Director, Product Security
Listed on 2026-06-24
Who we are looking for:
The Director of Product Security is a critical leadership role responsible for the overall security posture of ACV’s software applications and platforms. Reporting directly to the CISO, this individual will own and mature the entire Product and Application Security program, integrating security practices throughout the Secure Software Development Lifecycle (SSDLC). This position requires a self‑motivated and highly organized leader with excellent communication and technical skills.
The Director will ensure the confidentiality, integrity, and availability of ACV’s product‑related data and systems by mitigating code‑based risks within a fast‑paced, technology‑driven environment. You will build and lead a high‑performing team, driving continuous improvement and ensuring ACV remains a secure and trusted platform for dealers and buyers nationwide.
- Design, implement, and manage the end‑to‑end Product Security program, focusing on securing ACV's proprietary applications and code base.
- Lead the adoption of DevSecOps practices, automating security tools and gates within the Continuous Integration/Continuous Deployment (CI/CD) pipelines to prevent security defects from reaching production.
- Establish and enforce Secure Software Development Lifecycle (SSDLC) requirements, including security training for engineering teams and defining secure coding standards.
- Build, mentor, and manage a team of Product Security Engineers responsible for application vulnerability management, security testing, and architectural review.
- Understand and protect against the risks that AI brings without becoming the team that puts the No in Innovation. Proactively identify and establish security guardrails for AI/ML model development and usage to ensure safe innovation and high engineering velocity.
- Oversee the deployment, tuning, and management of application security testing tools, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) to identify and remediate code‑based vulnerabilities.
- Lead vulnerability remediation efforts for all ACV products, working closely with engineering and product teams to prioritize and track fixes based on risk.
- Perform and oversee deep‑dive security architecture and design reviews for all new products, features, and core application services, ensuring security is "baked in" from conception.
- Define and manage secure configuration standards for containerized applications, microservices, APIs, and their supporting cloud infrastructure (AWS and GCP).
- Manage and coordinate external penetration testing and bug bounty programs focused on ACV’s applications and APIs.
- Design, maintain, and measure processes to prevent vulnerabilities from reaching production in a true Shift Left fashion.
- Work with Technical Program Management to create appropriate key performance indicators to show success and improvement points in the program.
- Contribute to ACV’s overall Governance, Risk, and Compliance (GRC) program by ensuring applications meet required internal security policies and external regulatory standards (e.g., SOC2, GDPR, CCPA).
- Lead security risk assessments, threat modeling, and tabletop exercises specific to product features and application architecture, identifying and prioritizing technical vulnerabilities and developing mitigation strategies.
- Ensure protection of sensitive data, including PII and financial information, within the application environment in compliance with relevant regulations. Validate that products conform to ACV’s data classification policies and other relevant documents and oversee processes to measure and enforce this before deployment.
- Serve as the primary security advisor to Product and Engineering leadership and stakeholders on all matters related to application and product security.
- Collaborate effectively with IT, Engineering, and Product teams to integrate security into their processes, fostering a strong security‑conscious culture across development teams.
- Maintain strong communication channels with remote team members, ensuring alignment and fostering a cohesive…