
Head of Product Security

📍 India

Arts and Entertainment IntraEdge

Job Description

As the Head of Product Security, you will be responsible for defining, building, and leading Fluidra’s product security function for connected and IoT-enabled pool products. You will own the end-to-end product security strategy, embed security-by-design practices across the product lifecycle, and ensure compliance with the EU Cyber Resilience Act (CRA) and other applicable global regulations.

Reporting directly to the Global CISO, this role works closely with Engineering, R&D, Firmware, IoT, Compliance, Cybersecurity Architecture teams, and external partners to ensure secure, compliant, and resilient products.

Key Responsibilities

Strategy & Leadership

- Define and execute the product security strategy aligned with CRA requirements and industry best practices
- Build, mentor, and lead a high-performing team of product security engineers and analysts
- Establish global product security governance, policies, and standards across R&D teams
- Define, monitor, and report product security KPIs and metrics
- Provide regular updates on product security posture and compliance to executive leadership
- Stay current on emerging threats, regulatory changes, and industry trends

Security by Design

- Embed security-by-design principles throughout the connected product development lifecycle
- Lead threat modeling initiatives for new products and features
- Define security requirements from product concept through deployment
- Ensure OWASP standards are integrated into development practices
- Assess and mitigate security risks related to AI/ML-enabled product features

Vulnerability Management & PSIRT

- Establish and lead the Product Security Incident Response Team (PSIRT)
- Implement coordinated vulnerability disclosure processes
- Manage vulnerability reporting to ENISA, as required under CRA
- Oversee security patch development, validation, and deployment

Compliance & Supply Chain Security

- Own compliance with CRA and RED Article 3.3 for connected products
- Ensure SBOM generation, maintenance, and disclosure processes are in place
- Assess and manage third-party and supply chain security risks
- Oversee technical documentation for CE conformity declarations
- Define and manage product security support periods and end-of-life processes
- Coordinate with external auditors and certification bodies

Coordination & Stakeholder Management

- Collaborate with Cybersecurity Architecture teams on cloud security initiatives
- Manage external hardware penetration testing vendors
- Partner with R&D leadership to integrate security into product roadmaps
- Work closely with Quality and Regulatory teams on certifications
- Support Sales and Customer Success teams on product security queries
- Conduct product security due diligence for mergers and acquisitions

What We Are Looking For

Experience

- Minimum 10 years of experience in cybersecurity, with 5+ years focused on product or IoT security
- Proven experience building and leading security teams
- Hands-on experience with PSIRT operations and vulnerability disclosure
- Background in manufacturing, industrial, or consumer IoT environments preferred

Expert Knowledge

- Security-by-design methodologies and secure development lifecycle
- Threat modeling frameworks (STRIDE, PASTA, Attack Trees)
- OWASP standards (Top 10, IoT Top 10, ASVS)
- EU Cyber Resilience Act and Radio Equipment Directive requirements
- IoT security architecture and embedded systems
- Supply chain security and third-party risk management

Technical Skills

- Cloud security platforms (Wiz preferred)
- AWS IoT services and serverless architectures
- Embedded systems security
- SBOM generation and vulnerability management tools
- Security considerations for AI/ML-enabled products

Leadership & Communication

- Experience leading teams in global, matrixed organizations
- Strong communication skills across technical and executive audiences
- Proven ability to collaborate cross-functionally with engineering teams
- Vendor management and negotiation experience

Certifications

- CISSP or CISM (mandatory)
- Preferred: OSCP, GICSP, IEC 62443

Additional Requirements

- Excellent English communication skills (written and verbal)
- Willingness to travel internationally up to 10%, as required

Ready to Apply?

Don't miss this opportunity! Apply now and join our team.

Job Details

Posted Date: February 26, 2026
Job Type: Arts and Entertainment
Location: India
Company: IntraEdge
