Product Security Advisor
What We'll Bring:
TransUnion’s Global Technology envisions and engineers secure, reliable, market-ready products that deliver a compelling experience to TransUnion’s customers, consumers and colleagues. Our strategy, globally aligned operating model, and product engineering mindset leverage our skills to their fullest capacity. Technology is an integral part of TransUnion’s business and value in the commercial market. By being a part of the Information Security Officer (ISO) Product Security team, you will be responsible for working with Product Engineering, Architecture, and Application Security to ensure security practices are implemented throughout the development lifecycle, thereby leading enablement of risk mitigation earlier in the development and helping to address technology debt.
What You'll Bring:
- 5+ years of application security or product security experience
- 3+ years of information security experience in a hybrid cloud environment
- In-depth knowledge of secure coding practices, threat modeling, secure architecture design, and secure SDLC/CICD pipelines
- Prior software development or engineering experience
- Experience in working with industry frameworks and standards such as OWASP, PCI, ISO 27001/27002, NIST CSF, and NIST 800 series
- This is a hybrid position and involves regular performance of job responsibilities virtually as well as in-person at an assigned TU office location for a minimum of two days a week
We'd Love to See:
- Information Security (CISSP, CISA, Security+) and cloud (AWS CCP) certification
Impact You'll Make:
The Product Security Advisor will ensure Product Engineering maintains end-to-end security of product through compliance with policy, standards, regulations and industry best practices. The Product Security Advisor will partner with InfoSec management to create and implement a program for enabling security standards across all products within the TransUnion US Markets portfolio.
- Guides and advises product development teams on secure coding practices, secure software development methodologies, and secure development lifecycle (SDLC) processes
- Works with engineering and development teams to ensure products comply with relevant security standards, regulations, and industry certifications, such as OWASP, CIS, or PCI-DSS, to ensure security is prioritized throughout the development lifecycle
- Assists Product Engineering teams with adoption of changes in application security tooling (SAST, DAST, etc.) and interpretation of its results to ensure vulnerabilities are addressed on a timely basis and prevented from deployment into production
- Builds relationships and partners with functional areas and leadership across the business and Global Technology to raise awareness and support for Product Security
- Maintains relationships with internal and external auditors and assessors to facilitate execution of audits and assessments
- Mentors and educates colleagues and stakeholders on secure coding practices and secure product architectures
TransUnion provides flexible benefits including flexible time off for exempt associates, paid time off for non-exempt associates, tuition reimbursement, additional (following any short-term disability) 10 weeks of parental leave with gradual return, adoption assistance, fertility coverage, spousal and domestic partner benefits, charity gift matching, employee stock purchase plan, retirement contributions with employer match, organizational growth potential through our online learning platform with guided career tracks, and access to TransUnion’s Employee Resource Groups.
We are committed to being a place where diversity is not only present, it is embraced. As an equal opportunity employer, all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, disability status, veteran status, genetic information, marital status, citizenship status, sexual orientation, gender identity or any other characteristic protected by law.
TransUnion's Internal Job Title: Advisor, InfoSec Governance