×
Apply for Jobs Apply for Jobs Post a Job Post a Job Local Jobs Home
Register Here to Apply for Jobs or Post Jobs. X
More jobs:
Cybersecurity IT Consultant Security Manager IT Project Manager

Head of Product Security – CISO function - BPL

Job in Greater London, London, Greater London, W1B, England, UK
Listing for: United States Digital Space LLC
Full Time position
Listed on 2026-06-15
Job specializations:
  • IT/Tech
    Cybersecurity, IT Consultant, Security Manager, IT Project Manager
Salary/Wage Range or Industry Benchmark: 125000 - 150000 GBP Yearly GBP 125000.00 150000.00 YEAR
Job Description & How to Apply Below
Location: Greater London

Head of Product Security – BPL CISO

Product Security | CISO Function

Role Purpose

The Head of Product Security leads the pillar responsible for ensuring everything the company builds and ships is secure by design. This is the most agile-facing pillar in the CISO function — it must embed into product squads without becoming a bottleneck, own the shift-left programme, manage the developer security toolchain, and provide assurance that releases meet the organisation’s security and compliance requirements.

The role requires a blend of technical depth, developer empathy, and pragmatic risk management. The ideal candidate is someone who understands application security at a hands-on level, has run a security champions programme in an agile engineering organisation, and knows how to make security a service that engineering teams want to use rather than a gate they try to avoid.

You will work more closely with engineering leadership than with regulators — this is a builder’s role, not an auditor’s role.

Key Responsibilities
  • Own and drive the shift-left security programme, ensuring security is integrated into the earliest stages of the software development lifecycle through threat modelling, secure design patterns, and automated tooling.
  • Manage the security champions programme, recruiting, training, and supporting champions across all product squads.
  • Own the developer security toolchain (SAST, DAST, SCA, secrets scanning) and ensure it is integrated into all CI/CD pipelines with minimal developer friction and calibrated thresholds to avoid noise.
  • Establish and operate the vulnerability management lifecycle, including scanning orchestration, triage, prioritisation, SLA assignment, remediation tracking, and exception management.
  • Chair the weekly Vulnerability Review Board, making prioritisation decisions on critical and high-severity findings in collaboration with engineering leads.
  • Define and publish the security engagement model for product and engineering teams, including trigger points (new service, new integration, pre-release), SLAs, and escalation paths.
  • Oversee threat modelling for new services and major changes, ensuring threat models are completed before development progresses beyond initial design.
  • Own the security sign-off process for production releases, providing risk-based release decisions (approved, approved with conditions, deferred, escalated) rather than binary pass/fail gates.
  • Provide self-service security capabilities to product teams: threat model templates, security stories backlog, secure coding guides, and accessible tooling documentation.
  • Produce security assurance reporting for the CISO, including vulnerability trends, SDLC integration metrics, champion programme health, and developer satisfaction with security.
  • Collaborate with Security Architecture and Engineering on the “paved road” of secure defaults, patterns, and base images that product teams build upon.
  • Manage and develop the Product Security team, balancing deep technical capability with developer relations skills.
Key Deliverables
  • Security champions programme with training curriculum, monthly meetup cadence, and recognition framework.
  • Developer security toolchain fully operational and integrated into 100% of CI/CD pipelines.
  • Vulnerability management dashboard with SLA tracking, ageing analysis, and trend reporting.
  • Product security engagement model document (trigger points, SLAs, outputs, escalation paths).
  • Security release certification process with standardised decision framework.
  • Monthly product security report for CISO (vulnerability trends, tooling adoption, champion coverage, developer satisfaction).
  • Threat model register with completion tracking and findings remediation status.
  • Secure coding standards documentation for all primary programming languages.
  • Developer security training curriculum and workshop materials.
Required Skills and Experience
  • CSSLP, OSCP or similar certifications.
  • Experience with PCI Software Security Framework (SSF) and its application to payment processing software.
  • Previous career as a software engineer or developer before moving into security — you understand the developer experience from the inside.
  • Experience…
Note that applications are not being accepted from your jurisdiction for this job currently via this jobsite. Candidate preferences are the decision of the Employer or Recruiting Agent, and are controlled by them alone.
To Search, View & Apply for jobs on this site that accept applications from your location or country, tap here to make a Search:
 
 
 
Search for further Jobs Here:
(Try combinations for better Results! Or enter less keywords for broader Results)
Location
Increase/decrease your Search Radius (miles)
0
200
Filters
Education Level
Experience Level (years)
Posted in last:
Salary
Advanced Search