS TO TOOLS, WORKFLOWS AND ACTIONS Ensure access governance extends beyond systems and datasets into tools, workflows and actions. This includes: * Defining governance for access to operational tools, workflow automation, orchestration systems, AI tools and administrative actions. * Ensuring high-risk actions are subject to appropriate approval, logging and monitoring. * Supporting segregation of duties across sensitive workflows. * Ensuring automated workflows and agents have clearly scoped authority. * Working with Security Operations to ensure high-risk access and actions are visible in monitoring and detection processes. 9. AUDITABILITY, EVIDENCE AND REPORTING Maintain clear evidence of access governance and support audit and assurance requirements. This includes: * Producing access governance evidence for SOC 2, ISO 27001, client assurance, internal audit and risk reviews. * Working with the ISMS and Risk Officer to ensure access controls, reviews, exceptions and remediation actions are documented. * Reporting on access review completion, high-risk access, overdue actions and access control gaps. * Supporting client and audit questions related to identity, access, privileged roles, service accounts, AI agents and data access. * Ensuring access governance is repeatable, measurable and auditable. Who you'll be working with: The Identity, AI and Data Access Governance Lead will be accountable for: * DTS identity and access governance standards. * Regular access reviews and recertification. * Privileged access governance. * External user, client, partner and vendor access governance. * Service account, machine identity, API key and token governance. * AI agent identity, permission and action governance. * Dataset and sensitive data access governance. * Governance of access to tools, workflows and high-risk actions. * Access governance evidence for audit, compliance and client assurance. * Escalation of material access risks into the DTS risk process. What you'll need: The successful candidate will have: * Experience in identity governance, access management, IAM, security governance, GRC, data access control or platform security. * Strong understanding of least privilege, role-based access control, attribute-based access control, access reviews, privileged access and segregation of duties. * Experience governing access across SaaS platforms, cloud environments, APIs, data platforms or enterprise technology estates. * Knowledge of identity platforms such as Okta, Auth0, Keycloak, Azure AD / Entra ID or similar. * Understanding of service accounts, machine identities, API keys, tokens, secrets and non-human access governance. * Understanding of AI agents, agentic workflows, delegated authority and tool-access governance would be highly valuable. * Understanding of data classification, dataset access governance, privacy-by-design and audit requirements. * Ability to work across security, architecture, product, engineering, infrastructure, legal, privacy and compliance teams. * Strong organisational skills and ability to coordinate reviews, evidence, remediation and reporting. * Ability to translate complex access issues into clear risks, controls and practical actions. LEADERSHIP EXPECTATIONS The Identity, AI and Data Access Governance Lead is expected to: * Be structured, disciplined and pragmatic. * Bring clarity to complex access and permission models. * Challenge excessive, unclear or poorly governed access. * Work constructively with product and engineering teams to design workable controls. * Avoid creating unnecessary bureaucracy while ensuring access is properly governed. * Treat human, machine and agent access as part of the same control landscape. * Escalate material access risks clearly and early. * Support DTS in building a secure, auditable and scalable access governance model. SUCCESS MEASURES Success in the role will be measured by: * DTS having clear identity, access and data access governance standards. * Regular access reviews completed on schedule with evidence. * Reduction in stale, excessive, orphaned or poorly owned access. * Stronger governance of privileged access and production access. * Clear ownership and review of service accounts, machine identities, API keys and tokens. * Defined governance for AI agent identities, permissions and actions. * Improved auditability of access to data, APIs, tools, workflows and production systems. * Better alignment between identity, security, privacy, architecture, product and engineering teams. * Material access risks being visible through the DTS risk register and Risk Review Board. * Increased confidence that DTS can answer: who or what has access to what, why, and when was it last reviewed? Who you are: You're open: We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views. We are open-minded: to new ideas, new partnerships, new ways of working. You're optimistic: We believe in the power of creativity, technology and talent to create brighter futures or our people, our clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected. You're extraordinary: we are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers of our industry; we provide extraordinary every day. What we'll give you: Passionate, inspired people – We aim to create a culture in which people can do extraordinary work. Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the industry. Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the challenge? #LI-Hybrid We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please discuss this with the hiring team during the interview process. WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular characteristics. We are committed to fostering a culture of respect in which everyone feels they belong and has the same opportunities to progress in their careers. PLEASE READ OUR PRIVACY NOTICE (HTTPS://WWW.WPP.COM/EN/CAREERS/WPP-PRIVACY-POLICY-FOR-RECRUITMENT) FOR MORE INFORMATION ON HOW WE PROCESS THE INFORMATION YOU PROVIDE.
At Upvest, we are on a mission to make investing as easy as spending money. Upvest empowers businesses to offer a wide range of investment products and the best experience in the field of capital market investment and retirement planning. Upvest’s Investment API is easy to integrate so that fintechs and financial institutions can save resources and fully focus on their core business. We are proud to partner with Europe’s leading Fintechs and financial institutions such as DKB, Revolut, N26 and Raisin. Founded in 2017 by Martin Kassing, Upvest now brings together over 270 talented professionals from more than 70 nationalities. Upvest is backed by €280M in total funding from world-class investors, including BlackRock, Tencent, Sapphire Ventures, and Bessemer Venture Partners, Earlybird, Notion Capital, and Motive. Our latest €105M funding round in March 2026 - led by Sapphire and Tencent - serves as a massive catalyst for our growth, allowing us to offer premier investment experience. ABOUT THE ROLE: Upvest is at the inflection point where security needs to scale and remain a foundational discipline of the company. We're hiring a Security Engineering Lead to step into our lean and efficient Security team, set its multi-quarter direction, work cross-functionally and scale Security Engineering into a team that continues to own Upvest's entire application security and cloud security posture in a highly regulated environment as it scales. This role sits alongside our Security Operations and GRC teams, which owns detection, response, and compliance operations. Where SecOps keeps watch over what's happening now, Security Engineering shapes what we build and how we build it, embedding security into the SDLC, hardening our cloud environment, and building the platforms that make security teams more effective. You will own the secure paved roads every Upvest engineer relies on: automated SAST/DAST/SCA in our GitHub Actions pipelines, SSDLC adherence, IAM and network controls, and the technical implementation of DORA's (and other regulations') ICT risk framework for our platform. Our mission for the team is simple: make the secure way the easy way for everyone at Upvest. WHAT YOU’LL DO: * Set the multi-quarter strategy for application and cloud security across Upvest's Investment API platform — aligned with our product roadmap, our tenant commitments, and our regulatory obligations under DORA, MiFID II, and BaFin's MaRisk / BAIT requirements. * Lead, mentor, and grow our Security Engineering and Upvest's security culture. You'll inherit a small, talented team and own hiring, onboarding, growth, and retention as we scale. And you'll create initiatives to build security into the development and product life cycle. * Build paved roads. Own how Upvest performs encryption, authN/authZ, CI/CD, data, and network surfaces. We want fewer security review queues and more security baked into the templates. * Own application security end-to-end. Threat modeling, secure code review, SAST/DAST/SCA tooling integration in our GitHub Actions CI/CD, and vulnerability management. * Drive better cloud security posture across our GCP environment — IAM, VPC Service Controls, Cloud KMS, CSPM (Wiz), Binary Authorization for GKE, Terraform-driven infrastructure security baselines, and our Linkerd service mesh posture. * Mature Upvest's DORA technical implementation. Partner with our risk and compliance functions to translate DORA's ICT risk framework (Art. 5–9), secure development testing requirements (Art. 16), and threat-led penetration testing (Art. 24–27) into engineering work programmes — and into evidence we can show auditors and regulators. * Embed security in every product design. Partner deeply with product and engineering teams. Architecture reviews, design partnerships, security champions across product squads, collaboration beats gatekeeping. * Stay current on emerging threats. AI / LLM security, agentic identities, and the secure use of AI tooling in our own engineering workflow are an active concern * Represent Upvest's security posture clearly to everyone WHAT YOU BRING: * 6–10 years in security engineering, with 4+ years focused on product security or cloud security, and you work well in a regulated environment. You don't need to check every box, but we're asking for evidence that you've taken security from "owned by one team in a queue" to "embedded in how an engineering org ships." * Hands-on, technically credible. You earn the trust of engineers by going deep, so you're comfortable reading code, threat modeling designs, debating architectures, and writing tooling when it's valuable. * Cloud-native security depth. GCP preferred; AWS or Azure transferable. You know IAM, network segmentation, KMS, IaC security (Terraform), and Kubernetes hardening (RBAC, network policies, Pod Security Standards) as a craft. * Product/Application security foundations. OWASP Top 10 / ASVS, secure code review, SAST/DAST/SCA tooling integration, supply-chain security (SLSA, signing). * Lead through influence, not gatekeeping. You drive security outcomes through partnership with engineering teams. You can navigate ambiguity, set direction, and make sound risk-based decisions that scale with the organisation. People want to work with you, because you don't just say "no", you say "yeah, and this is how". * Hire and grow people. You've built or grown a small team. You set a high bar in interviews, invest in onboarding, give real-time feedback, and address performance issues quickly and fairly. Communicate cleanly across audiences e.g. a security incident write-up to engineering, a control narrative to an auditor, and a risk briefing to executives are three different documents, and you can write all three. NICE TO HAVE: * Experience securing multi-tenant B2B platforms or financial-API products: tenant isolation, API-as-product safety boundaries, and the specific operational shape of selling to regulated customers. * Experience with trading, custody, or securities settlement platforms, or curiosity about that domain. * Bug bounty / VDP programme management. * In a past life, you have shipped backend code in production, and you're comfortable in Go (preferred), Python, or another modern backend language. * Regulatory fluency. Working knowledge of DORA, MaRisk, BAIT, ISO 27001. You can change audit-speak or regulation into actionable technical requirements other people understand. You can hold your own with auditors and regulators without losing engineering pragmatism. * Background in engineering and offensive security * German skills are useful for some potential client interactions, but not required. Our working language is English. * Hands-on experience with AI/LLM security, agentic identity, or securing AI tooling in an engineering workflow. * Familiarity with the operational side of security is a bonus, hands-on experience with EDR and SIEM platforms, or a background in incident response. This matters in practice, you'll be part of the security on-call rotation, so being comfortable picking up an active incident is real, not theoretical. HOW WE UPVEST IN YOU: * Best-in-class AI tools: Every Upvenger has €20,000 per year to spend on the best AI tools available — so you're always working with the most powerful models and tooling on the market. * Impact-driven work: We’re building the infrastructure that will power the future of investing in Europe. It’s complex, ambitious, and meaningful. You’ll work with modern technologies and create something entirely new. No legacy systems, no limits. * Wellbeing: Recharge with 30 days of annual leave and maintain a healthy lifestyle with sports benefits. Access confidential professional coaching and enjoy the flexibility to work remotely abroad for up to 183 days a year. Recharge with UpRest, a one-month fully paid sabbatical after every 4 years of working at Upvest. * Development: Growth is in our DNA. Each Upvenger has access to a personal development budget and the freedom to decide how to use it. * Flexible work environment: Work from any of our hubs in Berlin, London or Tallinn hybrid or remotely across Europe, depending on the role. We give you the choice and budget to work where you’re most comfortable and productive, either at home or in the office. You choose. * Compensation and equity: We believe that all Upvengers contribute to our success and deserve a competitive, above-market salary and a participation in our employee equity program. * Team celebrations: Participate in company-wide events, such as UpFest, dinners, offsites and our Holiday party, to connect with colleagues and celebrate our achievements. * Inclusion: We’re committed to a culture where everyone belongs and thrives. Our Employee Resources Groups foster inclusion and connection, like Upfem for our female Upvengers, or UpVergent supporting neurodivergent Upvengers and allies. OUR VALUES: * Make it easy for others. We simplify the complex and act with the best intentions. * Own the outcome. We are proactive, fast and confident to get the job done, valuing progress over perfection. * Rise to the challenge. We aim high and push the boundaries. We stay curious, learn and celebrate our wins together. * Tell the story. We start with the Why to align on purpose. We are transparent and share knowledge to empower and inspire others. Upvest is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.
About the Team The Senior Manager of Application Security leads a global team responsible for embedding security into Miro’s Software Development Lifecycle (SDLC)—from concept to code to customer impact. This team partners closely with product and engineering to proactively mitigate risk while accelerating developer velocity and innovation.The role focuses on enabling secure-by-default development through secure design support, automated tooling, vulnerability management, offensive testing, and developer engagement. It also plays a critical role in integrating security into Miro’s Discover, Define, Deliver product lifecycle and aligning with our AMPED Ways of Working (Analytics, Marketing, Product, Engineering, Design) and AMPED Operating Model. As Miro embraces AI-supported software development and explores Agentic AI workflows that empower engineers, product teams, and security teams alike, this role will contribute to adapting and securing those evolving working methods—ensuring that innovation and trust go hand in hand. About the Role As Senior Manager of Application Security, you will define and operationalize Miro’s application security strategy in alignment with our industry-leading software development lifecycle and AMPED framework. You will lead a multidisciplinary team of application security engineers and offensive security specialists who work directly with developers, product teams, and platform engineering across multiple regions. You will embed security into all phases of the product lifecycle—from early discovery and architecture threat modeling, to design reviews and secure delivery pipelines, and ongoing monitoring and testing post-release. Your team will also support Miro’s AI-driven development tooling and guide secure adoption of Agentic AI workflows, which enable both developers and security teams to collaborate more efficiently and proactively. The role requires a pragmatic, hands-on leader who thrives in fast-moving environments and has a deep understanding of both software engineering and security, as well as a passion for empowering teams to build securely and autonomously. What you’ll do * Lead and mentor a globally distributed team of security engineers focused on application security, offensive testing, secure architecture, and vulnerability remediation. * Lead and coordinate the team's initiatives and help provide project management leadership to the team members. * Coordinate cross function and cross stream initiatives and projects. * Drive integration of security into Miro’s Discover, Define, Deliver lifecycle through the lens of the AMPED Ways of Working and Operating Model. * Collaborate with Product, Engineering, and Design to ensure security is considered at the earliest stages of ideation—via threat modeling, risk reviews, and abuse-case analysis.Shape and evolve Miro’s Secure SDLC practices, integrating security seamlessly into CI/CD pipelines, infrastructure-as-code, and developer tooling. * Oversee execution of bug bounty and third-party testing programs, ensuring vulnerabilities are triaged, communicated, and remediated effectively. * Build and scale Miro’s Security Champions program to embed security ownership within each engineering team. * Guide secure adoption of AI-augmented software development tools, including LLMs used for code generation, reviews, or architectural assistance. * Help envision and safely operationalize Agentic AI-driven developer and security workflows, including policy-driven autonomous agents supporting security automation and decision-making. * Provide structured guidance, patterns, and reference architectures that support developers in implementing secure, scalable, and privacy-respecting features. * Define and report on KPIs and success metrics for secure development adoption, vulnerability resolution, and developer engagement. * Collaborate with Privacy, Legal, and Compliance teams to ensure alignment with regulatory requirements (ISO 27001, SOC 2, GDPR, and emerging AI regulations). * Foster a strong team culture based on collaboration, learning, and continuous improvement. What you’ll need * 10+ years of experience in software, application, or product security, including significant experience in secure software development. * 3+ years of technical leadership or management experience in a security-focused role. * Extensive experience with threat modeling methodologies (e.g., STRIDE, PASTA) and risk assessment, particularly within a SaaS or product-centric organization. * Deep expertise in Secure Software Development Lifecycles (SSDLC), including integrating security into agile and custom development frameworks. * Demonstrated experience running Security Champions programs and scaling developer engagement. * Experience leading offensive security programs (penetration testing, red teaming, bug bounty). * Practical understanding of governance and assurance frameworks such as ISO 27001, SOC 2, and OWASP SAMM. * Familiarity with AI/LLM tooling (e.g., Cursor, GitHub Copilot, custom LLM integrations) and the associated security and governance considerations. * Experience working with AWS and securing API-driven, microservice-based architectures. * Ability to manage distributed teams and communicate effectively across technical and business stakeholders. Who You Are (Skills & Attributes) * Developer-Aligned: You understand the pace and pressure of modern software development and are committed to reducing friction while improving security posture. * An Exceptional Communicator: You can articulate complex technical risks to non-technical stakeholders and translate business goals into security strategy for your team. * A Natural Collaborator: You excel at building strong relationships and influencing cross-functional teams without direct authority. * A Pragmatic Problem-Solver: You are skilled at identifying scalable, risk-based solutions and are comfortable navigating ambiguity in a fast-paced environment. * Data-Driven: You use metrics and KPIs to measure the effectiveness of your programs and drive continuous improvement. * A Passionate Mentor: You are dedicated to developing talent and empowering engineers and product managers to be security champions. Why Join Miro’s Security Team? As a member of Miro’s security leadership, you’ll help define how innovation and trust scale together. You’ll work across the AMPED operating model, empower developers through secure tooling, and support cutting-edge AI-driven and agentic workflows that redefine how software and teams are built. If you thrive on technical depth, cross-functional collaboration, and advancing the next era of secure software development, this role is for you. What's in it for you We want you to feel supported, connected, and ready to grow. Our global benefits package generally includes equity, a wellbeing benefit, a WFH equipment allowance, and an annual Learning & Development stipend. Join a diverse team where you can do your best work. Full benefits may differ per location. If you would like to learn more about location-specific benefits, please refer to our Global Miro benefits board.