MTS Manager

Full-time
Canada, USA
$190k-$215k per year
Senior Level
Posted 20 hours ago

Finite State partners with product security teams, the guardians of our connected world, to create transparency for their connected devices and supply chains. Our platform handles connected devices and embedded systems across all industries, including those found in enterprises, healthcare, utilities, connected vehicles, manufacturing facilities, critical infrastructure, and government entities. 

We are a fast-growing series-B company with a fully distributed workforce. Led by a team of seasoned experts, we are a mission-driven team passionate about arming our customers with the actionable insights, critical vulnerability data, and remediation guidance necessary to mitigate product risk and protect the connected attack surface. We are committed to a remote first culture.

MANAGER, PRODUCT SECURITY TECHNICAL MANAGED SERVICES

SUMMARY

  • Operational leader accountable for hands-on management, planning, and delivery of all Finite State Product Security Technical Managed Services: binary firmware analysis, device penetration testing, threat and risk assessments (TARAs), SBOM/SCA generation, vulnerability response coordination, triage and remediation, and long-term engagement support for connected product OEMs and manufacturers (strategic accounts)
  • Drives operational design, build-out, and scale of new and emerging managed services, including PSIRT-as-a-Service (PSIRTaaS), EU Cyber Resilience Act (CRA) sustainable compliance, and adjacent offerings, with Finite State's AI Product Security Automation Platform as the delivery spine
  • Direct people manager for the Technical Services team, accountable for hiring, onboarding, mentorship, performance management, capacity planning, skills development, and utilization optimization across a multi-disciplinary team of product security engineers and analysts
  • Customer-facing managed services delivery leader accountable for engagement quality, technical accuracy, schedule adherence, customer satisfaction, renewal, and expansion across the active managed services portfolio
  • Cross-functional partner to Product, Engineering, Sales, Marketing, Legal, and Regulatory Advisory Services Team, channeling field-level delivery experience into platform requirements, packaging and pricing, go-to-market enablement, and regulatory positioning

ESSENTIAL FUNCTIONS

Managed Service Delivery Operations

  • Manages day-to-day execution of all active managed technical services customer engagements; ensures delivery quality, technical accuracy, schedule adherence, and consistent application of Finite State methodology across binary analysis, penetration testing, TARA, SBOM/SCA, vulnerability management, and remediation advisory
  • Owns the full engagement lifecycle: scoping, statement of work, kickoff, execution, deliverable review, customer communications, and renewal/expansion planning
  • Establishes, maintains, and continuously improves service delivery playbooks, technical methodologies, deliverable templates, peer review gates, and quality acceptance criteria
  • Drives consistent integration of Finite State automation platform into every engagement; ensures platform capabilities are leveraged to maximum effect and that field experience feeds the platform roadmap
  • Defines, monitors, and reports Service Level Agreements (SLAs), Service Level Objectives (SLOs), and engagement-level KPIs including billable utilization, time-to-deliverable, defect/escape rates, customer satisfaction (CSAT/NPS), and renewal rate
  • Acts as senior technical escalation point for engagement issues, customer concerns, and complex or contested technical findings

New Service Build-Out and Operationalization

  • Leads operational design and standup of new product security managed service offerings — PSIRTaaS, EU CRA sustainable compliance, and other emerging services — including process design, runbook authoring, tooling integration, staffing model, pricing inputs, contractual scaffolding, and SLA framework
  • Partners with Product to ensure platform capabilities required for new managed services are scoped, prioritized, instrumented, and operationalized for service delivery 
  • Designs and operates the customer-facing PSIRTaaS function: continuous vulnerability monitoring, automated and human-assisted triage, advisory issuance, CVE coordination with the appropriate CNA, customer disclosure workflow, remediation tracking, and post-disclosure verification
  • Builds the operating model for sustainable EU CRA compliance services: conformity assessment support, Annex I essential requirements mapping, vulnerability handling obligations, technical documentation maintenance, and post-market surveillance support for connected product manufacturers

People Management and Team Development

  • Hires, onboards, develops, mentors, and retains a team of product security engineers and analysts across multiple technical disciplines (binary/firmware analysis, offensive security, embedded systems, SBOM/SCA, regulatory engineering, vulnerability management)
  • Sets individual performance objectives aligned to team and company OKRs; conducts regular 1:1s, delivers ongoing performance feedback, runs formal review cycles, and addresses performance issues directly and constructively
  • Builds and maintains team capacity plans and skills inventories; identifies gaps and drives hiring, cross-training, certification, and external training plans to close them
  • Manages utilization across the team to balance billable engagement work, capability development, and reserved capacity for new service launches and surge demand
  • Cultivates a culture of technical excellence, intellectual honesty, customer empathy, peer review, and continuous learning; fosters psychological safety in a fully remote operating environment

Customer Engagement and Account Management

  • Serves as senior delivery contact and trusted technical advisor for strategic customer accounts; owns the technical health of those relationships
  • Leads recurring service reviews, escalation discussions, and quarterly business reviews; ensures customer outcomes are visible, measurable, and tied to renewal and expansion narratives
  • Partners with Sales on scoping, statements of work, pricing alignment, and pre-sales technical engagement; provides expert input to deal qualification and risk
  • Identifies and qualifies expansion opportunities (additional products, additional service lines, multi-year commitments) and works with Sales to convert them

Financial and Operational Performance

  • Owns operational delivery against the Services ARR plan; accountable for margin discipline, utilization targets, and forecast accuracy
  • Provides input to pricing, packaging, and capacity planning for current and new service offerings
  • Tracks and reports delivery cost, gross margin per engagement, write-down and write-off rates, and other services-economics metrics; surfaces structural issues with concrete remediation proposals
  • Produces timely, accurate forecasts of staffing, hiring, and external contractor needs against the demand pipeline

QUALIFICATIONS

EDUCATION AND/OR EXPERIENCE

  • Bachelor's degree in Computer Science, Mathematics, Physical Sciences, Electrical/Computer Engineering, or equivalent demonstrable experience and certifications; advanced degree desirable
  • Minimum 8 years of relevant experience in product security, embedded/connected device security, application security, or offensive security — a meaningful portion delivered in a customer-facing services, consulting, or managed services context
  • Minimum 4 years of direct people management experience, including hiring, performance management, mentorship, and team development
  • Demonstrated experience standing up new service offerings or productizing technical capabilities within a managed services or information technology environment is strongly preferred
  • Hands-on technical depth in two or more of: binary/firmware analysis, penetration testing of embedded or IoT systems, threat modeling and TARA, SBOM and software composition analysis, vulnerability management and disclosure (CVE/CNA workflows), PSIRT/ESIRT operations

KNOWLEDGE, SKILLS, ABILITIES

Technical

  • Deep working knowledge of connected and embedded device security, including firmware, microcontrollers, wireless SoCs, RTOS environments, and integrated IoT systems
  • Hands-on familiarity with binary and firmware analysis tooling and methodology (Ghidra, IDA, Binary Ninja, radare2, and platform-driven equivalents)
  • Strong understanding of SBOM standards (SPDX, CycloneDX), VEX, software composition analysis, and vulnerability correlation against CVE/CPE/PURL
  • Strong understanding of vulnerability disclosure and PSIRT operating models, including ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling), CVSS v3.1/v4, and CNA operating procedures
  • Familiarity with offensive security methodology applied to embedded systems, including hardware-adjacent attacks (fault injection, side-channel concepts, debug interface exploitation) at a depth sufficient to scope, review, and quality-control the work
  • Working knowledge of TARA methodologies (ISO/SAE 21434 for automotive, IEC 62443-3-2 for industrial, MITRE ATT&CK and EMB3D where applicable)
  • Working knowledge of applied cryptography, secure protocols, secure boot, secure update, and key management as applied to embedded systems
  • Ability to ramp quickly on AI and agentic AI platforms and productivity systems; familiarity with the automated firmware/binary analysis platform category and AI-assisted vulnerability triage is preferred

Standards and Regulatory

  • Working knowledge of EU Cyber Resilience Act (CRA), including Annex I essential requirements, vulnerability handling obligations, conformity assessment routes, and post-market surveillance expectations
  • Working knowledge of IEC 62443, ETSI EN 303 645, NIST IR 8259 series, NIST SSDF (SP 800-218), and US Executive Order 14028 / OMB M-22-18 SBOM requirements
  • Familiarity with ISO 27001, SOC 2 Type I/II, and adjacent compliance regimes as they apply to a managed services delivery organization

Managed Services Operations

  • Demonstrated ability to design and operate service delivery functions to defined SLAs, SLOs, and quality standards
  • Demonstrated ability to manage utilization, capacity, and engagement profitability in a billable services context
  • Strong project and program management capability

Leadership and Communication

  • Excellent written and verbal communication skills; operates fluently with executives, technical individual contributors, customer technical staff, customer executives, regulators, and partners
  • Strong people leadership: hiring, coaching, performance management, conflict resolution, and team building in a fully remote environment
  • Demonstrated ability to translate technical findings into business and regulatory consequences for non-technical stakeholders
  • Customer-facing executive presence: owns escalations, leads difficult conversations, and represents Finite State at the most senior levels of customer organizations

Certifications

  • One or more of the following is required: CISSP, CSSLP, CCSP, GIAC (GPEN/GXPN/GREM/GICSP), OSCP, or equivalent demonstrated technical depth
  • One or more of the following is desirable: CISM, CRISC, CISA, ISO/IEC 27001 Lead Auditor or Lead Implementer, IEC 62443 Cybersecurity Expert, PMP/PgMP, ITIL Foundation or higher

Tools and Environments

  • Familiarity with vulnerability analysis and reverse engineering tools
  • Familiarity with SAST/DAST/IAST tooling categories
  • Familiarity with offensive security tooling 
  • Familiarity with collaboration and delivery tooling 
  • Comfort operating in a fully remote, cloud-only company environment

Compensation

Our salary ranges are categorized into two tiers based on geographic location:
  • Tier 1 (San Francisco, New York, Seattle): $200,000 - $215,000
  • Tier 2 (All Other Locations): $190,000 - $207,000
The final base salary will be determined by experience, skill set, and specific location. In addition to base pay, this role is eligible for equity and benefits.

About Finite State

At Finite State, we're on a mission to secure the connected world. Our platform empowers product security teams to detect vulnerabilities, manage software supply chain risks, and ensure compliance across complex device ecosystems. From IoT to critical infrastructure, we provide unparalleled visibility into firmware and software components, helping organizations protect their products and customers.

We move with urgency and intent — we’re transparent, own outcomes, put customers first, speak up, and learn fast — turning evidence into action. CLARITY is how we move fast without breaking trust.

  • C - Customer first - Learn from customers. Ship with urgency.
  • L - Leverage - Outsource the routine. Own the result.
  • A - Agency - We take responsibility—end to end.
  • R - Results - Ship value. Improve fast.
  • I - Integrity - Speak up. Experiment boldly. Be kind.
  • T - Transparency - Clear context. Faster decisions.
  • Y - 'Why' - Our mission—securing the connected products humanity depends on—is the reason Finite State exists. CLARITY is how we make that mission real, every day, at speed.

Bold Innovation – We push boundaries, explore new ideas, and take initiative to solve complex problems.

The Finite State platform brings visibility and control to the supply chains that create connected devices and embedded systems—all in a simple-to-use platform and at the scale manufacturers need to keep device production on time and on budget. After unpacking and analyzing every file, configuration, and setting in a firmware build, the platform generates a complete bill of materials for software components, identifies known and 0-day vulnerabilities, shows a contextual risk score, and provides actionable insights that product teams can use to secure their software.

We are proud to be an Equal Opportunity Employer. We do not discriminate based upon race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, or other applicable legally protected characteristics. Finite State is committed to working with and providing reasonable accommodations to applicants with physical and mental disabilities.
