Senior Manager, Security Compliance
Location: Chicago, Illinois, Seattle, Washington
Job Type: Full time
If you need assistance during the recruiting process due to a disability, please reach out to our Recruiting Accommodations Team through the Accommodation Request form. This form is used only by individuals with disabilities who require assistance or adjustments in applying and interviewing for a job. This form is not for inquiring about a position or the status of an application.
Senior Manager Security Compliance
Our worldview at Expedia Group is “Travel is a force for good”; we believe travel is a force for good in the world. You don’t have to look too closely to realize right now that the world needs all the goodness it can get – it needs more travel. And with that as our worldview, the work we do at Expedia Group becomes more important than ever.
Expedia Services is where exceptional technical and businesspeople come together to leverage our two decades in travel and invest in scalable solutions.
The Expedia Security & Privacy Organization is seeking a highly motivated, collaborative Senior Manager - Security Compliance, with a practical self-starter mindset to advise and serve as a subject matter expert and manage all aspects of Payment Card Industry Data Security Standard (PCI DSS) compliance requirements.
In this role, you will manage a team of analyst and the annual PCI DSS lifecycle, including assessments, testing, validation of controls and documentation related to compliance. In addition, you will keep pace with regulatory changes to ensure the company maintains PCI DSS compliance.
This is a unique role that will develop and drive strategy for our PCI DSS program, drive operational excellence and program improvement, and accelerate our mission to power global travel for everyone, everywhere.
To be successful, you are organized, resourceful, possess domain knowledge on PCI DSS and security compliance and have a “can-do” attitude. You will be a key member of our security governance, risk, compliance, and privacy team and responsible for providing expert risk analysis and information to business and risk management leadership. The role is charged with managing a comprehensive controls framework with industry requirements to ensure enterprise-wide PCI DSS compliance.
The ideal candidate will have diverse backgrounds and understand a variety of systems and services, including new technologies and legacy systems that are intertwined with PCI DSS scope. You will report to Director Security Compliance.
We believe diversity and inclusion among our teammates produces better results and is critical to our success as a global company and are committed to recruiting, developing, and retaining the most talented people from a diverse candidate pool.
What you'll do:
- Identify and document in-scope systems and applications for the PCI DSS cardholder data environment. Guide technical teams and stakeholders to implement required controls and meet compliance.
- Act as the primary point of contact for all PCI-related requirements, initiatives, and external relationships. Act as the main PCI DSS subject matter expert when internal team members have questions/need guidance and be the key liaison with external PCI advisory firms.
- Maintain documentation and keep the state of PCI program compliance up to date.
- Liaison with risk management, third-party qualified security assessors, audit, and compliance, as well as the PCI governing body and communities.
- Closely monitor and understand current and potential changes to the PCI DSS framework.
- Complete and preserve the internal self-assessment questionnaire as needed, as well as coordinate and communicate the report on compliance.
- Facilitate education and training for employees required to uphold PCI compliance.
- Continuously assess and validate cardholder data environment controls and monitoring.
- Provide oversight on findings and require thorough documentation and recommendations.
- Support business innovation initiatives, while ensuring PCI compliance is met.
- Maintain a high degree of knowledge with current and proposed security changes impacting PCI compliance and security industry best practices.
- Possess general knowledge of networking, encryption, authentication, payment infrastructure and application security.
- Influence and validate PCI DSS controls and present regularly to security, audit, and business leadership.
- Guide team members to align with security, audit, and risk management leadership for ongoing PCI compliance assessments, as well as annual strategic technology and budgetary directives.
- Liaison with internal and external auditors to manage controls for compliance and privacy laws.
- Perform other duties as assigned.
Who you are:
- 7+ years of overall corporate work experience with a bachelor’s degree or 5+ years of relevant experience with an advanced degree with a focus in Information technology/management, risk, or audit preferred.
- Demonstrated understanding of PCI DSS and general knowledge of frameworks (NIST CSF, ISO, SOC2, FedRAMP, SSAE18).
- Previous work with both legacy and emerging technology solutions in scope.
- Exposure to cloud providers (AWS, Google Cloud Platform, Microsoft Azure), virtualization and security management preferred.
- Strong organizational management, with experience managing diverse technical and business unit teams.
- General understanding of networking, APIs, application security, encryption, identity and authentication, vulnerability management, threat intelligence, insider threats, attack surface, attacker tactics, and be proficient in understanding approved scanning vendor and attestation of compliance reports.
- Capable of working with diverse teams and promoting a positive, enterprise-wide security culture.
- Strong project management, multitasking and organizational skills.
What could set you apart:
- Preferably one or more of the following: PCIP, ISA, QSA, CISA, CRISC, CISSP
About Expedia Group
Expedia Group (NASDAQ: EXPE) powers travel for everyone, everywhere through our global platform. Driven by the core belief that travel is a force for good, we help people experience the world in new ways and build lasting connections. We provide industry-leading technology solutions to fuel partner growth and success, while facilitating memorable experiences for travelers. Expedia Group's family of brands includes: Brand Expedia®, Hotels.com®, Expedia® Partner Solutions, Vrbo®, trivago®, Orbitz®, Travelocity®, Hotwire®, Wotif®, ebookers®, CheapTickets®, Expedia Group™ Media Solutions, Expedia Local Expert®, CarRentals.com™, and Expedia Cruises™.
© 2021 Expedia, Inc. All rights reserved. Trademarks and logos are the property of their respective owners. CST: 2029030-50
Employment opportunities and job offers at Expedia Group will always come from Expedia Group’s Talent Acquisition and hiring teams. Never provide sensitive, personal information to someone unless you’re confident who the recipient is. Expedia Group does not extend job offers via email or any other messaging tools to individuals to whom we have not made prior contact. Our email domain is @expediagroup.com. The official website to find and apply for job openings at Expedia Group is careers.expediagroup.com/jobs.Expedia is committed to creating an inclusive work environment with a diverse workforce. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. This employer participates in E-Verify. The employer will provide the Social Security Administration (SSA) and, if necessary, the Department of Homeland Security (DHS) with information from each new employee's I-9 to confirm work authorization.