
Associate Director — Product & Application Security (EMEA)
Role Purpose
Lead and scale the Product & Application Security program for our product portfolio across EMEA. Own secure-by-design practices from architecture and threat modeling through DevSecOps in CI/CD, vulnerability management, and coordinated disclosure, enabling developer velocity without compromising risk posture. Align to our System Development & Application Security standards and reference patterns.
Key Outcomes
Establish EMEA-fit Secure SDLC guardrails (requirements → release gating) and publish reference architectures for authentication/authorization, secrets, cryptography, logging, and privacy.
Embed DevSecOps controls in pipelines (SAST, SCA, secret scanning, IaC/K8s policy-as-code, SBOM generation, artifact signing and provenance) with measurable pass/fail criteria.
Stand up product vulnerability management with SLA tiers, risk-based triage, and executive reporting.
Launch an EMEA secure coding enablement track and developer champions program.
Demonstrate compliance readiness for GDPR/NIS2 and AI-related controls applicable to product features.
Responsibilities
Own AppSec architecture and threat modeling for high-risk services; review designs and third-party components.
Define and enforce pipeline security controls; partner with Engineering to shift-left testing and automate gates.
Govern SBOM standards and software supply-chain risk (open-source hygiene, provenance, signing).
Lead vulnerability management and remediation orchestration across squads; partner with SRE for runtime hardening.
Chair the Product Security Review Board for go-live exceptions and risk acceptance.
Collaborate with Privacy/Legal on data protection by design; align with GRC on policy and control mapping.
Mentor an EMEA AppSec team; provide matrix leadership across GDC and product squads.
Required Qualifications
10+ years in Application/Product Security; 3+ years leading programs at scale.
Expertise with OWASP ASVS, threat modeling (e.g., STRIDE, informed by MITRE ATT&CK), API security, and cloud-native architectures (Azure/AWS).
Hands-on with SAST/SCA/DAST, IaC/K8s policy (e.g., OPA), container scanning, and SBOM tooling.
Proven stakeholder management with Engineering, Product, and Platform teams.
Relevant certifications such as CSSLP, CISSP, or CISM (preferred).
Preferred Qualifications
Experience with AI/ML product risks (prompt injection, model supply chain, dataset governance).
Familiarity with GDPR, NIS2, and secure disclosure practices.
Key Performance Indicators (KPIs)
Builds passing security gates (%).
MTTR for critical vulnerabilities.
Coverage of threat models and reference patterns.
SBOM completeness and policy adherence.
Exception trend and closure rate.
In the US, Grant Thornton LLP and Grant Thornton Advisors LLC (and their respective subsidiary entities) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Grant Thornton LLP is a licensed independent CPA firm that provides attest services to its clients, and Grant Thornton Advisors LLC and its subsidiary entities provide tax and business consulting services to their clients. Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
With a unified, local presence across seven countries, including the U.S. and Ireland, our platform represents a community of 18,000+ problem solvers, relationship builders, and quality-driven industry specialists. Serving clients across 16 distinct industries, we believe how we serve matters as much as what we do. Learn how we go beyond the expectations of business at GT.com.