Director of Product Security
ABOUT THE TEAM
The Information Security department is responsible for setting enterprise security policies and standards that are designed to protect the confidentiality, integrity, and availability of Morningstar information. The security team offers guidance and technical expertise in areas like application security, infrastructure and cloud security, policies and procedures, disaster recovery and compliance/regulation. We analyze emerging security threats and conduct risk and vulnerability assessments to ensure that our information remains secure.
ABOUT THE ROLE
The Director of Product Security is responsible for the Product Security Program for all of Morningstar's products globally and is key in promoting a security-by-design culture across the organization.
As part of this, the Director of Product Security fosters a security culture, sets global Product Security standards and processes for all product teams, implements appropriate security controls and tools, and continuously improves the overall program. This role works closely with the Technology Heads of all business units, senior management, and central infrastructure teams.
Morningstar makes significant use of AWS and other cloud providers for its products, and the Director of Product Security will contribute to the next evolution of Morningstar's Security Program as product teams shift towards a DevSecOps mentality.
The position reports directly to the CISO and is based in our Chicago office with flexible work arrangements.
Job Responsibilities
- Lead and improve Morningstar's global product security program including a team of Application Security Architects and Application Security Analysts.
- Partner with the business and product teams to align on product security needs.
- Define application security standards and processes for all of Morningstar's products.
- Improve security standards, processes, and tooling to support Morningstar's cloud migration and "shift left" of security within the development lifecycle.
- Collaborate with development teams and security champions across the organization to architect secure products.
- Lead the creation of secure reference architectures and patterns for all product teams to leverage.
- Develop, maintain, and communicate current and future security architecture strategies and models.
- Conduct risk assessments, threat modeling, and high-level information security reviews on Morningstar systems, applications, and platforms.
- Work directly with internal business units to communicate risk, provide security remediation advice, and deliver training as needed.
- Guide the creation and maintenance of secure coding guidelines and training programs to assist internal development personnel.
- Provide product security expertise to support the incident response process.
- Work with your direct reports and provide development opportunities and insightful coaching.
Qualifications
- A bachelor's degree and 7+ years' experience in a software development, software security, penetration testing, or security consulting role, or equivalent experience.
- Ability to create and execute the strategic direction for the application security program
- Ability to understand business requirements and architect security solutions accordingly
- Excellent communication skills with the ability to translate complex technical topics to non-technical audiences in an effective manner
- A strong understanding of software development, architecture, and application security
- A strong understanding of application security best practices and how to build secure software
- Experience architecting and deploying applications securely in cloud environments, ideally AWS, or experience performing cloud security reviews.
- Strong understanding of common authentication models and protocols (SAML, OAuth, OpenID Connect, etc.) preferred.
- Exposure to Agile and DevOps/DevSecOps processes
- Expert knowledge of application security vulnerabilities
- Experience developing and refining Secure SDLC processes
- Effective teamwork and leadership skills
Nice to have
- Experience with DAST, SAST, SCA, and similar tools
- Experience leading application/information security initiatives, or similar experience.
- Exposure to global teams working in different time zones.