SoFi is a next-generation financial services company and national bank focused on transforming personal finance. The Security Product Lead – Product Security & AI Security is responsible for defining the strategic direction and overseeing the security of the organization's product lifecycle and AI/ML initiatives.
Responsibilities:
- Develop and maintain a multi-year strategy and roadmap for Product Security and AI Security capabilities
- Align roadmap priorities with enterprise risk objectives, regulatory requirements (e.g., data privacy, AI governance), and evolving attack surface
- Identify capability gaps (e.g., secure coding practices, AI model integrity) and define strategic investment opportunities
- Translate strategic objectives into structured, sequenced initiatives
- Lead Security Due Diligence: Own the end-to-end security assessment process for M&A targets, including technical architecture reviews, vulnerability assessments, security program maturity evaluations, and risk quantification
- Develop M&A Security Strategy: Define and continuously improve SoFi's M&A security playbook, methodologies, and standards to enable rapid, consistent, and thorough security evaluations
- Drive Integration Planning: Partner with target companies and internal teams to design secure integration roadmaps that balance speed-to-value with security requirements
- Manage M&A security assessments and secure integration roadmaps, balancing speed and security
- Define the value proposition and service model for Product Security and AI Security capabilities, including security requirements for all new product features
- Establish clear capability maturity targets (e.g., DevSecOps integration level, AI risk mitigation completeness) and continuous improvement plans
- Maintain and prioritize a strategic backlog aligned to measurable risk reduction outcomes (e.g., reduction in critical vulnerabilities, secure-by-design adoption)
- Ensure capabilities are treated as ongoing products with lifecycle ownership, not one-time projects
- Translate business priorities, AI adoption strategy, and risk signals into a prioritized portfolio
- Partner with engineering and product teams to reduce friction and improve predictability
- Mature Secure SDLC practices and embed automation into CI/CD pipelines
- Define and track outcome-based metrics (risk reduction, adoption, efficiency)
- Own the portfolio view of Product Security & AI Security initiatives within the broader security strategy
- Structure and manage strategic programs required to deliver roadmap objectives (e.g., implementing an AI Red Team program, rolling out a new static analysis tool)
- Define milestones, delivery plans, and success metrics for major initiatives
- Track progress against portfolio commitments and escalate risks proactively
- Manage cross-functional dependencies across Engineering, Product Management, Data Science, Legal, and other stakeholders
- Support quarterly and annual planning cycles, including investment
- Ensure predictable execution through structured governance and reporting cadence
- Partner closely with the Product Security and AI/ML functional leaders and teams to align on priorities and execution sequencing
- Collaborate with Engineering, Product Management, Legal, Risk, and Compliance stakeholders
- Facilitate stakeholder alignment, trade-off decisions (e.g., security vs. speed), and expectation management
- Influence without direct authority to drive secure design principles and manage cross-functional projects to ensure delivery
- Monitor industry trends in software supply chain attacks, emerging vulnerabilities (e.g., OWASP Top 10), and AI-specific threats (e.g., model poisoning, prompt injection)
- Identify opportunities for automation, analytics enhancement, and process optimization within DevSecOps pipelines
- Incorporate lessons learned from penetration tests, bug bounty programs, and security audits into roadmap evolution