AVP, AWS Security Engineer
LPL Financial · Fort Mill, SC · 2 wk ago
Information Technology$125k–$209k/yrFull-time
Job Overview
As the AVP, AWS Security Engineer, you are a hands-on senior cloud security engineer in the Security & Governance pod within the Foundations team in LPL's Cloud Center of Excellence (CCOE).
Responsibilities
- Codify and continuously improve LPL's cloud control library — Security Hub CSPM as today's AWS-native control system, AWS Config with custom conformance packs to express controls as code, and additional control-management systems as the landscape evolves — and triage, investigate, and drive resolution of Security Hub findings within CCOE.
- Partner with the Security Engineering team within LPL's enterprise Information Security organization (a peer of Security Architecture), which manages Wiz, to jointly monitor Wiz signal and drive resolution of Wiz findings, recognizing that Wiz and Security Hub findings frequently diverge.
- Contribute directly to the Account Factory for Terraform (AFT) foundational base layer — security-control modules, Service Control Policies, AWS Config conformance packs, and reference patterns — so the secure-by-default posture is a property of the platform every account inherits.
- Support LPL's enterprise vulnerability management department on cloud-workload findings: assist with triage, prioritization, and remediation guidance for findings that originate in or affect AWS, without owning vulnerability management end-to-end.
- Operate as the security & governance partner across every CCOE team and pod — Foundations (FinOps, Functional Design Engineering & Strategy, Network Engineering, Monitoring), Platforms, Containers, Support, and Delivery — since Security & Governance is involved in every aspect of CCOE; embed security and governance review into design, code, and delivery touchpoints.
- Collaborate cross-organization with Security Architecture and Security Engineering — peer teams within LPL's Information Security organization — to evaluate, pilot, and operationalize additional security solutions (CNAPP, CSPM, CWPP, runtime defense, DSPM, secrets scanning) and to ensure CCOE's posture meets InfoSec and application-team requirements.
- Translate regulatory requirements (FINRA, SEC, PCI, SOX) into automated, code-reviewed controls; lead cloud-security incident response within CCOE's scope as a senior responder; partner with Internal Audit and Information Security on evidence collection, attestation, and audit response; drive blameless post-incident reviews to durable control improvements.
- Embed agentic AI capabilities into the team's engineering practice (e.g., Cursor, Claude Code, Bedrock, MCP servers, agentic IaC and review workflows) and into the platform's self-service experience for internal customers.
- Embed agentic AI capabilities into security governance: AI-assisted triage of Security Hub and Wiz findings, automated control authoring (Terraform and AWS Config conformance pack drafts from natural-language intent), conversational interfaces for control inquiries, and MCP-backed agents that join Security Hub, AWS Config, Wiz signal, and Terraform context into one queryable view.
- Operate as a hands-on senior cloud engineer: spend the majority of your time in Terraform code, security tooling configuration, vulnerability remediation, design reviews, peer reviews, and incident response — hands-on engineering is the primary leverage point.
- Personally participate in 24x7 on-call rotations as a senior technical responder and escalation point for production incidents.
- Partner with peer engineers, AVPs, and VPs across the Cloud Center of Excellence — the five CCOE teams (Foundations, Platforms, Containers, Support, Delivery) and the five Foundations pods (Security & Governance, FinOps, Functional Design Engineering & Strategy, Network Engineering, Monitoring) — to align roadmaps and remove cross-team and cross-pod blockers.
- Champion AWS Well-Architected Framework adoption (with emphasis on the Security pillar) and drive continuous improvement against operational, security, reliability, and compliance outcomes.
- Contribute to the private Terraform module library and the Account Factory for Terraform (AFT) foundational base layer, including security-control modules and reference patterns.
- Raise engineering quality across the pod through code review, design partnership, and technical pairing — acting as a force multiplier without direct reports.
- Participate in Agile/Scrum ceremonies (sprint planning, standups, backlog grooming, retrospectives) and partner with the RTE and PMO on delivery commitments and dependencies.
- Represent the pod's security posture in architecture review boards, internal audit, and customer engagements; communicate technical risk and trade-offs clearly to engineers and to non-technical executives.
Requirements
- 7+ years of progressive technical experience including 3+ years in a senior cloud security, network security, or cloud infrastructure engineering role; Bachelor's degree in Computer Science, Engineering, or a related discipline (or equivalent work experience)
- 3+ years of hands-on production AWS at scale in a multi-account landing zone with strong production Terraform delivered through Terraform Cloud and GitHub Actions
- 3+ years experience operating as a senior individual contributor (AVP, Senior Engineer, Staff Engineer, or equivalent), influencing technical direction and uplifting peer engineers without direct authority — including code review leadership, design-review participation, and technical mentorship
- 3+ years experience personally participating in 24x7 production on-call rotations in a fast-paced, security-conscious, regulated environment (financial services strongly preferred)
- 5+ years hands-on production experience codifying cloud security controls in Security Hub CSPM and AWS Config (including custom conformance packs), with awareness of the broader CSPM and control-management landscape (Wiz, Prisma Cloud, Lacework, Orca) and how those systems integrate with Security Hub
- Core Competencies: Treats every security finding as a chance to fix a class of issues in code — prefers a one-time control change over a recurring ticket; Operates as the governance voice within an engineering organization where security is everyone's responsibility — raises the bar through controls and partnership, not policing; Leads in a matrixed environment without direct reports: drives outcomes through partnership, code, clear technical writing, and credibility with peer engineers, AVPs, and VPs — not through positional authority or people management; Strong partnership instincts with Security Architecture, Security Engineering, and Network Engineering peers — operates as one team across boundaries; Continuous learner, especially in cloud-native, IaC, platform engineering, and applied AISets vision and translates ambiguous strategy into executable engineering roadmaps; Bias for self-service, automation, and reducing toil for downstream internal customers; Builds high-trust relationships across the US and India organization and across functions (Architecture, Security, FinOps, Application Engineering, Network, Audit); Calm, decisive incident commander; fosters a strong post-incident learning culture; Excellent written and verbal communication, executive presence, and ability to influence without direct authority; Thrives in matrixed, fast-paced, regulated environments with imperfect information