Note: The job is a remote job and is open to candidates in USA. SAS is a leader in data and AI, inspiring customers to transform data into intelligence. They are seeking a Product Security Lead to maintain awareness of the external threat landscape and guide engineering leadership on security matters, while leading a team of offensive security specialists.
Responsibilities
- Maintain a current picture of the external threat environment, including CVEs, industry incidents, emerging attack patterns, and regulatory shifts, and proactively brief engineering leadership on what matters and why
- Assess how external threats map to the SAS portfolio in architectural context, filtering findings that are unexploitable given how Viya is built and deployed, so engineering teams stay focused on genuine risk
- Lead the organization's response to CVE risks from penetration tests, customer requests, and Tech Support PSIRTs, determining appropriate responses such as mitigation, compensating controls, or full remediation
- Lead, mentor, and direct a small team of offensive security specialists conducting internal penetration testing, validating findings, reviewing remediations, and coordinating follow-on testing
- Represent Global Engineering on the ISMS Board and serve as a named lead in the organization's security incident response playbook
- Ensure all applicable security policies and processes are followed to support the organization's secure software development goals
- Embrace curiosity, passion, authenticity, and accountability. These are our values and influence everything we do
Skills
- Bachelor's degree with major study in Computer Science, Electrical Engineering, or related field
- Extensive hands-on experience in product security, application security, or software security engineering, with a track record of meaningful impact, not just process compliance
- Deep technical understanding of modern software architectures, cloud platforms, and enterprise SaaS deployment models, sufficient to evaluate security findings in architectural context, not just in the abstract
- Proven experience in threat intelligence, CVE management, and security incident response, including hands-on involvement in active incidents
- Exceptional communication skills across audiences, able to brief executives on what matters and advise engineers precisely on what to do
- Equivalent combination of related education, training, and experience may be considered in place of the above qualifications
- Relevant security certifications preferred, such as GIAC certifications, CEH, CCSP, CSSLP, CISM, or CISSP
- Background in penetration testing leadership, offensive security, or red team operations
- Experience with supply chain security, SBOM, and third-party risk management
- Expertise in securing enterprise web applications and familiarity with OWASP Top 10, CVSS, CWE, and SANS-25
- Familiarity with security governance frameworks and ISMS participation
- Recognized thought leadership in the security community (publications, conference contributions, open-source)
Benefits
- Comprehensive medical, prescription, dental and vision plans.
- Medical plan options include: + PPO with low annual deductible and copays. + HDHP combined with a health savings account with a contribution from SAS (no access to on-site health care center).
- Onsite Health Care Center (HQ) that’s free to employees and family members enrolled in the PPO plan. There's a pharmacy too! Not local to HQ? The pharmacy will ship prescriptions for no additional charge!
- An industry-leading 401k plan.
- Tuition Assistance Program and programs and resources to support your development
- Generous time away including vacation time, a variety of paid holidays, and our much-loved U.S. Winter Wellness Break between December 25 and January 1.
- Volunteer Time Off, parental leave and unlimited paid sick days.
- Generous childcare benefits for all full-time employees.
Company Overview