• Partner closely with engineering teams to deliver on critical AppSec services • Develop AppSec tooling that scales security throughout our ecosystem • Drive the design and development of innovative security solutions • Provide practical guidance to engineering teams • Collaborate with developers, product managers, and security engineers

• Own internal IT systems including identity management, device management, endpoint security, and SaaS tooling. • Lead SOC 2 and other compliance programs, including audit readiness, evidence collection, auditor coordination, and remediation. • Design, implement, and maintain security controls such as access controls, encryption, logging, and vulnerability management. • Develop and maintain security policies, procedures, and documentation aligned with frameworks such as SOC 2, NIST, and ISO 27001. • Manage identity lifecycle processes, including onboarding, offboarding, and access reviews using least-privilege principles. • Evaluate, select, and implement IT and security tools (MDM, EDR, SSO/IdP, DLP, logging). • Oversee vendor security reviews and third-party risk management. • Partner with engineering and operations to ensure secure configurations across cloud infrastructure and SaaS applications. • Participate in incident response activities and drive continuous improvement from security events. • Automate IT and security workflows where possible to improve efficiency and reliability.

• Lead the review and analysis of vulnerability data to identify trends, patterns, and key risks across Deckers’ global environment • Facilitate vulnerability management meetings and drive risk-based discussions to prioritize and accelerate remediation efforts • Advise and support remediation teams in developing actionable plans to address vulnerabilities and strengthen our security posture • Perform risk-based assessments for both on-premise and cloud-based services, ensuring robust protection for critical assets • Integrate advanced security technologies and automation tools to enhance threat detection and response capabilities • Build and present business cases for adopting new security solutions to mitigate emerging risks • Develop, consolidate, and maintain security metrics to measure the effectiveness of our cybersecurity program • Apply industry-leading frameworks (NIST, ISO27001/2, CIS Top 20 Controls) to establish and maintain best-in-class security measures • Foster strong relationships with technical teams, serving as a trusted advisor and championing a culture of security awareness • Contribute to the strategic direction of the Technical Security team by designing and implementing tools that enhance customer trust and detect suspicious activity

• Run Cobalt's endpoint and cloud asset security stack across managed laptops, desktops, and cloud infrastructure — including EDR, vulnerability management, and continuous compliance monitoring tooling • Administer Cobalt's compliance automation platform as the system of record for controls and evidence — manage personnel records, reconcile against HRIS and identity provider data, and handle edge cases outside the primary HRIS • Own end-to-end onboarding and offboarding security across employees, contractors, and external partners — verify new hires complete security gating before access is provisioned, apply the right requirements for each personnel tier, and close out access promptly when people leave • Triage alerts from EDR, SIEM, and the vulnerability scanner; recommend patches, file risk acceptances, and gather evidence to close out remediations • Co-own Cobalt's SOC 2 program — coordinate with auditors, gather evidence from internal teams, and run control testing (SSO, IAM, change management, access reviews) ahead of fieldwork • Maintain Cobalt's security policies (vulnerability management, logging and monitoring, incident response, access control), keep them current as the business evolves, and draft new policies when we identify gaps • Own the customer security questionnaire pipeline — partner with Sales, GTM, and product leads to turn around SIG, CAIQ, and bespoke vendor assessments quickly and accurately • Run vendor security reviews for new software and services Cobalt adopts, with clear turnaround expectations and a process the rest of the company can rely on • Triage suspected phishing reports and serve as incident manager when something happens — scope, contain, document, and run the postmortem • Own annual security awareness training rollout and tracking across the company • Partner with Engineering to secure the Cobalt Monitoring Intelligence platform at the edge and bring security perspective into design and code review • Support pen test engagements end-to-end: scoping, remediation tracking, and re-test follow-up