Director CyberSecurity

United StatesFull-timeup to $399kPosted Jul 16, 2026

At Expedia Group, we help travelers explore the world, one journey at a time. As a global travel company powered by passionate people, trusted partnerships, and leading technology, we connect travelers, partners, and advertisers through our consumer brands, B2B network, and travel advertising business.


Here, you'll do meaningful work that helps millions of people discover, book, and experience travel with more ease, confidence, and joy. Our five Behaviors-Traveler First, Think Big, Operate with Excellence, Ownership Mindset, and Succeed Together-help foster a supportive environment where people can grow their careers and have the flexibility, benefits, and support to do their best work. Join us and build for travelers everywhere.

Director, Security Engineering  

Our Technology Team partners with teams across Expedia Group to create innovative products, services, and tools to deliver high-quality experiences for travelers, partners, and our employees. A singular technology platform powered by data and machine learning provides secure, differentiated, and personalized experiences that drive loyalty and traveler satisfaction.
 

Expedia Group's Product Security organization is building the security infrastructure, platforms, and services that power secure software delivery across one of the world's largest travel technology platforms. We are looking for a Director, Security Engineering who ships — someone who turns architectural thinking into running systems, operating controls, and measurable outcomes at enterprise scale. 

This is fundamentally a hands-on, execution-oriented role. You will design and build security platforms, embed controls into high-velocity engineering workflows, operationalize cloud and data security programs, and serve as the technical anchor for complex, cross-cutting security initiatives. You will work closely with engineering teams, platform architects, and technology leads — influencing craft, output, and trust rather than org chart position. 

If you are energized by building things that work at scale, by making security invisible to engineers who do the right thing, and by leaving systems measurably more secure than you found them — this role was written for you. 

 

WHO THRIVES IN THIS ROLE 

You are a builder. You measure your impact in systems shipped, controls operationalized, and engineering teams unblocked — not in decks presented or frameworks authored. You are most comfortable when you are deep in the work: designing a zero-trust architecture in the morning, reviewing a CI/CD pipeline security integration in the afternoon, collaborating vertically and horizontally with product security and CTO stakeholders to drive our success while understanding competing priorities. you're are Passionate and curious about AI system the next day. You understand that security at scale is a product problem — and you design accordingly, obsessing over adoption, ergonomics, and measurable outcomes. You influence through craft, consistency, and trust, and you thrive in environments where competing priorities are real, and judgment matters more than process.  

 

In this role, you will:

Security Platform & Infrastructure Delivery 

  • Design, build, and operationalize reusable security platforms, shared services, and reference architectures that engineering teams consume at scale — prioritizing developer ergonomics and adoption velocity. 

  • Deliver security guardrails for infrastructure-as-code, containerized microservices, and service mesh architectures — implemented as enforceable, automated policy-as-code controls, not documentation. 

  • Build and maintain secrets management, certificate lifecycle, and workload identity frameworks for cloud-native infrastructure across multi-cloud environments. 

  • Own the technical implementation of security tooling integrations — Security Fabric to be include SAST, DAST, SCA, ASPM, CSPM, DSPM — ensuring signal quality, pipeline integration, and engineering team usability. 

  • Proven ability to develop and operationalize security policies, standards, and compliance frameworks (e.g., PCI-DSS, SOC 2, ISO 27001, GDPR) 

  

AI & Agentic System Security — Hands-On Implementation 

  • Demonstrated experience applying AI and machine learning techniques within cybersecurity contexts, including threat detection, anomaly detection, or automated vulnerability management 

  • Implement security architecture for LLM-based applications, RAG pipelines, and agentic AI systems — applying controls for prompt injection, model abuse, data exfiltration, and agent trust boundaries in production environments. 

  • Evaluate and operationalize AI-powered security tooling — automated threat detection, vulnerability triage, AI-driven response — from proof of concept through production operation. 

  • Embed security early in Expedia Group's AI development lifecycle, influencing model selection, fine-tuning practices, and deployment architecture through direct partnership with AI platform teams. 

  

Service Mesh & Zero-Trust Infrastructure 

  • Implement and operate service mesh security at scale — mTLS enforcement, traffic policy, workload identity, and zero-trust network segmentation across distributed microservices environments (Istio, Envoy, or equivalent). 

  • Architect and build identity-centric, zero-trust security models for distributed systems with complex east-west traffic patterns and hundreds of services. 

  • Drive practical implementation of zero-trust principles across infrastructure — not as a framework exercise, but as running, enforced controls. 

  

AWS Cloud Security Operations at Scale 

  • Architect and operate AWS-native security controls at enterprise scale: IAM and SCPs, GuardDuty, Security Hub, Inspector, Macie, Control Tower, Secrets Manager, KMS — configured, tuned, and continuously improved, not just deployed. 

  • Cloud Security Posture Management (CSPM) and Data Security Posture Management (DSPM) programs operationally — driving down finding age, improving coverage, and closing posture gaps at velocity.

  • Instrument and maintain security observability across cloud environments: detection coverage, alerting pipelines, and automated response playbooks that operate reliably at scale. 

  • Enable high-velocity release pipelines by embedding security controls natively into CI/CD without blocking engineering throughput — shifting left without shifting blame. 

  

SDLC Security Architecture — Built Into Engineering Workflows 

  • Implement SDLC security architecture end-to-end — from threat modeling at design time through runtime protection — embedded in the tools, pipelines, and workflows engineers already use. 

  • Deliver reusable security frameworks, libraries, and platform services that let product engineers ship secure code without becoming security experts. 

  • Build and maintain security standards for web application, API, mobile, and cloud-native services — grounded in OWASP, NIST, and validated against Expedia Group's actual engineering stack. 

  • Collaborate directly with engineering teams to balance security requirements against delivery priorities — understanding the pressures, designing controls that fit naturally, and earning credibility through practical judgment. 

  

Delivering Delight — Cyber Experience That Engineers Actually Want 

  • Design security interactions, tooling surfaces, and developer workflows that engineers find intuitive, fast, and useful — minimizing friction while maximizing adoption of secure patterns. 

  • Produce clear, actionable security guidance, architectural blueprints, and technical documentation calibrated to the engineering audience — not compliance artifacts. 

  • Navigate competing priorities with engineering teams by understanding delivery context, making risk tradeoffs explicit and transparent, and building durable trust through consistent, practical judgment. 

  • Contribute to reshaping Product Security and cybersecurity strategy — informing roadmap direction through execution experience, not just top-down design. 

  

Minimum Qualifications: 

  • 15+ years of progressive, hands-on cybersecurity experience — with demonstrated depth in building and operating security systems at enterprise scale, not just designing them. 

  • Deep, practitioner-level AWS expertise: IAM, VPC, GuardDuty, Security Hub, Macie, Inspector, Control Tower, Secrets Manager, KMS — operated at scale in high-velocity release environments with measurable outcomes. 

  • Proven track record delivering SDLC security architecture across large engineering organizations — including CI/CD integration, developer tooling, SAST/DAST/SCA deployment, and runtime security in production. 

  • Hands-on implementation experience with service mesh architectures — mTLS, workload identity, traffic policy, zero-trust network enforcement — using Istio, Envoy, Linkerd, or equivalent in production. 

  • Demonstrated proficiency in AI security — implementing controls for LLM applications, RAG systems, and agentic AI pipelines in enterprise production environments, not just evaluating them. 

  • Operational experience running CSPM and DSPM programs at scale — owning finding triage, remediation velocity, and posture improvement metrics. 

  • Proven ability to collaborate with and influence engineering teams without formal authority — translating security requirements into engineering-compatible designs and building trust through delivery. 

  • Ability to contribute to security strategy — translating execution experience and technical depth into roadmap input, architectural direction, and stakeholder communication. 

  • Exceptional technical communication skills — producing authoritative architectural documentation, security guidance, and clear executive-level summaries when needed. 

  • Bachelor's degree in Computer Science, Information Security, or related technical field — or equivalent professional experience. 

  

Preferred Qualifications:

  • Experience in a large-scale, multi-cloud e-commerce or travel technology environment with global operations and high release frequency. 

  • Hands-on experience building, deploying, or securing agentic AI systems and LLM-based applications in enterprise production — including red-teaming and abuse scenario validation. 

  • Experience building security-as-a-platform services consumed by large engineering organizations — including self-service security tooling, paved-road security libraries, or security SDK development. 

  • Prior people leadership or tech lead experience — not required, but relevant for candidates interested in optional team leadership scope. 

  • Relevant certifications: CISSP, CCSP, CSSLP, AWS Security Specialty, or GCP Security Engineer. 

  • Applied experience with PCI-DSS, SOC 2, GDPR, and ISO 27001 as a practitioner for building compliant systems — not as a policy author. 

  

  

Senior Individual Contributor | Director-Level Scope 

Note: This role is open to exceptional senior ICs and to candidates with people leadership experience who prefer to remain primarily hands-on. People management responsibilities may be available for the right candidate but are not required. 

 

The total cash range for this position in San Jose is $249,000.00 to $348,500.00. Employees in this role have the potential to increase their pay up to $398,500.00, which is the top of the range, based on ongoing, demonstrated, and sustained performance in the role.

Starting pay for this role will vary based on multiple factors, including location, available budget, and an individual’s knowledge, skills, and experience. Pay ranges may be modified in the future.

Benefits and perks

Expedia Group offers benefits and perks designed to support employees and their families, including medical, dental, and vision coverage, paid time off, an Employee Assistance Program, wellness and travel reimbursement, travel discounts, and International Airlines Travel Agent Network (IATAN) membership. Learn more about life at Expedia Group at https://careers.expediggroup.com/life.


Accommodation requests

Expedia Group is committed to providing an inclusive and accessible recruiting experience. If you need an accommodation or adjustment due to a disability during the application or recruiting process, please submit a request at https://expedia.service-now.com/askeg?id=job_accommodation.


About Expedia Group

Expedia Group includes three flagship consumer brands - Expedia, Hotels.com, and Vrbo - along with a leading B2B travel business and travel advertising offerings. Across our brands and business, we help travelers explore the world with confidence and ease.


Important notice

Employment opportunities and job offers at Expedia Group will always come from Expedia Group's Talent Acquisition and hiring teams. Never share sensitive personal information unless you are confident of the recipient. Expedia Group does not extend job offers via email or messaging tools to individuals with whom we have not made prior contact. Our email domain is @expediagroup.com. The official place to find and apply for roles is https://careers.expediagroup.com/jobs/.


Equal Opportunity

Expedia is committed to creating an inclusive work environment with a diverse workforce. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, veteran status, or any other characteristic protected by law. This employer participates in E-Verify. The employer will provide the Social Security Administration (SSA) and, if necessary, the Department of Homeland Security (DHS) with information from each new employee's I-9 to confirm work authorization.

Want jobs like this matched to you?

Swoopd scores fresh postings against your résumé so you only see the matches that matter.

Get started free