Information Security - Sr Security Program Manager

ACV

ACV

IT, Operations
Buffalo, NY, USA
USD 155k-195k / year
Posted on Oct 10, 2025

Sr Security Program Manager

We’re hiring a Sr Security Program Manager to contribute to and mature an integrated security program that spans Product Security (AppSec / SSDLC), Security Operations (SecOps/IR/cloud security), Technical GRC, and Enterprise Applications and Identity. This is a high-visibility, cross-functional, strategic role.

You will own program outcomes, influence product and engineering roadmaps, and be the “translator” between security, risk, leadership, and the business teams who rely on ACV’s marketplace every day. ACV’s scale and data scope (including sensitive vehicle, dealer data, identity, and payment information) mean your work will meaningfully reduce enterprise risk and enable secure growth.

You will be a trusted member and critical voice of the security leadership team, reporting directly to the CISO.

Core responsibilities

  • Work with stakeholders to create a unified security program roadmap covering Product Security, SecOps, and Enterprise Security. Translate risk appetite into prioritized initiatives, funding opportunities, and measurable outcomes.
  • Define and publish security KPIs/OKRs as dashboards for various internal audiences (MTTR for incidents, mean time to remediate critical vulns, AppSec coverage, third-party risk posture, compliance readiness, etc.). Use data to support visibility and continuous improvement.
  • Work with security teammates to collectively drive programs partnering with Product, Engineering, and DevOps to embed AppSec into the SSDLC: threat modeling, secure design reviews, SCA/SAST/DAST pipelines, CI/CD gating, and developer training.
  • Partner with Operational leads to drive maturity through the creation of requirement frameworks including documented procedures, incident response playbooks, and runbooks.
  • Collaborate with Legal, Privacy, and GRC teams to ensure enterprise controls align with SOC 2 and other industry standard framework requirements.
  • Partner directly with the CISO to ensure top initiatives are well-planned, resourced, and delivered. Anticipate needs, remove roadblocks, and help drive critical decision-making.
  • Identify gaps, improve processes, and support the development of scalable frameworks.
  • Drive cybersecurity initiatives from planning through delivery—ensuring on-time execution, resource alignment, stakeholder engagement, and clear reporting.
  • Help run team meetings, leadership offsites, and special projects that support team health, accountability, and long-term success.

The impact you’ll make

  • Create a program that reduces risk and creates demonstrable value for the business. We’re not the team that puts the no in innovation.
  • Move ACV toward measurable, auditable maturity (SOC 2/ISO/other frameworks), reducing audit friction and supporting faster go-to-market for revenue-critical services.
  • Ensure dealer and consumer trust by protecting highly sensitive data collected by the platform (identity, payment, vehicle/title/inspection data) and aligning controls to privacy commitments.
  • Positively influence the viewpoint that security is a value add to the organization, not a cost center.

What we’re looking for

Must-have

  • 8+ years experience building and operating security programs in SaaS / marketplace / fintech / large data platforms.
  • Demonstrable ownership across AppSec, SecOps, and Corporate Security domains.
  • Experience optimizing vulnerability management and incident response programs and helping them mature against measurable SLAs (MTTR, remediation windows).
  • Track record of influencing engineering/product leadership and delivering security as a business enabler (not a blocker).
  • Strong program management skills: roadmap creation, cross-functional timelines, budget stewardship, vendor selection and contract negotiation.
  • Excellent written + verbal communication; experience preparing executive risk briefings and board-level security summaries.
  • Bachelor’s degree in CS, Engineering, Information Security, or commensurate experience (5+ years) working in a similar role.

Nice-to-have

  • Prior experience at marketplaces or in automotive/transportation/finance verticals. Familiarity with data products, vehicle inspection pipelines, or payment flows is a plus.
  • Experience with SOC 2 readiness, ISO 27001, PCI scope reduction, or public company compliance programs.
  • Background in privacy program integration, especially where product telemetry/geolocation, vehicle data, and identity data are in scope.

Compensation: $155,000.00 - $195,000.00 annually. Please note that final compensation will be determined based upon the applicant's relevant experience, skillset, location, business needs, market demands, and other factors as permitted by law.

No immigration or work visa sponsorship will be provided for this position.