Director, Product Security Engineering

<p>Navan is looking for a visionary <strong>Director of Security Engineering</strong> to lead the charge in protecting our customer-facing products and internal tools. As we pivot toward a future defined by <strong>AI-driven natural language interfaces</strong>, you will be the primary architect of a security strategy that balances rapid innovation with world-class defense-in-depth.</p> <p>Reporting directly to the <strong>CISO</strong>, you will oversee two critical pillars of our defense: <strong>Product Security</strong> (S-SDLC, Threat Modeling, Pentesting) and <strong>Security Software Engineering</strong> (Core AuthN/AuthZ, Encryption Services). Your mission is to ensure that security is not a bottleneck, but a built-in feature of everything Navan builds.</p> <h3><strong>What You’ll Do</strong></h3> <ul> <li><strong>Strategic Leadership:</strong> Own the overall strategy and roadmap for the Product Security and Security Engineering programs.</li> <li><strong>Scale the Function:</strong> Develop and scale a "shift left" security culture by integrating automated security tooling and "Security as Code" solutions directly into the IDE / CI.</li> <li><strong>Architect Core Services:</strong> Oversee the design and implementation of highly scalable security frameworks for authentication, authorization, and encryption, including cutting-edge transitions to Passkeys.</li> <li><strong>AI Emerging Tech:</strong> Secure the next generation of Navan products, specifically focusing on the security implications of LLM-integrated natural language interfaces and AI-driven workflows.</li> <li><strong>Cross-Functional Partnership:</strong> Act as a key liaison between Security, Engineering, and Product teams to drive risk remediation and ensure "Security by Design".</li> <li><strong>Team Building:</strong> Recruit, mentor, and manage high-performing teams, including the development of Red Team and PSIRT functions.</li> <li><strong>Operational Excellence:</strong> Drive visibility into application vulnerabilities and technical debt, ensuring clear prioritization and pragmatic remediation.</li> </ul> <h3><strong>What We’re Looking For</strong></h3> <ul> <li><strong>Experience:</strong> 12+ years in Security Engineering or Software Engineering, with at least 5 years in a senior leadership role managing technical teams.</li> <li><strong>Technical Breadth:</strong> Deep expertise across the full stack, including Java Spring Framework, Cloud Infrastructure (AWS), and containerization.</li> <li><strong>Identity Access Specialist:</strong> In-depth knowledge of modern authentication (SAML, JWT, OIDC, Passkeys) and complex multi-tenant authorization frameworks.</li> <li><strong>Security Domain Expertise:</strong> Proven track record in threat modeling, architecture reviews, and application penetration testing in high-risk environments (e.g., Fintech or Healthcare)</li> <li><strong>Tooling Mastery:</strong> Hands-on experience with S-SDLC automation, including SAST, DAST, IAST, and SCA integration.</li> <li><strong>Regulatory Knowledge:</strong> Familiarity with global compliance standards such as PCI DSS, SOC2, HIPAA, and FedRAMP.</li> <li><strong>Communication Influence:</strong> The ability to translate complex security risks into business impact for executive stakeholders while maintaining deep technical credibility with engineers.</li> </ul><div class="content-pay-transparency"><div class="pay-input"><div class="description">The posted pay range represents the anticipated low and high end of the compensation for this position and is subject to change based on business need. To determine a successful candidate’s starting pay, we carefully consider a variety of factors, including primary work location, an evaluation of the candidate’s skills and experience, market demands, and internal parity.<br><br>For roles with on-target-earnings (OTE), the pay range includes both base salary and target incentive compensation. Target incentive compensation f ... (truncated, view full listing at source)