Director CyberSecurity
About the role
Join Expedia Group, a global travel company, as a Director, Security Engineering. You will design and build security platforms, operationalize cloud and data security programs, and influence cross-functional teams to ensure secure software delivery across Expedia Group's technology platform.
Responsibilities
- Design and build reusable security platforms, shared services, and reference architectures for engineering teams at scale.
- Deliver security guardrails for infrastructure-as-code, containerized microservices, and service mesh architectures.
- Implement and maintain secrets management, certificate lifecycle, and workload identity frameworks for cloud-native infrastructure across multi-cloud environments.
- Own the technical implementation of security tooling integrations, ensuring signal quality, pipeline integration, and engineering team usability.
- Apply AI and machine learning techniques within cybersecurity contexts, including threat detection, anomaly detection, and automated vulnerability management.
- Architect and implement service mesh security at scale, including mTLS enforcement, traffic policy, workload identity, and zero-trust network segmentation.
- Operate AWS-native security controls at enterprise scale, including IAM, SCPs, GuardDuty, Security Hub, Inspector, Macie, Control Tower, Secrets Manager, and KMS.
- Manage cloud security posture management (CSPM) and data security posture management (DSPM) programs, driving down finding age, improving coverage, and closing posture gaps at velocity.
- Embed security in high-velocity release pipelines by integrating security controls natively into CI/CD without blocking engineering throughput.
- Implement SDLC security architecture end-to-end, from threat modeling at design time through runtime protection, embedded in tools, pipelines, and workflows engineers already use.
- Build and maintain security standards for web application, API, mobile, and cloud-native services, grounded in OWASP, NIST, and validated against Expedia Group's engineering stack.
- Collaborate directly with engineering teams to balance security requirements against delivery priorities, understanding pressures and designing controls that fit naturally.
- Design security interactions, tooling surfaces, and developer workflows that engineers find intuitive, fast, and useful, minimizing friction while maximizing adoption of secure patterns.
Requirements
15+ years of progressive, hands-on cybersecurity experience, with a focus on building and operating security systems at enterprise scale. Deep, practitioner-level AWS expertise, including IAM, VPC, GuardDuty, Security Hub, Macie, Inspector, Control Tower, Secrets Manager, KMS, and experience in high-velocity release environments. Proven track record delivering SDLC security architecture across large engineering organizations, including CI/CD integration, developer tooling, SAST/DAST/SCA deployment, and runtime security in production. Hands-on experience with service mesh architectures, mTLS, workload identity, traffic policy, zero-trust network enforcement, and Istio, Envoy, or equivalent in production. Demonstrated proficiency in AI security, implementing controls for LLM applications, RAG systems, and agentic AI pipelines in enterprise production environments. Operational experience running CSPM and DSPM programs at scale, owning finding triage, remediation velocity, and posture improvement metrics. Proven ability to collaborate with and influence engineering teams without formal authority, translating security requirements into engineering-compatible designs and building trust through delivery. Ability to contribute to security strategy, translating execution experience and technical depth into roadmap input, architectural direction, and stakeholder communication. Exceptional technical communication skills, producing authoritative architectural documentation, security guidance, and clear executive-level summaries when needed. Bachelor's degree in Computer Science, Information Security, or related technical field, or equivalent professional experience. Relevant certifications: CISSP, CCSP, CSSLP, AWS Security Specialty, or GCP Security Engineer. Applied experience with PCI-DSS, SOC 2, GDPR, and ISO 27001 as a practitioner for building compliant systems.