
Principal Product Security Engineer/Product Risk ...

Red Hat - Raleigh, NC


Job Description

The Red Hat Product Security team is looking for a Principal Product Security Engineer/Product Risk Manager to join us within the Global Engineering organization. In this role, you will be responsible for continuing to mature and enhance our risk management capabilities by identifying and managing risks that may impact our security and technology visions for the open hybrid cloud. This will involve continuing to enhance our risk management posture, performing technical analysis of potential risks, finding and advocating for paths to resolution, and engaging with senior leaders to accurately articulate risk. You will accomplish this by successfully collaborating across product management, product engineering, and partner ecosystems. This is a senior leadership role that offers you a broad range of responsibilities and challenges, and is ideal for an industry leader in open source looking to expand their global visibility, influence, and impact.

The location for this role is in North America, ideally in the Boston, MA or Raleigh or Durham, NC areas; however, remote in North America will be considered for the right candidate. Successful applicants must reside in a state where Red Hat is registered to do business.

What you will do

+ Own and Evolve the Risk Management Methodology: Develop, own, and manage the central Product Security risk register, establishing it as the single source of truth for tracking and decision-making. You will refine and standardize our security risk management practices and playbooks.
+ Assess and Quantify Risk: Partner with technical teams to establish a consistent methodology for assessing and quantifying risk that goes beyond traditional severity scores to incorporate business context such as product impact, revenue, and reputational damage.
+ Translate and Articulate Risks: Translate complex technical issues and compliance gaps into clear, quantifiable business impact for non-technical audiences. You will interpret cybersecurity risk analyses in business terms and recommend a responsible course of action.
+ Drive Governance and Coordination: Lead a cross-functional risk governance committee to review and act on top risks. You will drive remediation progress, manage the formal risk exception process, and participate in developing key risk indicators (KRIs), key control indicators (KCIs), and key performance indicators (KPIs) for various programs.
+ Create Tailored Reporting: Design and deliver tailored risk reports, metrics, and dashboards for diverse audiences, including executive leadership, product engineering leaders, legal, and sales organizations. You will work with security leadership to present information and influence change.
+ Improve and Standardize Processes: Build a structured, repeatable program for risk identification, assessment, and communication across the organization. This includes developing templates and materials to enable self-service risk management and continuously monitoring and improving the effectiveness of risk management processes and security functions.
+ Build Thought Leadership: Develop learning and development materials to foster a culture of risk awareness. You will grow the presence and thought leadership of the security risk management practice.

What you will bring

Technical and Risk Expertise

+ 7+ years of experience in product security, application security, or a technical GRC (Governance, Risk, and Compliance) role.
+ Deep understanding of core security concepts, including the Secure Development Lifecycle (SDL), threat modeling, vulnerability management, and risk assessment methodologies.
+ Experience building and managing a risk register using dedicated GRC platforms or other tools like Jira.
+ A bachelor's degree in a related field or an industry certification like CISSP, CGRC, CRISC or CISM is beneficial but not required.

Business Acumen and Communication

+ Exceptional ability to translate deep technical issues into clear business risks, explaining the

Created: 2025-11-01
