Director, Product Security
ACV Auctions, Buffalo, NY, United States
If you are looking for a career at a dynamic company with a people-first mindset and a deep culture of growth and autonomy, ACV is the right place for you! We offer competitive compensation packages and learning and development opportunities, and we continuously raise the bar by investing in our people and technology to help our customers succeed. We hire people who share our passion, bring innovative ideas, and enjoy a collaborative atmosphere.
Who We Are
ACV is a technology company that has revolutionized how dealers buy and sell cars online. We are transforming the automotive industry with innovative, user‑designed, data‑driven applications and solutions. We build the most trusted and efficient digital marketplace with data solutions for sourcing, selling, and managing used vehicles with transparency and comprehensive insights that were once unimaginable. Our portfolio includes ACV Auctions, ACV Transportation, ClearCar, MAX Digital, ACV Capital, True360, and Data Services.
Benefits
Multiple medical plans, including a high‑deductible, low‑cost health plan
Company‑sponsored (paid) Short‑Term Disability, Long‑Term Disability, and Life Insurance
Comprehensive optional benefits such as Dental, Vision, Supplemental Life/AD&D, Legal/ID Protection, and Accident and Critical Illness Insurance
Generous paid time off options, including uncapped vacation days, the greater of 3 paid sick days or compliance with applicable state or local paid sick leave law, 6 paid company holidays, 2 floating holidays, parental leave, bereavement leave, jury duty leave, voting leave, and other forms of paid leave as required by applicable law or regulation
Employee Stock Purchase Program with additional opportunities to earn stock in the Company
Retirement planning through the Company’s 401(k)
Position Overview
The Director of Product Security is a critical leadership role responsible for the overall security posture of ACV’s software applications and platforms. Reporting directly to the CISO, the Director will own and mature the entire Product and Application Security program, integrating security practices throughout the Secure Software Development Lifecycle (SSDLC). This position requires a self‑motivated, highly organized leader with excellent communication and technical skills. The Director will ensure the confidentiality, integrity, and availability of ACV’s product‑related data and systems by mitigating code‑based risks in a fast‑paced, technology‑driven environment. You will build and lead a high‑performing team, driving continuous improvement and ensuring ACV remains a secure and trusted platform for dealers and buyers nationwide.
Key Responsibilities
Design, implement, and manage the end‑to‑end Product Security program, focusing on securing ACV's proprietary applications and code base.
Lead the adoption of DevSecOps practices, automating security tools and gates within the CI/CD pipelines to prevent security defects from reaching production.
Establish and enforce SSDLC requirements, including security training for engineering teams and defining secure coding standards.
Build, mentor, and manage a team of Product Security Engineers responsible for application vulnerability management, security testing, and architectural review.
Proactively identify and establish security guardrails for AI/ML model development and usage to ensure safe innovation and high engineering velocity.
Oversee the deployment, tuning, and management of application security testing tools, including SAST, DAST, and SCA, to identify and remediate code‑based vulnerabilities.
Lead vulnerability remediation efforts for all ACV products, working closely with engineering and product teams to prioritize and track fixes based on risk.
Perform deep‑dive security architecture and design reviews for all new products, features, and core application services, ensuring security is “baked in” from conception.
Define and manage secure configuration standards for containerized applications, microservices, APIs, and their supporting cloud infrastructure (AWS and GCP).
Coordinate external penetration testing and bug bounty programs focused on ACV’s applications and APIs.
Design, maintain, and measure processes to prevent vulnerabilities from reaching production in a true Shift Left fashion.
Work with Technical Program Management to create appropriate KPIs to show success and improvement points in the program.
Contribute to the overall Governance, Risk, and Compliance (GRC) program by ensuring applications meet internal security policies and external regulatory standards (e.g., SOC 2, GDPR, CCPA).
Lead security risk assessments, threat modeling, and tabletop exercises specific to product features and architecture, prioritizing technical vulnerabilities and developing mitigation strategies.
Ensure protection of sensitive data, including PII and financial information, within the application environment in compliance with relevant regulations.
Serve as the primary security advisor to Product and Engineering leadership and stakeholders on all matters related to application and product security.
Collaborate effectively with IT, Engineering, and Product teams to integrate security into their processes, fostering a strong security‑conscious culture across development teams.
Maintain strong communication channels with remote team members to ensure alignment and foster a cohesive team environment.
Create a culture of communication, where collaboration and partnership with the remainder of the organization are evident and valued.
Create and maintain executive dashboards to increase security visibility throughout the organization and identify opportunities for improvement.
Perform additional duties as assigned.
Requirements
10+ years of experience in Information Security, with at least 5 years focused on Product Security or Application Security in a leadership role.
Proven experience building and leading a centralized Product Security/AppSec program within a technology‑driven, cloud‑based SaaS company.
Deep, hands‑on knowledge of SSDLC, CI/CD, and DevSecOps principles, including automating security tooling.
Strong understanding of security frameworks and best practices (NIST CSF, ISO 27001, CIS Controls).
Extensive experience with cloud security, focusing on applications deployed in AWS and/or GCP environments. Experience with Fintech companies is desirable.
Experience working with modern software development, including Agentic and Generative AI techniques.
Expertise with multiple application security tools, including SAST, DAST, MAST, SCA, API security platforms, and WAF.
Excellent communication, interpersonal, and leadership skills, with the ability to translate complex technical risks into business context for executive leadership and stakeholders.
Ability to work effectively in a remote environment and manage geographically dispersed teams.
Our Values
Trust & Transparency | People First | Positive Experiences | Calm Persistence | Never Settling
At ACV, we are committed to an inclusive culture in which every individual is welcomed and empowered to celebrate their true selves. We foster a work environment of acceptance and understanding that is free from discrimination. ACV is an equal‑opportunity employer and does not discriminate based on sex, race, creed, color, religion, marital status, national origin, age, pregnancy, sexual orientation, gender, gender identity, gender expression, genetic information, disability, military status, veteran status, or any other protected characteristic. We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. If you have a disability or special need that requires reasonable accommodation, please let us know.
For information on our collection and use of your personal information, please see our Privacy Notice.
No immigration or work visa sponsorship provided for this position.
Compensation
The compensation range for this position is listed in the "Job Details" section at the bottom of this posting. Final compensation will be determined based upon the applicant’s relevant experience, skill set, location, business needs, market demands, and other factors as permitted by law.