Senior Product Security Architect

Cubic Corporation


Date: 3 hours ago
City: Hyderabad, Telangana
Contract type: Full time

Business Unit:

Cubic Transportation Systems

Company Details:

When you join Cubic, you become part of a company that creates and delivers technology solutions in transportation to make people’s lives easier by simplifying their daily journeys, and defense capabilities to help promote mission success and safety for those who serve their nation. Led by our talented teams around the world, Cubic is committed to solving global issues through innovation and service to our customers and partners.

We have a top-tier portfolio of businesses, including Cubic Transportation Systems (CTS) and Cubic Defense (CD). Explore more on Cubic.com.

Job Details:

Summary: We are seeking a highly experienced Senior Product Security Architect who will be responsible for embedding security into the entire product lifecycle—from design to deployment—while enabling secure innovation at scale.

As a senior leader, you will define the product security strategy, influence engineering practices, and ensure security is a core pillar of product development rather than an afterthought. You will partner closely with engineering, DevOps, cloud, and business leaders to mitigate risks while accelerating delivery.

Key Responsibilities

1. Security Architecture & Strategy

  • Define and implement product security architecture frameworks and standards.
  • Integrate Security-by-Design and Privacy-by-Design principles into all products.
  • Establish a long-term product security roadmap aligned with business strategy.
  • Lead threat modeling and risk assessments for critical products and platforms.
  • Provide architectural guidance for:
    • Cloud-native applications
    • Microservices and APIs
    • SaaS and enterprise platforms
  • Drive adoption of security frameworks including:
    • NIST Secure Software Development Framework (SSDF) – NIST SP 800-218
    • OWASP SAMM (Software Assurance Maturity Model)

2. Secure SDLC (Software Development Lifecycle)

  • Design and implement a Secure SDLC (SSDLC) framework across teams.
  • Embed security controls across:
    • Design
    • Development
    • Testing
    • Deployment
  • Define and enforce:
    • Secure coding standards
    • Secure coding practices
    • DevSecOps integration
  • Ensure adoption of:
    • SAST (Static Application Security Testing)
    • DAST (Dynamic Application Security Testing)
    • SCA (Software Composition Analysis)
    • Penetration Testing frameworks
  • Establish security maturity metrics and SSDLC governance aligned with NIST SSDF and OWASP SAMM.

3. Engineering & DevSecOps Enablement

  • Partner with engineering teams to shift security left.
  • Drive adoption of DevSecOps practices and automation.
  • Enable teams through:
    • Security training and awareness
    • Secure coding guidelines
    • Architecture reviews
  • Implement and govern CI/CD security controls and secure pipeline configurations.
  • Act as a trusted advisor to engineering leadership.

4. Vulnerability & Risk Management

  • Oversee application and product vulnerability management lifecycle.
  • Define prioritization frameworks based on:
    • Risk severity
    • Business impact
  • Drive remediation programs and SLAs.
  • Conduct:
    • Penetration testing reviews
    • Security assessments
  • Interpret and prioritize findings from SAST, DAST, SCA, and penetration testing activities.

5. Cloud & Infrastructure Security

  • Provide security architecture for:
    • AWS / Azure / GCP environments
    • Container security (Docker, Kubernetes)
  • Define controls for:
    • Identity & Access Management (IAM)
    • Data protection (encryption, key management)
    • Network security

6. Regulatory Compliance & Governance

  • Ensure compliance with industry standards:
    • ISO 27001
    • SOC 2
    • GDPR and Data Privacy regulations
  • Implement audit-ready processes and controls.
  • Partner with risk teams for:
    • Security audits
    • Compliance assessments

7. Leadership & Stakeholder Management

  • Lead and mentor a team of Product Security Engineers and Architects.
  • Collaborate with:
    • Engineering leadership
    • Product management
    • Cybersecurity teams
    • External vendors and partners
  • Influence senior stakeholders on:
    • Security investments
    • Risk posture
    • Strategic priorities

8. Incident Readiness & Response

  • Support security incident handling related to product vulnerabilities.
  • Define incident response playbooks for product security risks.
  • Conduct post-incident reviews and improve controls.

Required Qualifications

Education

  • Bachelor’s or Master’s degree in:
    • Computer Science
    • Information Security
    • Engineering
    • Related field

Experience

  • 12–18+ years of experience in:
    • Application Security
    • Product Security
    • Security Architecture
    • DevSecOps
  • Proven experience in a leadership role (Senior Manager / Architect level).
  • Hands-on expertise in:
    • Secure application design
    • Threat modeling
    • Security architecture
    • Secure SDLC implementation

Technical Skills

Strong knowledge of:

  • OWASP Top 10
  • Secure coding standards
  • API security
  • NIST Secure Software Development Framework (SSDF) – SP 800-218
  • OWASP SAMM (Software Assurance Maturity Model)

Experience with:

  • Cloud security (AWS / Azure / GCP)
  • Container and Kubernetes security
  • CI/CD pipelines and DevOps tools
  • Implementation of CI/CD security controls and secure pipeline configurations
  • DevSecOps frameworks and automation

Strong understanding of:

  • SAST (Static Application Security Testing)
  • DAST (Dynamic Application Security Testing)
  • SCA (Software Composition Analysis)
  • Penetration Testing methodologies and frameworks
  • Security testing and vulnerability remediation workflows

Familiarity with:

  • SIEM and monitoring tools
  • Security orchestration and automation tools

Certifications (Preferred)

  • CISSP (Certified Information Systems Security Professional)
  • CSSLP (Certified Secure Software Lifecycle Professional)
  • CISM / CISA
  • AWS Security Specialty
  • Microsoft Azure Security Engineer
  • Relevant DevSecOps or Cloud Security certifications

Leadership Competencies

  • Strategic thinking with strong execution focus.
  • Ability to influence without authority.
  • Strong stakeholder management at the leadership level.
  • Problem-solving and risk-based decision making.
  • Ability to translate technical risks into business impact.
  • Strong communication and executive presentation skills.

Success Metrics (KPIs)

  • Reduction in critical vulnerabilities across products.
  • Adoption rate of Secure SDLC practices.
  • Improvement in security posture and audit outcomes.
  • Reduction in time-to-remediation.
  • Increased awareness and secure coding adoption across teams.
  • Improvement in SSDLC maturity and DevSecOps adoption.

Why This Role Is Critical

This role is central to ensuring that security scales with innovation. As organizations move toward cloud-native, API-driven, and digital-first ecosystems, the Product Security Architect ensures:

  • Security is embedded, not bolted on.
  • Risks are proactively managed rather than reactively addressed.
  • Engineering teams are enabled, not slowed down by security.
  • Secure development practices become part of the organizational culture.

Worker Type:

Employee

We are committed to creating an inclusive workplace and welcome applications from people of all backgrounds. We do not discriminate based on any protected characteristic under applicable law.
