Director of Product Security

The Executive Director of Product Security at Candescent will lead the strategic direction, development, and execution of the enterprise-wide product and application security program with specialized focus on Candescent’s SaaS products serving regulated enterprises.

This role is responsible for embedding security into the software development lifecycle (SDLC) and AI development lifecycle (AIDLC), partnering with engineering, product data science, AI/ML engineering, and infrastructure teams to ensure secure software design, development, and deployment of Candescent applications. The ideal candidate will be a visionary leader with deep technical expertise in securing software development lifecycles, shift-left security, AI/ML application security, strong business acumen, regulatory compliance awareness, and a proven track record of building and scaling secure development practices in complex Saas and AI-driven environments. 

Key Responsibilities and Deliverables 

Strategic Leadership 

• Define and drive the product, application and AI/ML security strategy aligned with Candescent’s business and risk objectives for regulated enterprise clients. 

• Lead the development and execution of secure SDLC and AI development lifecycle (AIDLC) practices across all engineering and data science teams. 

• Serve as a trusted advisor to senior leadership on application security risks, AI/ML security risks, platform security, model governance, trends, and mitigation strategies. 

• Participate in the establishment of AI security governance frameworks that meet regulatory requirements (EU AI Act, NIST AI RMF, ISO 42001). 

• Develop security strategies for supply chain, third-party integrations, LLM/GenAI implementations, and SBOM generation (Software Bill of Materials). 

Program Development & Execution 

• Build and mature the application security program, including threat modeling, secure coding, code reviews, and security testing across traditional applications and AI/ML systems. 

• Develop and maintain security standards, policies, and guidelines for secure application development, secure code repository controls, and associated AI model integration. 

• Oversee the integration of security tools (SAST, DAST, SCA, IAST, RASP) and AI security tools (model scanning, adversarial testing, data poisoning detection, model monitoring) into CI/CD and ML pipelines. 

• Implement industry leading DevSecOps practices and secure AI pipeline architectures. 

• Establish data governance and privacy controls for development and training data, including sensitive data handling and data lineage tracking. 

Collaboration & Enablement 

• Partner with Information Security, DevOps, Engineering, Data Science, ML Engineering, and Product teams to ensure security is embedded early and continuously. 

• Lead security champions programs for developer and data scientist training initiatives to foster a security-first culture with security awareness. 

• Collaborate with GRC, Risk, and Compliance teams to ensure regulatory and policy alignment specific to regulations and industry-specific requirements that apply to product and application development (HIPAA, SOC 2, GDPR, CCPA, AI, etc....). 

• Work closely with customer-facing teams to address client product security requirements and regulatory audit needs. 

• Partner with legal and compliance teams on relevant product security and AI compliance. 

Risk Management & Incident Response 

• Identify and prioritize application and AI security risks through assessments, penetration testing, red teaming and threat intelligence. 

• Conduct specific risk assessments including adversarial attacks, threat modeling, prompt injection, data exfiltration risks, etc. 

• Lead response efforts for application-related and AI security incidents and vulnerabilities. 

• Provide executive-level reporting on application and AI security posture, KPIs, and risk metrics with regulatory reporting capabilities. 

• Participate in third-party vendor security assessments and AI supply chain risk when . 

Qualifications and Experience 

• Bachelor’s degree in computer science, Information Technology, or equivalent 

• 10+ years of experience in cloud-first software development environments with an information security focus, with at least 5 years in product security leadership roles. 

• Deep understanding of modern application architectures (e.g. microservices, containers, APIs, cloud-native) and AI architectures. 

• Hands-on experience with secure coding practices, threat modeling, and vulnerability management including AI specific threat modeling. 

• Proficiency with security tools such as SAST, DAST, SCA, and container security platforms plus AI security tools. 

• Strong knowledge of OWASP Top 10, OWASP ML Top 10, OWASP LLM Top 10, CWE, CVE, and secure development frameworks. 

• Experience working in Agile/DevOps environments and integrating security into CI/CD and ML pipelines. 

• Proven ability to lead cross-functional teams and influence at all levels of the organization. 

• Deep understanding of regulatory compliance requirements for SaaS products serving highly regulated industries. 

Preferred Distinctions 

• Advanced degree in Computer Science, Cybersecurity, or related field. 

• Relevant industry certifications, and/or security certifications as a plus. 

• Experience with cloud security (AWS, Azure, GCP) and infrastructure-as-code security.