Description
The Experience
The Director of Customer Security is part of our Customer Response, Escalation, and Security Team (CREST) — a global team of elite incident responders protecting Salesforce customers from the most sophisticated security threats. This role leads CREST operations across the Asia-Pacific (APAC) region and US West Coast and sits within the broader Security organization, reporting to the Director of CREST.
We are looking for a Director of Customer Security who is an investigator first and a leader second. You will own the region's most complex, high-severity security incidents end-to-end — from hands-on log analysis and scoping through executive communication and regulatory notification — while building and managing the team that handles our growing incident volume. This role is based in Bellevue, WA or San Francisco, CA.
What You'll Actually Be Doing
- Personally lead the most complex customer security investigations across APAC and US West, including multi-cloud data exfiltration scoping, novel attacker tactics, techniques, and procedures (TTPs), and advanced API abuse — using tools like Splunk and SQL to determine scope, timeline, and exfiltration vectors.
- Serve as the final technical authority on containment decisions for the region, including credential rotation, OAuth revocation, IP blocks, and deployment moratoriums, and lead high-stakes customer calls — including those involving legal counsel or regulatory pressure — without requiring senior escalation.
- Own regional operations including staffing, capacity planning, on-call scheduling, and case assignment, while setting quality standards for investigation documentation and customer-facing notifications across APAC and US West.
- Drive cross-functional engagement with Detection Engineering, Threat Intelligence, Product Security, and Legal to close detection gaps, and lead the team's transition from manual investigation to AI-driven automated triage and scoping.
You're Our Person If...
- You have 10+ years in information security, including at least 5 years leading hands-on incident response — and you are currently performing technical investigations, not purely managing.
- You can independently scope data exfiltration across APIs, bulk exports, and connected apps in multi-tenant SaaS environments, and write complex multi-source Splunk and SQL queries, including regex-based correlation.
- You have a demonstrated track record of leading complex, high-severity incidents end-to-end — from technical investigation through executive communication and regulatory notification (including General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA), and state breach notification laws).
- You have built and managed high-performing, globally distributed security teams with clear performance standards, and can influence cross-functionally across Engineering, Legal, Product, and customer-facing organizations.
Even Better If...
- You have experience managing AI and automation programs within security operations, including agentic workflows or detection automation.
- You hold relevant certifications such as GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Analyst (GCFA), Offensive Security Certified Professional (OSCP), or Certified Information Systems Security Professional (CISSP).
- You have deep familiarity with the Salesforce platform ecosystem (Core, Marketing Cloud, Commerce Cloud) or comparable large-scale SaaS environments.
- You have a background in advanced threat hunting, behavioral modeling, or detection engineering programs.
For roles in San Francisco and Los Angeles: Pursuant to the San Francisco Fair Chance Ordinance and the Los Angeles Fair Chance Initiative for Hiring, Salesforce will consider for employment qualified applicants with arrest and conviction records.