Product Security Manager

About iHerb

iHerb is a global leader in health and wellness e-commerce, offering a vast selection of vitamins, supplements, and natural products. Our mission is to make health and wellness accessible to everyone. We are a passionate, fast-growing team of innovators and builders committed to providing a secure and seamless shopping experience for our millions of customers worldwide.

About the Role

We are seeking a highly skilled and experienced Product Security Manager to lead our security initiatives. In this crucial role, you will be responsible for defining, implementing, and maintaining security standards and practices across our product development lifecycle. You will work closely with engineering, product management, and other cross-functional teams to ensure our products and applications are designed and built with security as a top priority.

What you'll do

• Develop and implement a comprehensive product security strategy, including policies, standards, roadmap, and guidelines.

• Lead "shift left" security initiatives, embedding security directly into the software development lifecycle with a focus on automation and scalability.

• Oversee proactive product security testing activities, including code review, code vulnerability scanning, and penetration testing.

• Ensure your team has the right processes to assist with threat modeling, secure design reviews, risk acceptance, and security code reviews.

• Operate our vulnerability management and bug bounty/vulnerability disclosure programs to proactively identify and address security flaws.

• Manage product security incidents and coordinate response efforts when product security vulnerabilities are identified.

• Provide developer security training and awareness programs to product and engineering teams.

• Encourage the automation of security-specific tasks and build tools that empower iHerb teams to self-serve their security needs.

• Build strong partnerships and collaborate with product and engineering managers to champion security best practices across the organization.

• Stay up-to-date with the latest security trends, technologies, and threats to ensure our products remain secure.

• Manage and grow a team of application and product security engineers, guiding them to deliver high-impact projects that enhance our security posture.

• Develop and maintain a set of high quality metrics that measure the effectiveness of the product security program at iHerb and regularly report to leadership.

Qualifications

• Bachelor's degree in Computer Science, Information Security, or a related field.

• Minimum of 8 years of experience in product security, application security, or a similar role.

• 3+ years of engineering management experience.

• Strong understanding of secure software development principles and common security vulnerabilities (e.g., OWASP Top 10).

• Experience with standardized frameworks for maturing software security (OWASP SAMM, BSIMM)

• Experience with security testing tools and methodologies, i.e. SAST, DAST, SCA, and secret scanning.

• Experienced in securing complex cloud environments (Kubernetes, Docker, AWS/GCP).

• Excellent communication, leadership, and interpersonal skills with a bias for action.

• Ability to work effectively in a fast-paced, dynamic environment and move forward with incomplete or lacking information.

• Passion for building diverse, high-performing teams and growing engineers in a hybrid and remote setting.

• Ability to identify, evaluate potential vendor products and negotiate.

Preferred Qualifications

• Master's degree or relevant security certifications (e.g., CISSP, CSSLP).

• Experience with security automation and DevSecOps practices.

• Security community contributions, talks/presentations, CVEs, etc.

#LI-JC1