Omnissa is the first AI-driven digital work platform, built to support flexible, secure, work-from anywhere experiences. The Director of Security Architecture, Vulnerability Management and Response will set and drive the strategy for security functions, protecting the company's infrastructure and services while ensuring alignment with product security and engineering leadership.
Responsibilities:
- Set the multi-year strategy and roadmap aligned to Omnissa's risk appetite and business objectives
- Lead, mentor, and grow a globally distributed team of senior security engineers and architects across AMER and APAC
- Serve as the senior escalation point for design conflicts and remediation prioritization decisions, and for security incidents surfaced through the vulnerability response (PSIRT) process
- Represent the function to executive leadership, translating technical risk into business terms and reporting on posture, progress, and investment needs
- Partner with all lines of business to establish security standards, perform architecture and design reviews, and embed security into every stage of design and implementation
- Drive security framework development, hardening standards, and policy adherence across the enterprise
- Conduct risk assessments and requirements gathering for new infrastructure, products, and services, ensuring controls are defined before deployment
- Partner closely with Product Security and engineering to define security architecture requirements across the SDLC and CI/CD ecosystem, including threat modeling, architecture standards, SAST, DAST, software composition analysis, secrets detection, and artifact/image signing, ensuring security controls are built into development and deployment workflows from design through release
- Drive secure-by-design practices across the enterprise, reference architectures, secure design patterns, and paved-road templates that make the secure path the default path for engineering teams, reducing reliance on after-the-fact review
- Oversee threat modeling for new architectures, major features, and significant changes, partnering with IT, Product Security, and Engineering, to identify design-stage risk before implementation begins
- Define and maintain Omnissa's enterprise identity security strategy and standards, spanning workforce and non-human identities, including AI agents, and API-level access, authentication (SSO, MFA, phishing-resistant methods), authorization, privileged access, and identity governance, across on-premises and cloud environments, partnering with IT, who own and operate the underlying IAM tooling
- Partner with IT and engineering to drive adoption of modern identity architecture (e.g., Zero Trust access principles, just-in-time/just-enough access, federation standards) that scales to AI-driven and non-human identity growth across enterprise and product-facing systems
- Align security architecture, hardening standards, and control design with applicable frameworks: SOC 2, ISO 27001, NIST CSF/800-53, PCI, HIPAA, and FedRAMP; supporting control evidence and audit readiness in partnership with Compliance/GRC
- Partner with data owners, Legal, and Privacy to define data classification, residency, retention, and disposal standards, including for data used in AI/GenAI training, fine-tuning, and retrieval — and ensure security architecture enforces them across on-prem, cloud, and AI/ML pipelines
- Own the end-to-end Exposure Management program, the tooling, scanners, processes, and SLAs that identify, prioritize, and remediate risk across all environments
- Continuously monitor, prioritize, and report on vulnerabilities, providing remediation guidance to system and product owners and driving accountability to closure
- Govern the program in alignment with Omnissa's Vulnerability Management Policy and Standards
- Ensure Exposure/Vulnerability Management SLAs and remediation accountability apply uniformly across infrastructure, cloud, and product/application codebases
- Own the enterprise PSIRT strategy, partnering with the team on intake, triage, and coordinated response for vulnerabilities in Omnissa products and services, whether reported externally (researchers, customers, bug bounty) or discovered internally
- Define and enforce SLAs for triage time, severity scoring, and remediation timelines by severity
- Own the responsible disclosure program and any bug bounty/researcher relationships, including embargo management, CVE issuance, and public security advisory publication
- Serve as the central coordination point during high/critical vulnerability events, aligning Legal, Communications, Customer Success, and Engineering on response, customer notification, and regulatory disclosure obligations
- Maintain a closed feedback loop from PSIRT findings into Product Security's threat modeling, secure coding standards, pipeline security gates, and pen test processes: recurring vulnerability classes must directly inform these controls, not just get patched and closed
- Establish and mature Omnissa's security approach to AI and GenAI adoption, including guardrails, managed enterprise settings, and acceptable-use enforcement for AI tooling
- Partner with business and engineering stakeholders to assess and govern AI-related risk as new capabilities are introduced, ensuring controls keep pace with adoption
- Develop enterprise standards for secure AI usage and partner with Threat Management to define and support AI-related monitoring and detection requirements across the enterprise
- Evaluate and apply relevant AI risk and security frameworks (e.g., NIST AI RMF, OWASP LLM Top 10, ISO/IEC 42001) to guide model and pipeline risk assessments
- Make partnership and collaboration with SaaS/product engineering teams a central, ongoing priority — engaging early in the development lifecycle to embed security, unblock teams, and reduce friction
- Lead security tool selection, proofs of concept, and vendor negotiations, optimizing for capability, cost, and integration across the stack
- Manage vendor relationships and ensure the security toolchain delivers measurable risk reduction
Requirements:
- 10+ years in information security, including 5+ years leading technical security teams (engineering, architecture, and/or Exposure/Vulnerability Management), preferably at global SaaS companies
- Experience building and operating enterprise identity security strategy, including IAM/PAM architecture, authentication standards, and identity threat detection
- Deep hands-on background across multiple domains: cloud and network security, endpoint/workload protection, Exposure/Vulnerability Management, and Product Security/SDLC
- Working knowledge of data governance principles (classification, residency, retention) and major compliance/regulatory frameworks — including GDPR, CCPA, and CMMC alongside those listed above; AI risk frameworks a plus
- Proven track record partnering with engineering teams at a global SaaS company to drive security outcomes through influence and collaboration rather than mandate
- Experience with the full risk lifecycle: risk assessment, requirements gathering, control design, tool selection, vendor negotiation, and remediation oversight
- Strong communication skills with the ability to influence executives and engineers alike
- Hands-on experience partnering with Product/Application Security teams to integrate security into SDLC and CI/CD pipelines
- Practical experience with threat modeling methodologies and driving secure-by-design outcomes at the architecture stage, before code is written
- Experience operating across a globally distributed team and supporting 24x7 service models
- Background at a B2B SaaS/cloud company preferred, given the enterprise customer, contractual, and regulatory context this role operates in
- Experience securing AI/GenAI technologies and establishing governance for their enterprise use
- Familiarity with modern security tooling such as CrowdStrike, Wiz, Tenable, Seemplicity, Recorded Future, Cribl, and Palo Alto / Panorama
- Relevant certifications (e.g., CISSP, CCSP, or equivalent)