Director, Security Product Risk Management

Overview

Docusign brings agreements to life. With Intelligent Agreement Management, Docusign helps organizations create, commit, and manage agreements across systems of record. This role leads a modern, automation-driven, data-informed security risk program to enable the organization to manage risk effectively and at scale.

What you’ll do

The Director, Security Product Risk Management is a strategic, product-focused leader responsible for designing, delivering, and evolving a security risk management program. You will ensure risks are identified, quantified, prioritized, and communicated in business-relevant terms. As the security product owner for Risk, you will set the vision, roadmap, and priorities for risk analytics, risk automation, and continuous monitoring. You’ll partner with engineering, product, GRC engineering, cyber defense, compliance, procurement, and business stakeholders to embed risk awareness, automation, and data-driven insights into systems and processes.

This is a people manager role reporting to the Senior Director of Security Governance, Risk Management and Compliance (GRC).

Responsibilities

  • Lead and mentor a team of risk managers, risk product managers, and risk analysts
  • Build a high-performing, product-driven team focused on measurable outcomes and continuous improvement
  • Define, deliver, and evolve security risk management enterprise-wide
  • Establish frameworks and processes for risk identification, assessment, prioritization, and reporting
  • Drive adoption of quantitative risk methodologies (e.g., FAIR) and data-driven decision-making
  • Lead security risk reviews across products, services, and infrastructure to enable faster, risk-informed choices
  • Define KPIs, KRIs, and executive-level reporting to measure control effectiveness and risk posture
  • Drive user adoption and operational efficiency through automation-first workflows across risk intake and reporting
  • Act as the bridge between technical risks and business priorities, ensuring stakeholders have actionable insights
  • Leverage predictive analytics and automation to prioritize risks based on potential business impact
  • Deliver executive-ready reporting to senior security leadership and cross-functional stakeholders
  • Partner with engineering to build real-time dashboards and centralized risk data pipelines, and to deliver risk automation capabilities and technical integrations
  • Expand third-party risk scope to include strategic partners, alliances, and developer ecosystem
  • Oversee technical integration reviews for SaaS, APIs, infrastructure connectivity, and data flows
  • Build and maintain a fourth-party dependency framework to manage cascading risks
  • Use attack surface monitoring, supply chain security platforms, and threat intelligence feeds to continuously track ecosystem exposure
  • Collaborate with legal, procurement, compliance, and other teams to integrate risk management into business processes
  • Partner with customer-facing security teams to support security assurance activities as needed

Qualifications

Basic

  • 12+ years in security risk management, GRC, or related security disciplines, with 8+ years in leadership roles
  • Bachelor’s or Master’s degree in Information Security, Risk Management, Analytics, or related field
  • Experience designing and leading enterprise security risk programs
  • Experience with cloud-native architectures, SaaS integrations, APIs, and security tooling
  • Hands-on experience with GRC platforms (ServiceNow, LogicGate, OneTrust) and automation-first workflows
  • Experience defining risk KPIs, metrics pipelines, and executive reporting frameworks

Preferred

  • Excellent stakeholder management and communication skills across technical and business audiences
  • Strong cross-functional collaboration, especially with engineering and executive teams
  • Documentation and reporting skills
  • Certifications: CISM, CRISC, CISSP, CCSP, or equivalent
  • Familiarity with attack surface monitoring, supply chain security, and continuous control validation
  • Experience driving automation strategies, predictive analytics, and data-driven insights
  • Knowledge of frameworks such as NIST CSF, ISO 27005, FAIR, SOC 2, FedRAMP, and DORA

Employee status and designations

Hybrid: Employees divide their time between in-office and remote work. Access to an office location is required. Frequency: a minimum of 2 days per week in the office; the exact schedule may vary by team, but some in-office time is expected every week.

Positions are designated as In Office, Hybrid, or Remote and may change based on business needs and local law.

Compensation and benefits

Pay ranges vary by location and factors such as experience. Examples for illustrative locations include:

  • California: base salary range $202,800.00 - $327,625.00
  • Illinois, Colorado, Massachusetts and Minnesota: $193,100.00 - $272,750.00
  • Washington, Maryland, New Jersey and New York (including NYC): $193,100.00 - $286,500.00
  • Bonus: variable incentive pay for sales roles; company bonus plan for non-sales roles
  • RSUs eligible for this role

Benefits

  • Paid Time Off and holidays
  • Paid parental leave
  • Health plans with employer contribution from day one
  • Retirement plans with employer contributions
  • Learning and development opportunities
  • Life events leave and other accommodations

Life at Docusign

We are committed to an inclusive culture where all employees feel valued and have equal opportunity to succeed. We provide accommodations during the application process and strive for a diverse workforce.

Equal Opportunity Employer

Docusign is an Equal Opportunity Employer. We hire based on experience, skill, aptitude and a can-do attitude, and we do not discriminate on the basis of protected characteristics. The EEO Know Your Rights poster is available as part of our policy disclosures.

Contact and privacy

Accommodation requests: accommodations@docusign.com. For application process assistance, taops@docusign.com. Privacy notices apply to applicants.

Listing details

  • Location: San Francisco
  • Salary: $250,000+
  • Job Type: Full Time
  • Category: Management & Operations