• Lead the design and execution of Upstart’s data security program, from early foundations through mature, scalable systems • Architect and build software solutions (APIs, services, and internal tools) that enable effective data protection and governance • Partner closely with Engineering, Analytics, Product, Legal, Risk, HR, and other stakeholders to secure sensitive data across diverse domains • Establish clear goals, success metrics, and accountability for data security initiatives • Drive adoption of least-privilege access models and modern data protection patterns across the organization • Mentor engineers and security practitioners, fostering strong technical standards and a culture of ownership • Continuously improve systems by learning from real-world signals such as false positives, operational feedback, and evolving threats

• Lead Test Security & Platform Defense Product Strategy (30%) • Own the end-to-end product strategy and roadmap for test security and platform defense across the digital assessment platform. • Define priorities based on assessment risk, threat intelligence, program needs, and platform constraints, ensuring a unified approach across current and future programs. • Synthesize inputs from Test Security, Platform Threat Intelligence, field observations, and engineering into clear problem statements, prioritization options, and actionable roadmap proposals. • Proactively identify new problem spaces and solution opportunities, challenging assumptions and advancing innovative approaches to assessment protection. • Maintain a forward-looking roadmap that evolves as threats, business needs, and technology change. • Establish a shared strategic narrative that aligns security, platform, and program leaders around goals, sequencing, and outcomes. • Coordinate Cross-Domain Execution (40%) • Translate product strategy into actionable initiatives implemented across multiple product domains and engineering teams. • Partner with product management leaders to integrate test security and platform defense solutions into domain roadmaps, align sequencing and dependencies across initiatives, and establish consistent security patterns, standards, and platform capabilities. • Engage program VPs as business owners to ensure solutions protect assessment integrity while supporting program-specific requirements and operational realities. • Surface prioritization conflicts and decision points, presenting structured options, risks, and delivery implications to Test Security and Technology, Program, and Product leadership. • Define shared success metrics so progress is measured holistically across teams, not in isolation. • Own and Deliver Critical Security Capabilities (15%) • When appropriate, directly own delivery for specific test security or platform defense capabilities, acting as a hands-on PM/PO for deeply technical engineering teams (e.g., secure client or related components). • Translate complex technical and security requirements into clear backlog priorities, delivery plans, and acceptance criteria. • Stay close to delivery to ensure strategy is grounded in execution realities and technical constraints. • Communicate Risk, Tradeoffs, and Impact (15%) • Communicate clearly and responsibly with senior leadership on security posture, emerging risks, progress against strategy, and key tradeoffs. • Translate highly technical, sensitive, or confidential information into appropriate-level messaging tailored to the audience, maintaining discretion at all times. • Build shared understanding and confidence across product, security, and program leadership through clear narratives, recommendations, and decision framing. • Serve as a trusted voice on test security and platform defense, particularly in moments of ambiguity, risk, or emerging threat response.

• Embed security best practices, such as encryption and authentication, directly into new products as part of the architecture and design process. • Identify vulnerabilities and security gaps during the design phase to present exploitation. • Define and enforce secure device architecture, including secure boot, hardware root of trust, device identity, and certificate-based authentication. • Own firmware security, including signing, update mechanisms, rollback protection, and vulnerability remediation. • Design and govern end-to-end encryption strategies spanning device, edge, and cloud. • Establish security requirements for low-cost hardware, balancing risk, cost, and operational constraints. • Conduct threat modeling for embedded systems, IoT protocols, and physical attack surfaces. • Partner with hardware, firmware, and manufacturing vendors to ensure supply-chain security controls. • Own product security incident response, including vulnerability triage, remediation coordination, customer communication, and post-incident reviews. • Manage coordinated vulnerability disclosure and CVE processes where applicable. • Lead Product Lifecycle Management security initiatives from concept throughout development, release, and maintenance. • Conduct product security testing and oversee penetration testing, vulnerability scans, and code reviews. • Define the product security strategic roadmap, goals, priorities, features and align product security with business objectives.

• Work with protocol, engineering, and privacy teams to provide guidance on security best practices and solutions • Lead cybersecurity and IT risk assessments, support the development, and provide recommendations on risk mitigations and control plans • Perform threat modelling and advise on solutions regarding crypto-related products • Develop and improve security standards and frameworks to meet future needs • Monitor and analyze emerging security trends • Deliver security training and awareness sessions tailored to various technical audiences