Docusign is looking to embed quantifiable risk testing into engineering workflows and deliver automation and dashboards that translate complex security data into measurable risk insights for business and leadership decisions.
Requirements
- 5+ years of experience in security risk management, security product management, risk analytics or SaaS/API security and integrations risk
- Experience with security frameworks (NIST CSF, ISO 27001/27005, SOC 2, FedRAMP) and quantification methodologies (FAIR or similar)
- Experience with quantitative risk techniques (e.g., FAIR, Monte Carlo simulation) or control telemetry data pipelines
- Experience with GRC platforms (ServiceNow IRM) and data analytics tools (Power BI, Looker, Tableau)
- Experience conducting security risk assessments and technical reviews
- Experience with SaaS, APIs, cloud services and shared responsibility models
- Professional certifications such as CRISC, FAIR or CISSP
Responsibilities
- Drive the product roadmap for security risk quantification and testing enablement
- Act as a risk product owner in agile ceremonies: prioritize backlogs, define user stories, and ensure delivery against roadmap commitments
- Collaborate with GRC Engineering to design and deliver risk-scoring engines, automation workflows, dashboards, and integration points across systems (e.g., ServiceNow IRM, Power BI)
- Partner with engineering, product security, and architecture teams to embed quantifiable risk testing principles across all technology development, such as products, APIs, environments and cloud services
- Build and maintain relevant dashboards to report on risk scenarios and control performance metrics
- Integrate quantifiable risk outputs and testing data into executive security risk reporting
- Assess and quantify security risks across APIs and system integrations, ensuring testing coverage and risk scoring reflect exposure across interconnected services
Other
- Hybrid: Employee divides their time between in-office and remote work. Access to an office location is required. (Frequency: Minimum 2 days per week; may vary by team, but there will be a weekly in-office expectation)
- Strong cross-functional communication skills, able to translate technical risks into business impact and vice versa
- Analytical and structured thinker with comfort managing data-driven initiatives and automation programs
- Demonstrated ability to prioritize features, manage competing requirements, and deliver iterative product releases in collaboration with engineering and design partners
- Experience preparing risk insights for senior leadership