Senior Director, Product Security Technical Lead
We are the leading source of intelligent information for the world's businesses and professionals, providing customers with competitive advantage. Intelligent information is a unique synthesis of human intelligence, industry expertise and innovative technology that provides decision-makers with the knowledge to act, enabling them to make better decisions faster. We deliver this must-have insight to the financial and risk, legal, tax and accounting and media markets, powered by the world's most trusted news organization.
Position Title: Senior Director, Product Security Technical Lead - JREQ088696
Business Unit: Thomson Reuters – Information Security & Risk Management
As the Senior Director, Product Security Technical Lead, you will develop a best-in-class enterprise product security program. Reporting to the Vice President, Product Security, you will work closely with the product management, software development and commercial teams to establish a strong security culture and build security by design into the software development process. You will define the value of enhanced information security capabilities of Thomson Reuters' products to internal and external stakeholders. You will provide input and oversight to help build robust and secure solutions that scale to the needs of professionals who depend on Thomson Reuters' products daily.
Main Responsibilities / Accountabilities:
- Define a Product Security strategy for Thomson Reuters' products to support business and customer needs.
- Collaborate with the go-to-market teams in order to understand Thomson Reuters' key partnerships, and how information security can help drive revenue and retention from a customer value proposition perspective.
- Drive product adoption externally to consumers by developing customer personas in order to understand and anticipate their needs.
- Partner with software engineers and development teams on building information security requirements and specifications into Thomson Reuters' products.
- Act as a technical security subject matter expert (SME) for Thomson Reuters' applications and product capabilities in pre- and post-sales discussions.
- Facilitate compliance with product security policies, practices and legal requirements.
- Provide coaching, on-the-job and hands-on Product Security training, creation of reference materials, and procedures.
- Review internally developed code for advanced security issues as part of an Agile Development process and educate Product Development teams on secure coding best practices.
- Develop and leverage automation and analytics capabilities to improve our cyber threat detection and prevention capabilities.
- Develop and assist in the implementation of threat modeling exercises with product teams.
- Assist with product penetration testing and interact with penetration testers and other external vendors to validate security controls.
- Evaluate the security posture of third party libraries and frameworks and provide product teams with guidance and documented best practices for safely incorporating them into their products.
- Develop and maintain internal libraries that provide common implementations of critical security controls.
- Research and evaluate new Product Security technologies for internal consumption.
Customer Security Teams, Product Managers, Application & Software Developers, IT Infrastructure Teams, and Information Security & Risk Management Subject Matter Experts
Essential Skills and Experience:
- Extensive software development experience:
  - Fully competent in most of the programming languages, software engineering methodologies, and software development tools our team uses:
    - Java, Groovy, jUnit, Spock, SQL, Elasticsearch
    - Angular2, ngrx, HTML5, JSON
    - AWS, UNIX/Shell, Jenkins, Gradle
    - IntelliJ, GIT, TFS
    - Aspose, JxBrowser
- Extensive application/product security experience in a large enterprise.
- Demonstrated and hands-on experience in the following areas:
  - Source code auditing, penetration testing, product assessments, vulnerability research, and reverse engineering
- Strong understanding of the software development lifecycle (SDLC).
- Willing to travel internationally up to 20%.
- Familiarity with common software flaws that lead to exploits, and experience with techniques for securing embedded systems (e.g. ASLR).
- Strong experience in conducting static analysis (SAST), dynamic analysis (DAST), security technical implementation guide (STIG), fuzz testing (FUZZY), and vulnerability scans.
- Experience with various security tools and products (Fortify, Burp Suite, HP WebInspect, Checkmarx, Nessus, IBM AppScan, etc.).
- Experience with common security scoring systems – CVSS v3 and CWSS, and secure coding standards/best practices
- Experience identifying and protecting against web application and web service security vulnerabilities including those found in the OWASP Top 10 and CWE Top 25.
- Excellent verbal and written communication skills.
Desired Skills and Experience:
- People leadership experience.
- Contributions to the security community such as research, public CVEs, bug-bounty recognitions, open-source projects, and blogs or publications.
- Experience with, or willingness to become involved with, international security standards, such as those developed by IEEE, ISO, IEC, SAE, FIPS, PCI, and IIC
- Bachelor's degree, preferably in Computer Sciences or Technology or equivalent work experience
- CISSP, CISA, & CISM preferred.
At Thomson Reuters, we believe what we do matters. We are passionate about our work, inspired by the impact it has on our business and our customers. As a team, we believe in winning as one - collaborating to reach shared goals, and developing through challenging and meaningful experiences. With over 60,000 employees in more than 100 countries, we work flexibly across boundaries and realize innovations that help shape industries around the world. Making this happen is a dynamic, evolving process, and we count on each employee to be a catalyst in driving our performance - and their own.
As a global business, we rely on diversity of culture and thought to deliver on our goals. To ensure we can do that, we seek talented, qualified employees in all our operations around the world regardless of race, color, sex/gender, including pregnancy, gender identity and expression, national origin, religion, sexual orientation, disability, age, marital status, citizen status, veteran status, or any other protected classification under country or local law. Thomson Reuters is proud to be an Equal Employment Opportunity/Affirmative Action Employer providing a drug-free workplace.
Intrigued by a challenge as large and fascinating as the world itself? Come join us.
To learn more about what we offer, please visit careers.thomsonreuters.com.
More information about Thomson Reuters can be found on thomsonreuters.com.