Director, Security Compliance

Posted:
7/28/2024, 5:00:00 PM

Location(s):
Illinois, United States ⋅ Washington, United States ⋅ Seattle, Washington, United States ⋅ Chicago, Illinois, United States

Experience Level(s):
Expert or higher ⋅ Senior

Field(s):
IT & Security

If you need assistance during the recruiting process due to a disability, please reach out to our Recruiting Accommodations Team through the Accommodation Request form. This form is used only by individuals with disabilities who require assistance or adjustments in applying and interviewing for a job. This form is not for inquiring about a position or the status of an application.

Director - Security Compliance 

Our worldview at Expedia Group is “Travel is a force for good”; we believe travel is a force for good in the world. You don’t have to look too closely to realize that right now the world needs all the goodness it can get – it needs more travel. And with that as our worldview, the work we do at Expedia Group becomes more important than ever. Expedia Services is where exceptional technical and business people come together to leverage our two decades in travel and invest in scalable solutions.

The Expedia Security & Privacy Organization is seeking a highly motivated, collaborative Director - Security Compliance with a practical self-starter mindset to be responsible for driving the overall development, implementation, maintenance, and management of the Global Compliance Program, including but not limited to regulatory needs such as PCI-DSS, GDPR/CCPA, etc. and best practices from SOC2, NIST CSF, ISO, etc. Additionally, this role is responsible for driving compliance focus and accountability across the organization and ensuring global compliance with all current regulatory guidelines and with Expedia Security & Privacy policies and standards. This position will serve as a primary liaison between internal and external auditor groups to integrate compliance regulations and controls to protect Expedia’s assets and data globally. This is a unique role that will develop and drive operational excellence and program improvement and accelerate our mission to power global travel for everyone, everywhere.

To be successful, you are organized and resourceful, possess domain knowledge of PCI DSS and security compliance, and have a “can-do” attitude. You will be a key member of our security governance, risk, compliance, and privacy leadership team and responsible for providing expert risk analysis and information to business and risk management leadership. In this role, you will establish rapport with cybersecurity leadership, as well as external consultants, to help support the company’s overall PCI DSS compliance. The role is charged with implementing and maintaining policies, as well as managing a comprehensive controls framework aligned with industry requirements to ensure enterprise-wide PCI DSS compliance.

The ideal candidate will have a diverse background and understand a variety of systems and services, including new technologies and legacy systems that are intertwined with PCI DSS scope. You will report to the Senior Director – GRC and Privacy Operations.

We believe diversity and inclusion among our teammates produces better results and is critical to our success as a global company and are committed to recruiting, developing, and retaining the most talented people from a diverse candidate pool.

What you'll do:

  • Work in tandem with Product & Technology, risk management, cybersecurity and business leads to incorporate compliance practices and industry standards

  • Develop and implement a comprehensive and global cybersecurity compliance program, including but not limited to PCI-DSS, SOC2, GDPR, CCPA, HIPAA, NIST, ISO, etc., to achieve a strong compliance maturity model

  • Own a formal Compliance Governance process which aligns and prioritizes security initiatives, driving compliance focus and accountability across the organization

  • Develop and establish executive dashboard reporting on compliance events, findings, and accomplishments, and publish it to senior management and key stakeholders

  • Manage the Global Compliance Program, which includes conducting the required testing and assessments, including but not limited to PCI-DSS, SOC2, GDPR, HIPAA, NIST, and ISO, and determining scope, process, testing, documentation, reporting, and remediation; continuously monitor changes to regulatory requirements, the threat landscape, and business impact

  • Partner with internal and external auditors to validate controls for compliance

  • Direct compliance teams to document, communicate, and enforce security improvements that balance risk with business operations and ensure controls do not weaken efficiency or business innovation

  • Create, prioritize, and manage the yearly scope of technology compliance obligations

  • Identify, document, and monitor to closure any gaps when compliance responsibilities are not met

  • Evaluate security controls and opportunities for improvement and communicate recommendations

  • Attract, manage, grow, and retain talent to ensure the highest performance of the Compliance function in GRC

  • Maintain a high degree of knowledge of current and proposed security changes impacting regulatory, privacy, and security industry best-practice guidance

  • Acquire and retain knowledge of applicable industry standards

Who you are:

  • Bachelor's or Master's degree in Information Technology, Information Management, Risk, Audit, Compliance, or a related technical field, or equivalent related professional experience

  • 10+ years of experience

  • Demonstrated understanding of PCI DSS and frameworks (NIST, ISO, SOC2)

  • Previous work with both legacy and emerging technology solutions in scope

  • Exposure to cloud providers (AWS, Google Cloud Platform, Microsoft Azure), virtualization and security management preferred

  • Knowledge of networking, APIs, application security, encryption, identity and authentication, vulnerability management, threat intelligence, insider threats, attack surface, and attacker tactics, and proficiency in understanding Approved Scanning Vendor (ASV) and Attestation of Compliance (AOC) reports

  • Strong organizational management, with experience managing diverse technical and business unit teams

  • Capable of working with diverse teams and promoting a positive, enterprise-wide security culture

  • Strong project management, multitasking and organizational skills

  • Preferably one or more of the following professional certifications: PCIP, ISA, QSA, CISA, CRISC, CISSP

The total cash range for this position in Austin is $187,500.00 to $262,500.00. Employees in this role have the potential to increase their pay up to $300,000.00, which is the top of the range, based on ongoing, demonstrated, and sustained performance in the role.

The total cash range for this position in Chicago is $170,000.00 to $238,000.00. Employees in this role have the potential to increase their pay up to $272,000.00, which is the top of the range, based on ongoing, demonstrated, and sustained performance in the role.

The total cash range for this position in Seattle is $187,500.00 to $262,500.00. Employees in this role have the potential to increase their pay up to $300,000.00, which is the top of the range, based on ongoing, demonstrated, and sustained performance in the role.

Starting pay for this role will vary based on multiple factors, including location, available budget, and an individual’s knowledge, skills, and experience. Pay ranges may be modified in the future.

Expedia Group is proud to offer a wide range of benefits to support employees and their families, including medical/dental/vision, paid time off, and an Employee Assistance Program. To fuel each employee’s passion for travel, we offer a wellness & travel reimbursement, travel discounts, and an International Airlines Travel Agent (IATAN) membership.

About Expedia Group 

Expedia Group (NASDAQ: EXPE) powers travel for everyone, everywhere through our global platform. Driven by the core belief that travel is a force for good, we help people experience the world in new ways and build lasting connections. We provide industry-leading technology solutions to fuel partner growth and success, while facilitating memorable experiences for travelers. Expedia Group's family of brands includes: Brand Expedia®, Hotels.com®, Expedia® Partner Solutions, Vrbo®, trivago®, Orbitz®, Travelocity®, Hotwire®, Wotif®, ebookers®, CheapTickets®, Expedia Group™ Media Solutions, Expedia Local Expert®, CarRentals.com™, and Expedia Cruises™.

© 2021 Expedia, Inc. All rights reserved. Trademarks and logos are the property of their respective owners. CST: 2029030-50

Employment opportunities and job offers at Expedia Group will always come from Expedia Group’s Talent Acquisition and hiring teams. Never provide sensitive, personal information to someone unless you’re confident who the recipient is. Expedia Group does not extend job offers via email or any other messaging tools to individuals to whom we have not made prior contact. Our email domain is @expediagroup.com. The official website to find and apply for job openings at Expedia Group is careers.expediagroup.com/jobs.

Expedia is committed to creating an inclusive work environment with a diverse workforce. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. This employer participates in E-Verify. The employer will provide the Social Security Administration (SSA) and, if necessary, the Department of Homeland Security (DHS) with information from each new employee's I-9 to confirm work authorization.

Expedia

Website: https://www.expediagroup.com/

Headquarter Location: Seattle, Washington, United States

Employee Count: 5001-10000

Year Founded: 1996

IPO Status: Public

Last Funding Type: Post-IPO Debt

Industries: Reservations ⋅ Task Management ⋅ Ticketing ⋅ Transportation ⋅ Travel