Product Security Manager

Summary

Join iHerb as a Product Security Manager to lead security initiatives, defining and implementing security standards across the product development lifecycle. Collaborate with engineering, product management, and cross-functional teams to ensure product security. Develop and implement a comprehensive product security strategy, including policies, standards, and guidelines. Lead "shift left" security initiatives, embedding security into the software development lifecycle. Oversee product security testing, manage security incidents, and provide developer training. Encourage security task automation and build self-service tools. Build strong partnerships to champion security best practices. Stay updated on security trends and manage a team of security engineers. Develop and maintain effective program metrics and report to leadership.

Requirements

• Bachelor's degree in Computer Science, Information Security, or a related field
• Minimum of 8 years of experience in product security, application security, or a similar role
• 3+ years of engineering management experience
• Strong understanding of secure software development principles and common security vulnerabilities (e.g., OWASP Top 10)
• Experience with standardized frameworks for maturing software security (OWASP SAMM, BSIMM)
• Experience with security testing tools and methodologies, i.e. SAST, DAST, SCA, and secret scanning
• Experienced in securing complex cloud environments (Kubernetes, Docker, AWS/GCP)
• Excellent communication, leadership, and interpersonal skills with a bias for action
• Ability to work effectively in a fast-paced, dynamic environment and move forward with incomplete or lacking information
• Passion for building diverse, high-performing teams and growing engineers in a hybrid and remote setting
• Ability to identify, evaluate potential vendor products and negotiate

Responsibilities

• Develop and implement a comprehensive product security strategy, including policies, standards, roadmap, and guidelines
• Lead "shift left" security initiatives, embedding security directly into the software development lifecycle with a focus on automation and scalability
• Oversee proactive product security testing activities, including code review, code vulnerability scanning, and penetration testing
• Ensure your team has the right processes to assist with threat modeling, secure design reviews, risk acceptance, and security code reviews
• Operate our vulnerability management and bug bounty/vulnerability disclosure programs to proactively identify and address security flaws
• Manage product security incidents and coordinate response efforts when product security vulnerabilities are identified
• Provide developer security training and awareness programs to product and engineering teams
• Encourage the automation of security-specific tasks and build tools that empower iHerb teams to self-serve their security needs
• Build strong partnerships and collaborate with product and engineering managers to champion security best practices across the organization
• Stay up-to-date with the latest security trends, technologies, and threats to ensure our products remain secure
• Manage and grow a team of application and product security engineers, guiding them to deliver high-impact projects that enhance our security posture
• Develop and maintain a set of high quality metrics that measure the effectiveness of the product security program at iHerb and regularly report to leadership

Preferred Qualifications

• Master's degree or relevant security certifications (e.g., CISSP, CSSLP)
• Experience with security automation and DevSecOps practices
• Security community contributions, talks/presentations, CVEs, etc

Benefits

• Medical, dental, vision, and basic life insurance programs
• 401(k) plan
• Time Off and Paid Sick Leave
• Paid holidays
• Restrict Stock Units
• Annual bonuses