Head of Product Security



Posted 3 weeks ago

The Head of Product Security at Gojek is accountable for security of Gojek’s engineering and application platforms (our products and services). This leader is accountable for managing security in Gojek’s engineering development environments, cloud infrastructure, source code repositories, and ensuring security is optimized in the SDLC and CI/CD arenas. In addition, this leader will own, develop and implement strategies to continuously “shift left” to ensure a “security-at-birth” model.
The incumbent will partner with Engineering, Product, Core Fraud, and Risk, Privacy, and Compliance teams to ensure that security is effectively interlocked and aligned with key business stakeholders. This leader is responsible for establishing and driving a product security program to integrate security into existing processes as well as establishing new processes to achieve security goals. He/she will serve as a trusted leader and advisor, and will lead a team to ensure that security requirements are met and aligned with business strategy.
This role reports to the Gojek CISO and will lead and grow a team and continuously evolve the product security function to align and scale with the business.


  • Serve on the engineering leadership team to define and ensure that common process, standards and tools for security engineering are established and followed
  • Drive for high degrees of security automation and help build a “Security at Birth” and “Security as Code” culture
  • Ensure an engaged, innovative, and encouraging working environment in the department by motivating, challenging, and mentoring employees towards growth
  • Build and mature the DevSecOps program and implement “shift left” initiatives
  • Transform the existing product security function by building tight alignment with key business stakeholders to increase security effectiveness across the engineering development lifecycle
  • Lead and build/grow an existing DevSecOps team responsible for conducting penetration tests, automation, static/dynamic code analysis, threat modeling, and developer training programs
  • Develop and execute secure software development strategy for the Product Engineering Group (PDG), including policies, standards and governance
  • Design, improve and manage security automation to integrate application security into various CI/CD across the enterprise
  • Improve and expand application security risk posture and processes across engineering including coverage for all engineering product and infrastructure groups
  • Regularly report on security metrics for product and engineering postures
  • Manage continuous release planning and execution and integrate with security design and engineering work across multiple groups and technical constituencies

Leadership - Team Development & Succession Planning

  • Develop and manage key stakeholder relationships with senior leaders from engineering, product, and business teams to work towards security outcomes
  • Work with peer organizations to benchmark and measure DevSecOps metrics and report on them regularly
  • Build, grow, mentor and continuously cultivate a high-performance DevSecOps team
  • Actively work on succession planning and develop and mentor managers and staff to achieve career goals
  • Lead cross-functional teams to define objectives, strategies and metrics in working towards targeted security goals and outcomes
  • Own and actively and responsibly manage the product / DevSecOps security budget to ensure the highest return on investments
  • Participate in personnel management including recruitment and selection, adequate staffing, performance appraisals, education and training

Relevant Experience

  • Exceptional relationship management with senior leaders and stakeholders – ongoing building and maintaining collaborative partnerships across all levels of an organization.
  • Strong ability to clearly articulate decisions based on risk-based / business impact decision tradeoffs
  • Experience in leading teams on technical security projects – ensuring commitments are met and ensuring key stakeholders are constantly informed of the status
  • Strong leadership qualities and business acumen able to communicate with all levels of the organization including technical leaders to senior business leaders. Ability to manage and communicate effectively with the ambiguity associated with working in a fast-paced and changing environment
  • Strong people management skills – providing direction, monitoring performance, motivating staff and building a positive working environment

The Person

  • Bachelor’s of Science degree in an Engineering discipline; Master’s preferred or equivalent work experience
  • 10+ years of engineering development (DevSecOps) experience in highly diversified and high growth organizations
  • Established track record in leading applications / DevSecOps teams in implementing “shift left” strategies. Familiarity with the leading tool-sets, including continuous penetration testing, automation, and SAST/DAST tools
  • Track record of aligning DevSecOps to business requirements and interlock with key stakeholders
  • Experience in managing and developing DevSecOps function and teams
  • Strong experience in securing large Kubernetes, Docker, and Google Cloud infrastructures
  • Experience in establishing and rolling out Threat Modeling that can be consumed by developers and engineers into user stories
  • Experience building security communities across engineering teams through evangelism and training programs
  • Knowledge of common information security management frameworks, including but not limited to: ISO 27001 / 27002 and PCI
  • Professional security certifications, such as a Certified Information Systems Security Professional (CISSP) or other relevant security credentials desired
Ensuring security in our products and services is a critical part of Gojek’s #1 objective to be the safest and most secure platform in the market. If you see a good fit, we'd love to chat.
Gojek is an equal opportunity workplace that is committed to diversity and inclusion. At Gojek we celebrate our differences, because we believe that diversity not only creates a healthier work environment for our employees, but also helps our business thrive. 

About us
Gojek is a technology startup based in Jakarta, Indonesia. Specialising in ride-hailing and logistics, we are also the only company in Southeast Asia to be part of Fortune's 50 Companies That Changed the World (2017).
Gojek is a Super App: one app with over 20 services including food delivery, commuting, digital payments, shopping, hyper-local delivery, massages, and many more.
Gojek is Indonesia’s first and fastest growing unicorn building an on-demand empire. Our total of 2,000,000 driver-partners collectively travel 16.5 million KM daily – making us Indonesia’s de-facto transportation choice.
Gojek is a verb! Gojek is a way of life!