GENERAL FUNCTION
The Director, Product Security will lead the design, implementation, and continuous improvement of the enterprise Secure Software Development Lifecycle (Secure SDLC) and Product Security program.
This includes defining security control frameworks, ensuring appropriate coverage across the application portfolio, and enabling design-stage security practices. The role provides both strategic direction and hands-on execution, working across organizational boundaries to embed security into application, API, data, and platform development processes.
The Director will be responsible for:
- Leading a small team of product security specialists
- Driving cross-functional alignment across Engineering, Architecture, and Security
- Ensuring consistent application of security controls at scale
- Providing a clear, auditable view of application security risk and control effectiveness
The role achieves results by influencing without authority, removing impediments, enabling collaboration, and ensuring security practices are both effective and scalable across a distributed Agile environment.
They personally follow policies and procedures as defined and are accountable for always doing the right thing for customers and colleagues. The incumbent ensures that their actions and behaviors drive a positive customer experience. While operating within the Bank's risk appetite, the role achieves results by consistently identifying, assessing, managing, monitoring, and reporting risks of all types.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
- Drive implementation of a world-class enterprise Product Security and Secure SDLC control framework within the existing IT Target Operating Model.
- Develop and track Product Security KPIs/KRIs, including control adoption, coverage, and risk trends
- Ensure alignment of security controls across Application, API, Data, and Platform Security teams
- Partner with Enterprise Architecture to operationalize a scalable threat modeling practice
- Oversee execution of threat modeling and design security reviews for high-risk applications and APIs
- Promote adoption of secure design patterns and reference architectures
- Integrate security signals from AppSec, API Security, and EVM to produce holistic application risk views
- Identify systemic vulnerabilities and repeat risk patterns across the application portfolio
- Drive risk-based prioritization by providing inputs into Agile backlogs and delivery planning
- Define a product incident response process and integrate it into existing Bank incident response processes.
- Facilitate collaboration across Application Security, API Security, Data Security, Platform Security, EVM, First Line Business Controls and the Chief Software Engineering organization.
- Remove organizational impediments that limit adoption of secure development practices
- Challenge existing processes and identify opportunities for efficiency, consistency, and scalability improvements
- Provide audit-ready evidence of secure SDLC control effectiveness
- Align Product Security practices with regulatory expectations (e.g., GLBA, FFIEC, PCI)
- Ensure risk is identified, assessed, monitored, and reported appropriately
- Evaluate and improve Product Security processes to increase effectiveness and reduce friction
- Drive adoption of automation, reusable patterns, and scalable security practices
- Act as a leader of the Product Security craft, defining future direction and best practices
SUPERVISORY RESPONSIBILITIES: Duties include, but are not limited to:
- Directly lead a small team of specialized Product Security professionals.
- Provide coaching, performance management, and career development for direct reports
- Foster a culture of continuous learning, collaboration, and accountability for security outcomes
- Lead through player-coach engagement, contributing directly to program execution while guiding team direction
- Influence and mentor engineers and security practitioners across multiple teams without direct authority
- Support hiring, development, and capability growth as the Product Security function matures.
MINIMUM KNOWLEDGE, SKILLS AND ABILITIES REQUIRED:
- Typically, will have at least 6-10 years of combined people leadership and hands-on experience in their particular craft.
- Bachelor's or advanced degree in Computer Science/Information Systems or equivalent combination of education and experience.
- Deep understanding of secure SDLC practices, application security, and threat modeling methodologies
- Knowledge of modern application architectures (cloud-native, APIs, microservices, containers)
- Familiarity with vulnerability management processes and enterprise remediation practices
- Understanding of regulatory expectations for security controls and audit evidence in financial services
- Knowledge of enterprise architecture frameworks and secure design principles
- Ability to operate effectively as a player-coach, balancing leadership and hands-on execution.
- Strong ability to influence across organizational boundaries without direct authority
- Proven ability to translate technical vulnerabilities into business risk and engineering priorities
- Strong analytical skills to identify systemic issues across large application portfolios
- Ability to drive risk-based prioritization within Agile delivery models
- Excellent communication, presentation, and interpersonal skills to engage both technical and executive audiences.
- Demonstrated ability to communicate complex information in a simplified way and meet fast-paced deadlines.
- Critical thinking and creative problem solving.
- Ability to establish credibility as a technical and strategic leader across multiple domains
- Ability to balance security rigor with delivery speed, minimizing friction
- Capability to remove organizational impediments and enable cross-team collaboration
- Ability to scale security practices across a large, complex enterprise environment
- Demonstrated ability to build trust and create a safe, collaborative, and effective working environment.
Position not available for immigration sponsorship
Director, Product Security
The base salary for this position is reflective of the range of salary levels for all roles within this pay grade across the U.S. Individual salaries within this range will vary based on factors such as role, relevant skillset, relevant experience, education and geographic location. In addition to the base salary, this role is eligible to participate in an incentive compensation plan, with any such payment based upon company, line of business and/or individual performance.
LOCATION -- Cincinnati, Ohio 45202
Attention search firms and staffing agencies: do not submit unsolicited resumes for this posting. Fifth Third does not accept resumes from any agency that does not have an active agreement with Fifth Third. Any unsolicited resumes - no matter how they are submitted - will be considered the property of Fifth Third and Fifth Third will not be responsible for any associated fee.