Security Product Lead – Product & AI Security at Sofi

Employee Applicant Privacy Notice Who we are: Shape a brighter financial future with us. Together with our members, we’re changing the way people think about and interact with personal finance. We’re a next-generation financial services company and national bank using innovative, mobile-first technology to help our millions of members reach their goals. The industry is going through an unprecedented transformation, and we’re at the forefront. We’re proud to come to work every day knowing that what we do has a direct impact on people’s lives, with our core values guiding us every step of the way. Join us to invest in yourself, your career, and the financial world. Role Overview The Security Product Lead – Product Security & AI Security is responsible for defining the strategic direction, roadmap, and measurable outcomes for securing the organization's product lifecycle and emerging AI/ML initiatives. This role sits within the Security Strategy & Delivery team and partners closely with the Product Security, Engineering, and Data Science/AI functional leaders and operational teams. This position ensures that Product Security and AI Security capabilities are treated as internal security products—aligned to enterprise risk priorities, supported by a clear roadmap, measured through defined KPIs, and delivered through structured program governance. The role requires strong cross-functional collaboration, strategic thinking, and the ability to influence without direct authority. By proactively embedding security controls into the product development lifecycle (SDLC) and addressing unique risks associated with AI/ML systems, this role directly supports the organization's overarching goal of protecting member trust, safeguarding corporate assets, and ensuring the continued stability and growth of the business. Key Responsibilities Strategy & Roadmap Stewardship • Develop and maintain a multi-year strategy and roadmap for Product Security and AI Security capabilities. • Align roadmap priorities with enterprise risk objectives, regulatory requirements (e.g., data privacy, AI governance), and evolving attack surface. • Identify capability gaps (e.g., secure coding practices, AI model integrity) and define strategic investment opportunities. • Translate strategic objectives into structured, sequenced initiatives. • Lead Security Due Diligence: Own the end-to-end security assessment process for M&A targets, including technical architecture reviews, vulnerability assessments, security program maturity evaluations, and risk quantification • Develop M&A Security Strategy: Define and continuously improve Meta’s M&A security playbook, methodologies, and standards to enable rapid, consistent, and thorough security evaluations • Drive Integration Planning: Partner with target companies and internal teams to design secure integration roadmaps that balance speed-to-value with security requirements • Manage M&A security assessments and integration roadmaps to design secure integration roadmaps, balancing speed and security Product & Capability Management • Define the value proposition and service model for Product Security and AI Security capabilities, including security requirements for all new product features. • Establish clear capability maturity targets (e.g., DevSecOps integration level, AI risk mitigation completeness) and continuous improvement plans. • Maintain and prioritize a strategic backlog aligned to measurable risk reduction outcomes (e.g., reduction in critical vulnerabilities, secure-by-design adoption). • Ensure capabilities are treated as ongoing products with lifecycle ownership, not one-time projects. • Translate business priorities, AI adoption strategy, and risk signals into a prioritized portfolio • Partner with engineering and product teams to reduce friction and improve predictability • Mature Secure SDLC practices and embed automation into CI/CD pipelines • Define and track outcome-based metrics (risk reduction, adoption, efficiency) Portfolio & Program Management • Own the portfolio view of Product Security & AI Security initiatives within the broader security strategy. • Structure and manage strategic programs required to deliver roadmap objectives (e.g., implementing an AI Red Team program, rolling out a new static analysis tool). • Define milestones, delivery plans, and success metrics for major initiatives. • Track progress against portfolio commitments and escalate risks proactively. • Manage cross-functional dependencies across Engineering, Product Management, Data Science, Legal, and other stakeholders. • Support quarterly and annual planning cycles, including investment • Ensure predictable execution through structured governance and reporting cadence. Cross-Functional Collaboration • Partner closely with the Product Security and AI/ML functional leaders and teams to align on priorities and execution sequencing. • Collaborate with Engineering, Product Management, Legal, Risk, and Compliance stakeholders. • Facilitate stakeholder alignment, trade-off decisions (e.g., security vs. speed), and expectation management. • Influence without direct authority to drive secure design principles and manage cross-functional projects to ensure delivery Continuous Improvement & Innovation • Monitor industry trends in software supply chain attacks, emerging vulnerabilities (e.g., OWASP Top 10), and AI-specific threats (e.g., model poisoning, prompt injection). • Identify opportunities for automation, analytics enhancement, and process optimization within DevSecOps pipelines. • Incorporate lessons learned from penetration tests, bug bounty programs, and security audits into roadmap evolution. Qualifications • Bachelor’s degree in Computer Science, Cybersecurity, or related discipline. • 7+ years of experience in cybersecurity, risk management, or technology strategy roles. • Demonstrated experience in Product Security (AppSec), DevSecOps, or AI/ML Security domains. • Demonstrated experience building and managing strategic roadmaps tied to measurable outcomes. • Experience providing strategic security due diligence and executing cyber security integration for M&A activities. • Strong understanding of secure development practices, vulnerability management, and common software security frameworks. • Understanding of AI/ML concepts and associated security risks, including data provenance, model integrity, and adversarial machine learning. • Strong product mindset with ability to translate strategy into execution. • Experience working in matrixed organizations with cross-functional stakeholders. • Strong analytical, communication, and executive presentation skills. Compensation and Benefits The base pay range for this role is listed below. Final base pay offer will be determined based on individual factors such as the candidate’s experience, skills, and location. To view all of our comprehensive and competitive benefits, visit our Benefits at SoFi page! SoFi provides equal employment opportunities (EEO) to all employees and applicants for employment without regard to race, color, religion (including religious dress and grooming practices), sex (including pregnancy, childbirth and related medical conditions, breastfeeding, and conditions related to breastfeeding), gender, gender identity, gender expression, national origin, ancestry, age (40 or over), physical or medical disability, medical condition, marital status, registered domestic partner status, sexual orientation, genetic information, military and/or veteran status, or any other basis prohibited by applicable state or federal law. The Company hires the best qualified candidate for the job, without regard to protected characteristics. Pursuant to the San Francisco Fair Chance Ordinance, we will consider for employment qualified applicants with arrest and conviction records. New York applicants: Notice of Employee Rights SoFi is committed to an inclusive culture. As part of this commitment, SoFi offers reasonable accommodations to candidates with physical or mental disabilities. If you need accommodations to participate in the job application or interview process, please let your recruiter know or email [Upgrade to PRO to see contact]. Due to insurance coverage issues, we are unable to accommodate remote work from Hawaii or Alaska at this time. Internal Employees If you are a current employee, do not apply here - please navigate to our Internal Job Board in Greenhouse to apply to our open roles.