Principal Product Security Architect & Engagement Lead

Role Summary

Lead and govern the end-to-end product lifecycle cybersecurity assessment engagement for the customer product, including CRA-aligned security evaluation, architecture assessment, threat modeling, technical oversight, evidence traceability, and executive reporting. Serve as the primary customer interface and ensure all assessment activities are executed in compliance with export-control requirements.

Key Responsibilities

- Lead overall engagement delivery, governance, and customer coordination

- Conduct product security architecture assessments and threat modeling activities

- Perform trust boundary analysis and review data flows across product components and external integrations

- Oversee CRA-aligned assessment methodology, compliance traceability, and lifecycle security evaluation

- Evaluate operational resilience, recovery considerations, and lifecycle security controls across deployed product environments

- Review secure-by-design implementation and product security governance practices

- Guide technical testing activities and validate risk prioritization and exploitability context

- Review security findings and ensure consistency across technical and compliance outputs

- Lead executive reporting, release readiness assessment, and remediation discussions

- Ensure evidence collection and assessment outputs align to CRA requirements

- Review lifecycle security considerations including secure decommissioning and data disposal practices

- Enforce export-control compliant handling of personnel, systems, and data

- Provide final quality assurance and assessment signoff oversight

Required Skills & Experience

Mandatory:

- Strong experience in product cybersecurity and secure-by-design principles

- Expertise in threat modelling, architecture review, and trust boundary analysis

- Strong understanding of product lifecycle security and operational resilience concepts

- Familiarity with secure SDLC, SBOM governance, and vulnerability management practices

- Strong executive communication and stakeholder management capability

- Experience across both offensive security and security architecture domains

Good to have:

- Experience leading CRA, regulated product security, or compliance-driven cybersecurity assessments

- Experience leading engagement in export-controlled environments

Preferred Certifications

- CISSP, CSSLP, SABSA / TOGAF (preferred)

- FedRAMP or regulated environment experience preferred

Years of Required Experience

- 7-10 years in product application security

- 5+ years in complex customer assessment and regulatory assessment engagements