Director of Engineering – Security & Compliance Engineering

About The Position

Requirements

• 10+ years in software engineering or DevSecOps; 5+ years leading secure SDLC at scale (cloudfirst; AWS preferred).
• Expertise in CI/CD automation, SAST/DAST/IAST, SBOM/OSS governance, secrets management,and API/perimeter security.
• Hands-on experience integrating controls into developer workflows (policy-as-code, pipelines, pre-commit/pre-merge checks).
• Proven delivery of SOC 2 Type 2/HECVAT using automated, system-of-record evidence.
• Executive communication; OKR setting; budget ownership; ability to influence product/engineering/security.

Nice To Haves

• Certifications: CISSP, CISM, CCSP, AWS, or relevant DevSecOps credentials.
• Experience in EdTech or regulated SaaS; institution-facing security reviews.
• Track record of automating compliance (evidence collection, control verification, reporting).

Responsibilities

• Architect and institutionalize secure SDLC practices (threat modeling, secure coding, dependency hygiene, automated testing, release gating).
• Own DevSecOps integration across CI/CD (SAST/DAST/IAST, secrets scanning, SBOM, container/image hardening, IaC policy checks).
• Drive “shift-left” security through reusable CI/CD templates, policy-as-code, and golden paths.
• Partner with platform/SRE to enforce WAF, API AuthN/AuthZ, mTLS, and runtime protections via guardrails—not gates.
• Publish “paved road” toolchains, reference architectures, and code libraries with secure defaults.
• Stand up sandboxed environments (e.g., GitPod) and secure-by-default scaffolds to accelerate teams.
• Deliver targeted training for engineers (OWASP, secrets, auth, threat modeling) tied to real code and pipelines.
• Lead SOC 2 Type 2, HECVAT, and institutional reviews using automated evidence from pipelines and platforms.
• Define OKRs and SLAs for vulnerability remediation, secrets rotation, agent coverage, and audit readiness; publish executive dashboards.
• Align compliance asks with product/engineering roadmaps; triage by business risk and customer impact.
• Own vulnerability management (Qualys/Snyk/OSS posture), secrets lifecycle and key rotation, and perimeter/API security.
• Continuously monitor control health; ensure clear ownership, escalation paths, and exception processes.
• Improve MTTD/MTTR by integrating detections with engineering telemetry and runbooks.
• Optimize run costs for security tooling and tests; ensure renewals/SOWs are timely and value-based.
• Report posture, compliance status, and maturity trends; drive continuous improvement and transparency.
• Champion a blameless, learning culture that balances speed and safety.