Description
Job Title: Business Information Security Officer (BISO)
About the team
Salesforce's Product Security team, a vital part of the broader Security organization, is dedicated to securing our customer data and assets while proactively managing risk and enhancing security posture. We thrive on deep collaboration with product and engineering teams to achieve optimal risk outcomes and maintain the trust our customers place in us.
We're seeking two highly accomplished Business Information Security Officers (BISOs) to join our team, one supporting our Availability & Infrastructure Engineering (AiE) team and the other our Hyperforce Platform Services (HPS) team. You will be leading security accountability for critical areas of our infrastructure and platform. These roles require moving beyond traditional compliance to become co-owners of security outcomes.
BISO for Availability & Infrastructure Engineering (AiE)
As the BISO for AiE, you will assume accountability for the security risk posture of the teams that keep Salesforce running 24/7/365—including Site Reliability Engineering (SRE), Big Data Observability, and Global Incident Response.
Your Mission:
Partner with AiE leadership to prioritize security risks within the context of mission-critical availability
Be the "Voice of Security" for operational teams where availability is intrinsically linked to security
Champion "Security for Operations" mindset, ensuring incident response frameworks, observability pipelines, and change management processes are robust against both adversarial threats and operational errors
Integrate "Security as Code" within CI/CD and release pipelines
Govern the use of AI in operations to automate security defenses and support operational resiliency
BISO for Hyperforce Platform Services (HPS)
As the BISO for HPS, you will secure the foundation of our business—our "Hyperforce" architecture—operating as the "Voice of Security" embedded with our most critical engineering teams.
Your Mission:
Partner with HPS leadership and architects to translate complex risks into engineering reality
Bring a "platform" mindset, understanding that security controls at the platform and infrastructure layer deliver exponential scale and value to downstream cloud tenants
Bridge the gap between "architectural risks" (multi-substrate security, cloud dependencies) and "operational risks" (patch management, configuration drift)
Foster a culture where security is indistinguishable from quality
Ensure risk decisions are deeply informed by specific technical context, constraints, and capabilities of our systems
Your Impact – Core Responsibilities (Both Roles)
Security Accountability & Partnership: Partner with product and engineering leadership to collaboratively prioritize security initiatives, negotiate trade-offs, and ensure executive-level accountability for achieving security and business outcomes
Strategic Risk Communication: Translate complex technical security signals into clear, compelling, and actionable executive and board-level business narratives
Operational Risk Management: Deliver regular, metric-driven readouts on security risk posture, actively maintain the Security Risk Register, and lead security due diligence for remediation timelines
Secure-by-Design/Secure-in-Operations Culture: Foster a culture of shared security responsibility by integrating security and compliance requirements throughout the infrastructure lifecycle
AI-Driven Optimization: Leverage generative AI technologies to reduce manual toil and enhance security risk management
Minimum Requirements
Bachelor's degree in Information Security, Computer Science, Information Technology, or a related field (equivalent experience may be considered)
10+ years of professional experience in security risk management, with at least 5 years dedicated to security operational roles supporting major cloud platforms (AWS, GCP, or multi-cloud environments)
Exceptional executive presence, negotiation, and influence skills with ability to partner at VP+ level without direct authority
High risk acumen and extensive experience managing complex portfolios of security risks
Strong working knowledge of industry standards and regulations (NIST CSF, ISO 27001, SOC 2, NIST 800-160, ISO 27035, ITIL v4, DORA)
Proven ability to build strong partnerships across all security functions (CSOC, Product Security, GRC, Enterprise Security)
Strong understanding of CI/CD security, infrastructure-as-code, and zero-trust architecture principles
Experience acting as a key stakeholder during major security incidents, managing executive escalations, and driving post-incident remediation
Additional Requirements for AiE Team:
Experience managing globally distributed teams across multiple time-zones with 24/7 on-call responsibilities
Strong grasp of availability metrics (SLAs, SLOs, error budgets) and ability to balance these with security error budgets
Foundational experience in SRE, DevOps, Big Data, or observability platforms
Experience with auto-remediation platforms and chaos engineering
Additional Requirements for HPS Team:
Solid understanding of hyper-scale architectures (like Hyperforce), containerization (Kubernetes), microservices, and distributed systems
Experience building or leading vulnerability management programs with context-based prioritization (SSVC, EPSS)
Strong understanding of IAM lifecycle, governance, and architecture (Least Privilege, RBAC/ABAC, SSO, MFA)
Preferred Qualifications
Demonstrated experience as a Business Information Security Officer (BISO) or equivalent security leadership role
Certifications such as CCSP, CISSP, CISM, AWS Certified Security Specialty, GCP Security Engineer, or CKS
Strong understanding of Secure SDLC, threat modeling, and integrating security checks (SAST/DAST) into development pipelines
For roles in San Francisco and Los Angeles: Pursuant to the San Francisco Fair Chance Ordinance and the Los Angeles Fair Chance Initiative for Hiring, Salesforce will consider for employment qualified applicants with arrest and conviction records.