Pearson

Director of Engineering – Security & Compliance Engineering

Pearson, Trenton, New Jersey, US, 08628


Join Pearson as a technical leader in Security & Compliance Engineering. The role is based in the USA with hybrid/remote flexibility.

Role Overview

The Director of Security & Compliance Engineering embeds security into the SDLC, partners with engineering to drive secure design, DevSecOps automation, and developer enablement, and leads the PSG‑SC program to reduce risk and streamline audits.

Key Responsibilities

Architect and institutionalize secure SDLC practices (threat modeling, secure coding, dependency hygiene, automated testing, release gating).

Own DevSecOps integration across CI/CD with SAST/DAST/IAST, secrets scanning, SBOM, container/image hardening, and IaC policy checks.

Drive shift‑left security through reusable CI/CD templates, policy‑as‑code, and golden paths.

Partner with platform and SRE to enforce WAF, API AuthN/AuthZ, mTLS, and runtime protections via guardrails.

Publish secure toolchains, reference architectures, and code libraries with secure defaults.

Stand up sandboxed environments (e.g., GitPod) and secure‑by‑default scaffolds to accelerate teams.

Deliver targeted training for engineers (OWASP, secrets, auth, threat modeling) tied to real code and pipelines.

Lead SOC 2 Type 2, HECVAT, and institutional reviews using automated evidence from pipelines and platforms.

Define OKRs and SLAs for vulnerability remediation, secrets rotation, agent coverage, and audit readiness; publish executive dashboards.

Align compliance asks with product/engineering roadmaps; triage by business risk and customer impact.

Own vulnerability management, secrets lifecycle, key rotation, and perimeter/API security.

Continuously monitor control health; ensure clear ownership, escalation paths, and exception processes.

Improve MTTD/MTTR by integrating detections with engineering telemetry and runbooks.

Optimize run costs for security tooling and tests; ensure renewals/SOWs are timely and value‑based.

Report posture, compliance status, and maturity trends; drive continuous improvement.

Champion a blameless, learning culture that balances speed and safety.

Qualifications

10+ years in software engineering or DevSecOps; 5+ years leading secure SDLC at scale (cloud‑first; AWS preferred).

Expertise in CI/CD automation, SAST/DAST/IAST, SBOM/OSS governance, secrets management, and API/perimeter security.

Hands‑on experience integrating controls into developer workflows (policy‑as‑code, pipelines, pre‑commit/pre‑merge checks).

Proven delivery of SOC 2 Type 2/HECVAT using automated, system‑of‑record evidence.

Executive communication; OKR setting; budget ownership; ability to influence product/engineering/security.

Certifications: CISSP, CISM, CCSP, AWS, or relevant DevSecOps credentials (Preferred).

Experience in EdTech or regulated SaaS; institution‑facing security reviews (Preferred).

Track record of automating compliance (evidence collection, control verification, reporting) (Preferred).

Compensation

The minimum full‑time salary range is $170,000 – $195,000. This position is eligible for an annual incentive program. Benefits details are available upon request.

Application Deadline

Apply by 31 Dec 2025 to be considered for this role.

EEO Statement

Pearson is an Equal Opportunity Employer and a member of E‑Verify. Employment decisions are based on qualifications, merit and business need. Qualified applicants will receive consideration for employment without regard to race, ethnicity, color, religion, sex, sexual orientation, gender identity, gender expression, age, national origin, protected veteran status, disability status, or any other group protected by law. Pearson actively seeks qualified veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act. Reasonable accommodations are available for applicants with disabilities.
