[Hiring] Director, Product Security @ACV

Role Description

The Director of Product Security is a critical leadership role responsible for the overall security posture of ACV’s software applications and platforms. Reporting directly to the CISO, this individual will own and mature the entire Product and Application Security program, integrating security practices throughout the Secure Software Development Lifecycle (SSDLC). This position requires a self-motivated and highly organized leader with excellent communication and technical skills. The Director will ensure the confidentiality, integrity, and availability of ACV’s product-related data and systems by mitigating code-based risks within a fast-paced, technology-driven environment. You will build and lead a high-performing team, driving continuous improvement and ensuring ACV remains a secure and trusted platform for dealers and buyers nationwide.

What you will do:

• Design, implement, and manage the end-to-end Product Security program, focusing on securing ACV's proprietary applications and code base.
• Lead the adoption of DevSecOps practices, automating security tools and gates within the Continuous Integration/Continuous Deployment (CI/CD) pipelines to prevent security defects from reaching production.
• Establish and enforce Secure Software Development Lifecycle (SSDLC) requirements, including security training for engineering teams and defining secure coding standards.
• Build, mentor, and manage a team of Product Security Engineers responsible for application vulnerability management, security testing, and architectural review.
• Understand and protect against the risks that AI brings without becoming the team that puts the No in Innovation.
• Proactively identify and establish security guardrails for AM/ML model development and usage to ensure safe innovation and high engineering velocity.
• Oversee the deployment, tuning, and management of application security testing tools, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) to identify and remediate code-based vulnerabilities.
• Lead vulnerability remediation efforts for all ACV products, working closely with engineering and product teams to prioritize and track fixes based on risk.
• Perform and oversee deep-dive security architecture and design reviews for all new products, features, and core application services, ensuring security is "baked in" from conception.
• Define and manage secure configuration standards for containerized applications, microservices, APIs, and their supporting cloud infrastructure (AWS and GCP).
• Manage and coordinate external penetration testing and bug bounty programs focused on ACV’s applications and APIs.
• Design, maintain, and measure processes to prevent vulnerabilities from reaching production in a true Shift Left fashion.
• Work with Technical Program Management to create appropriate key performance indicators to show success and improvement points in the program.
• Contribute to ACV’s overall Governance, Risk, and Compliance (GRC) program by ensuring applications meet required internal security policies and external regulatory standards (e.g., SOC2, GDPR, CCPA).
• Lead security risk assessments, threat modeling, and tabletop exercises specific to product features and application architecture, identifying and prioritizing technical vulnerabilities and developing mitigation strategies.
• Ensure protection of sensitive data, including PII and financial information, within the application environment in compliance with relevant regulations.
• Serve as the primary security advisor to Product and Engineering leadership and stakeholders on all matters related to application and product security.
• Collaborate effectively with IT, Engineering, and Product teams to integrate security into their processes, fostering a strong security-conscious culture across development teams.
• Maintain strong communication channels with remote team members, ensuring alignment and fostering a cohesive team environment.
• Create a culture of communication, where collaboration and a sense of partnership with the remainder of the organization is evident and valued.
• Create and maintain executive dashboards to increase security visibility throughout the organization and identify opportunities for improvement.
• Perform additional duties as assigned.

Qualifications

• 10+ years experience in Information Security, with at least 5+ years directly focused on Product Security or Application Security in a leadership role.
• Proven experience building and leading a centralized Product Security/AppSec program within a technology-driven, cloud-based SaaS company.
• Deep, hands-on knowledge of the Secure Software Development Lifecycle (SSDLC), CI/CD, and DevSecOps principles, including automating security tooling.
• Strong understanding of security frameworks and best practices (NIST CSF, ISO 27001, CIS Controls).
• Extensive experience with cloud security, with a strong focus on securing applications deployed in AWS and/or GCP environments.
• Experience with modern software development including Agentic and Generative AI techniques.
• Expertise with multiple application security tools, including SAST, DAST, MAST, SCA, API security platforms, and Web Application Firewalls (WAF).
• Excellent communication, interpersonal, and leadership skills, with an ability to translate complex technical risks into business context for executive leadership and stakeholders.
• Ability to work effectively in a remote environment and manage geographically dispersed teams.

Benefits

• Multiple medical plans including a high deductible, low cost health plan.
• Company-sponsored (paid) Short-Term Disability, Long-Term Disability, and Life Insurance.
• Comprehensive optional benefits such as Dental, Vision, Supplemental Life/AD&D, Legal/ID Protection, and Accident and Critical Illness Insurance.
• Generous paid time off options, including uncapped vacation days, the greater of 3 paid sick days or in accordance with the applicable state or local paid sick leave law, 6 paid company holidays, 2 floating holidays, parental leave, bereavement leave, jury duty leave, voting leave, and other forms of paid leave as required by applicable law or regulation.
• Employee Stock Purchase Program with additional opportunities to earn stock in the Company.
• Retirement planning through the Company’s 401(k).

Company Description

ACV is a technology company that has revolutionized how dealers buy and sell cars online. We are transforming the automotive industry. ACV Auctions Inc. (ACV) has applied innovation and user-designed, data-driven applications and solutions. We are building the most trusted and efficient digital marketplace with data solutions for sourcing, selling, and managing used vehicles with transparency and comprehensive insights that were once unimaginable. We are disruptors of the industry and we want you to join us on our journey.