Director CyberSecurity

ExpediaSan Jose, CA
$249,000 - $398,500

About The Position

Our Technology Team partners with teams across Expedia Group to create innovative products, services, and tools to deliver high-quality experiences for travelers, partners, and our employees. A singular technology platform powered by data and machine learning provides secure, differentiated, and personalized experiences that drive loyalty and traveler satisfaction. Expedia Group's Product Security organization is building the security infrastructure, platforms, and services that power secure software delivery across one of the world's largest travel technology platforms. We are looking for a Director, Security Engineering who ships — someone who turns architectural thinking into running systems, operating controls, and measurable outcomes at enterprise scale. This is fundamentally a hands-on, execution-oriented role. You will design and build security platforms, embed controls into high-velocity engineering workflows, operationalize cloud and data security programs, and serve as the technical anchor for complex, cross-cutting security initiatives. You will work closely with engineering teams, platform architects, and technology leads — influencing craft, output, and trust rather than org chart position. If you are energized by building things that work at scale, by making security invisible to engineers who do the right thing, and by leaving systems measurably more secure than you found them — this role was written for you.

Requirements

  • 15+ years of progressive, hands-on cybersecurity experience — with demonstrated depth in building and operating security systems at enterprise scale, not just designing them.
  • Deep, practitioner-level AWS expertise: IAM, VPC, GuardDuty, Security Hub, Macie, Inspector, Control Tower, Secrets Manager, KMS — operated at scale in high-velocity release environments with measurable outcomes.
  • Proven track record delivering SDLC security architecture across large engineering organizations — including CI/CD integration, developer tooling, SAST/DAST/SCA deployment, and runtime security in production.
  • Hands-on implementation experience with service mesh architectures — mTLS, workload identity, traffic policy, zero-trust network enforcement — using Istio, Envoy, Linkerd, or equivalent in production.
  • Demonstrated proficiency in AI security — implementing controls for LLM applications, RAG systems, and agentic AI pipelines in enterprise production environments, not just evaluating them.
  • Operational experience running CSPM and DSPM programs at scale — owning finding triage, remediation velocity, and posture improvement metrics.
  • Proven ability to collaborate with and influence engineering teams without formal authority — translating security requirements into engineering-compatible designs and building trust through delivery.
  • Ability to contribute to security strategy — translating execution experience and technical depth into roadmap input, architectural direction, and stakeholder communication.
  • Exceptional technical communication skills — producing authoritative architectural documentation, security guidance, and clear executive-level summaries when needed.
  • Bachelor's degree in Computer Science, Information Security, or related technical field — or equivalent professional experience.

Nice To Haves

  • Experience in a large-scale, multi-cloud e-commerce or travel technology environment with global operations and high release frequency.
  • Hands-on experience building, deploying, or securing agentic AI systems and LLM-based applications in enterprise production — including red-teaming and abuse scenario validation.
  • Experience building security-as-a-platform services consumed by large engineering organizations — including self-service security tooling, paved-road security libraries, or security SDK development.
  • Prior people leadership or tech lead experience — not required, but relevant for candidates interested in optional team leadership scope.
  • Relevant certifications: CISSP, CCSP, CSSLP, AWS Security Specialty, or GCP Security Engineer.
  • Applied experience with PCI-DSS, SOC 2, GDPR, and ISO 27001 as a practitioner for building compliant systems — not as a policy author.

Responsibilities

  • Design, build, and operationalize reusable security platforms, shared services, and reference architectures that engineering teams consume at scale — prioritizing developer ergonomics and adoption velocity.
  • Deliver security guardrails for infrastructure-as-code, containerized microservices, and service mesh architectures — implemented as enforceable, automated policy-as-code controls, not documentation.
  • Build and maintain secrets management, certificate lifecycle, and workload identity frameworks for cloud-native infrastructure across multi-cloud environments.
  • Own the technical implementation of security tooling integrations — Security Fabric to be include SAST, DAST, SCA, ASPM, CSPM, DSPM — ensuring signal quality, pipeline integration, and engineering team usability.
  • Develop and operationalize security policies, standards, and compliance frameworks (e.g., PCI-DSS, SOC 2, ISO 27001, GDPR).
  • Demonstrated experience applying AI and machine learning techniques within cybersecurity contexts, including threat detection, anomaly detection, or automated vulnerability management.
  • Implement security architecture for LLM-based applications, RAG pipelines, and agentic AI systems — applying controls for prompt injection, model abuse, data exfiltration, and agent trust boundaries in production environments.
  • Evaluate and operationalize AI-powered security tooling — automated threat detection, vulnerability triage, AI-driven response — from proof of concept through production operation.
  • Embed security early in Expedia Group's AI development lifecycle, influencing model selection, fine-tuning practices, and deployment architecture through direct partnership with AI platform teams.
  • Implement and operate service mesh security at scale — mTLS enforcement, traffic policy, workload identity, and zero-trust network segmentation across distributed microservices environments (Istio, Envoy, or equivalent).
  • Architect and build identity-centric, zero-trust security models for distributed systems with complex east-west traffic patterns and hundreds of services.
  • Drive practical implementation of zero-trust principles across infrastructure — not as a framework exercise, but as running, enforced controls.
  • Architect and operate AWS-native security controls at enterprise scale: IAM and SCPs, GuardDuty, Security Hub, Inspector, Macie, Control Tower, Secrets Manager, KMS — configured, tuned, and continuously improved, not just deployed.
  • Operate Cloud Security Posture Management (CSPM) and Data Security Posture Management (DSPM) programs operationally — driving down finding age, improving coverage, and closing posture gaps at velocity.
  • Instrument and maintain security observability across cloud environments: detection coverage, alerting pipelines, and automated response playbooks that operate reliably at scale.
  • Enable high-velocity release pipelines by embedding security controls natively into CI/CD without blocking engineering throughput — shifting left without shifting blame.
  • Implement SDLC security architecture end-to-end — from threat modeling at design time through runtime protection — embedded in the tools, pipelines, and workflows engineers already use.
  • Deliver reusable security frameworks, libraries, and platform services that let product engineers ship secure code without becoming security experts.
  • Build and maintain security standards for web application, API, mobile, and cloud-native services — grounded in OWASP, NIST, and validated against Expedia Group's actual engineering stack.
  • Collaborate directly with engineering teams to balance security requirements against delivery priorities — understanding the pressures, designing controls that fit naturally, and earning credibility through practical judgment.
  • Design security interactions, tooling surfaces, and developer workflows that engineers find intuitive, fast, and useful — minimizing friction while maximizing adoption of secure patterns.
  • Produce clear, actionable security guidance, architectural blueprints, and technical documentation calibrated to the engineering audience — not compliance artifacts.
  • Navigate competing priorities with engineering teams by understanding delivery context, making risk tradeoffs explicit and transparent, and building durable trust through consistent, practical judgment.
  • Contribute to reshaping Product Security and cybersecurity strategy — informing roadmap direction through execution experience, not just top-down design.

Benefits

  • medical, dental, and vision coverage
  • paid time off
  • an Employee Assistance Program
  • wellness and travel reimbursement
  • travel discounts
  • International Airlines Travel Agent Network (IATAN) membership
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service