Director, DevSecOps – Trust Engineering

About the Team 

The Trust Engineering Team builds platforms used by all cloud engineers at Roku. Together, these components are designed to be a secure and cost-effective platform of services Roku engineers use globally. Our team owns the following segments:

• Bug Bounty Program
• Threat Hunting
• Attack Surface Management
• Threat Intelligence
• Incident Response
• Security Infrastructure as Code
• FinOps
• Security Architecture and Engineering

Our team members are smart, collegial, collaborative, and focused on building the best-in-class platform. We foster a culture of experimentation, looking for the best idea to take the day. As a leader on this team, our Director, DevSecOps, models this behaviour: If we’re not trying new things, we’re not growing. And, we need to grow and adapt so that Roku stays on top.

About the Role

As Director, DevSecOps, you will lead Trust Engineering’s Security Operations organization. Key areas of your work include:

Team Leadership

• Hire, lead, mentor, and manage top Sec talent (e.g, threat intelligence, attack surface management, security operations team members).
• Provide technical leadership to your team, with a focus on simplifying and accelerating operations
• Continue to build a world-class team of Trust engineers by attracting and hiring high-quality talent across the US, UK, and India. We are expanding in India, so part of your time in this role will involve working closely with the rest of engineering in support of a development center there.  This includes strategizing and actively participating in efforts to attract the best talent there.

Technical Leadership

• Lead our trust platform, providing automation and tools to development, security observability, and cloud security governance
• Oversee the operations of the Vulnerability Management program, including periodic penetration tests, and managing remediation activities.
• Utilize expertise in cyber security architecture and engineering in support of programs, proposals, and corporate objectives.
• Analyze the current security environment to detect critical deficiencies and recommend solutions for improvement through the development of cyber capability reference architectures and knowledge of current threat landscape.
• Analyze industry technology and market trends to determine their potential impact on the enterprise / product security posture.
• Provide regular, timely reporting on information security topics as required.

Strategy & Stakeholders

• Support the design and implementation of a Threat Intelligence strategy to align with our organization's objectives.
• Proactively identify information security deficiencies and opportunities for improvement to enable effective risk management and to deliver business value.
• Utilizing user and internal stakeholder feedback, collaborate with Roku senior management and align roadmaps, communication strategy, and evolution of our platform.
• Act as a product manager for the organization.  Design mechanisms to deeply understand our internal customers’ platform use and pain points.  (For example:  Create automation of security infrastructure as code aligned with company CICD pipelines)
• Negotiate with external vendors to drive Roku’s cloud security governance program and security tooling, (e.g., build vs buy)
• Lead stakeholder engagement sessions to capture business and product requirements to evaluate cyber solutions and aid in the development and deployment of technology across the enterprise.
• Direct the creation or modification of cyber defense architectures, cyber engineering plans, and team construction for programs and proposals.

We're Excited If You Have

 Leadership Skills

• You enjoy building a world-class team, attracting, inspiring, and retaining top talent
• You have excellent soft skills and can effectively communicate and drive alignment with a diverse set of people, ranging from developers to Roku executives.
• You enjoy the challenge of building internal platforms, cross-team collaboration, influencing the direction of the work, and substantively contributing to system architecture
• Provide technical leadership to the team with your experience and focus on simplifying and accelerating developer experience. Lead developer platform, application hosting platform, observability and cloud governance 
• You are self-driven and enjoy taking complete ownership of initiatives

Technical Skills

• Experience developing and deploying cyber security programs, specifically Threat Intelligence & Vulnerability Management programs and knowledge operating other aspects of security including security operations, incident response, forensic analysis, identity and access management, data protection, penetration testing, web application security testing, etc.
• 10+ years in a strategic engineering leadership role, setting vision and leading teams of 5+ people with excellent experience in leading and evolving managers.
• Experience designing and implementing DevSecOps, Security & Access management policies.
• Experience with cloud cost governance involving forecasting and managing costs
• Demonstrated ability to engage senior leadership and drive strategic outcomes
• Demonstrated ability to work with internal users as customers
• Working knowledge of security products in on-prem, hosted and SaaS models, including GRC platforms, SIEM/SOAR tools, firewalls, vulnerability identification, network security, end point protection, etc.
• Strong architectural abilities towards building a holistic security tools / frameworks
• Knowledge of Kubernetes, Istio, and Envoy
• Experience with observability tools like Prometheus, Grafana, Loki, Sumo Logic, XSIAM, etc.
• Experience with AI in automating security processes and to optimizing
• Knowledge of Gitlab, Artifactory, Docker, Terraform, CI/CD, and a good understanding of different deployment architectures
• Knowledge of  common automation tools such as Terraform or CloudFormation. 
• Experience with cloud security models, network security architecture, security policy development, responding to security incidents and coordinating incident activities.
• Knowledge of Enterprise Security compliance frameworks such as MITRE, FISMA, NIST 800-53, NIST 800-53A, NIST 800-37, ISO2700 and FIPS 199.
• Bachelor’s in Computer Science, or equivalent work experience

#LI-GL1