AVP, AWS Security Engineer

LPL Financial Holdings, Inc.
$125K — $208K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 7+ years of technical experience, including 3+ years in cloud security or infrastructure roles
  • 3+ years of hands-on production experience with AWS and Terraform in multi-account environments
  • 3+ years as a senior contributor, influencing technical direction and mentoring peers
  • 3+ years participating in 24x7 production on-call rotations in regulated environments
  • 5+ years of experience codifying cloud security controls in AWS tools including Security Hub CSPM and AWS Config

Responsibilities

  • Codify and enhance LPL's cloud security control library using AWS tools and manage findings resolution
  • Collaborate with Security Engineering to monitor and resolve findings from Wiz and Security Hub
  • Contribute to the foundational security protocols of the Account Factory for Terraform
  • Support the enterprise vulnerability management team focused on cloud workloads
  • Partner with all CCOE teams to integrate security measures into design and delivery processes
  • Spend significant time on hands-on engineering tasks and incident response
  • Participate actively in Agile ceremonies and drive improvements across teams

Benefits

  • 401K matching
  • Health benefits
  • Employee stock options
  • Paid time off
  • Volunteer time off

Full Job Description

At LPL, security is everyone's responsibility — and the Security & Governance pod within our Cloud Center of Excellence is where that responsibility becomes a property of our AWS landing zone. As AVP, Security & Governance, you raise LPL's cloud security posture to meet the standards of our enterprise Information Security organization and the application and infrastructure teams shipping into the landing zone. Security & Governance is involved in every aspect of CCOE, so you partner closely with the Network Engineering pod within Foundations and collaborate with every other CCOE team and pod. You codify controls in Security Hub CSPM and AWS Config (including custom conformance packs), partner with Security Engineering on Wiz signal, and support our enterprise vulnerability management team — all while staying hands-on in AWS and Terraform. If you'd rather codify a control once than chase it ten times, and want to operate as the security partner to every engineering team in our cloud, this is your seat.

Job Overview:

As the AVP, AWS Security Engineer, you are a hands-on senior cloud security engineer in the Security & Governance pod within the Foundations team in LPL's Cloud Center of Excellence (CCOE). At LPL, security is everyone's responsibility, and Security & Governance is involved in every aspect of CCOE — so you partner closely with the Network Engineering pod within Foundations and collaborate with every other team and pod across CCOE (Foundations, Platforms, Containers, Support, Delivery) to raise our cloud security posture to meet the standards of LPL's enterprise Information Security organization and the application and infrastructure teams delivering into our AWS landing zone. You codify controls today in Security Hub CSPM and AWS Config — including custom conformance packs — and you help adopt additional control-management systems as the landscape evolves. You partner with the Security Engineering team within LPL's Information Security organization (a peer of Security Architecture), which manages Wiz, to jointly monitor Wiz signal and drive resolution of Wiz findings; you separately drive resolution of Security Hub findings within CCOE (the two often diverge). You support LPL's enterprise vulnerability management department on cloud-workload findings rather than owning vulnerability management end-to-end, and you contribute directly to the Account Factory for Terraform (AFT) foundational base layer so security baselines are codified into the platform. LPL is an AWS-first CCOE: a multi-account landing zone with 100+ private reusable Terraform modules that enable 60+ AWS services, all delivered through Terraform Cloud and GitHub Actions. You spend the majority of your time hands-on in Terraform, security-findings triage, control authoring, and incident response across LPL's US offices and India Global Capability Center (GCC).

Responsibilities:

  • Codify and continuously improve LPL's cloud control library — Security Hub CSPM as today's AWS-native control system, AWS Config with custom conformance packs to express controls as code, and additional control-management systems as the landscape evolves — and triage, investigate, and drive resolution of Security Hub findings within CCOE

  • Partner with the Security Engineering team within LPL's enterprise Information Security organization (a peer of Security Architecture), which manages Wiz, to jointly monitor Wiz signal and drive resolution of Wiz findings, recognizing that Wiz and Security Hub findings frequently diverge

  • Contribute directly to the Account Factory for Terraform (AFT) foundational base layer — security-control modules, Service Control Policies, AWS Config conformance packs, and reference patterns — so the secure-by-default posture is a property of the platform every account inherits

  • Support LPL's enterprise vulnerability management department on cloud-workload findings: assist with triage, prioritization, and remediation guidance for findings that originate in or affect AWS, without owning vulnerability management end-to-end

  • Operate as the security & governance partner across every CCOE team and pod — Foundations (FinOps, Functional Design Engineering & Strategy, Network Engineering, Monitoring), Platforms, Containers, Support, and Delivery — since Security & Governance is involved in every aspect of CCOE; embed security and governance review into design, code, and delivery touchpoints

  • Partner closely and day-to-day with the Network Engineering pod within Foundations (VP, AVP, and engineers) on shared network-security controls: segmentation and micro-segmentation, ingress/egress inspection, encryption in transit, WAF, Shield, and certificate lifecycle

  • Collaborate cross-organization with Security Architecture and Security Engineering — peer teams within LPL's Information Security organization — to evaluate, pilot, and operationalize additional security solutions (CNAPP, CSPM, CWPP, runtime defense, DSPM, secrets scanning) and to ensure CCOE's posture meets InfoSec and application-team requirements

  • Translate regulatory requirements (FINRA, SEC, PCI, SOX) into automated, code-reviewed controls; lead cloud-security incident response within CCOE's scope as a senior responder; partner with Internal Audit and Information Security on evidence collection, attestation, and audit response; drive blameless post-incident reviews to durable control improvements

  • Embed agentic AI capabilities into the team's engineering practice (e.g., Cursor, Claude Code, Bedrock, MCP servers, agentic IaC and review workflows) and into the platform's self-service experience for internal customers

  • Embed agentic AI capabilities into security governance: AI-assisted triage of Security Hub and Wiz findings, automated control authoring (Terraform and AWS Config conformance pack drafts from natural-language intent), conversational interfaces for control inquiries, and MCP-backed agents that join Security Hub, AWS Config, Wiz signal, and Terraform context into one queryable view

  • Operate as a hands-on senior cloud engineer: spend the majority of your time in Terraform code, security tooling configuration, vulnerability remediation, design reviews, peer reviews, and incident response — hands-on engineering is the primary leverage point

  • Personally participate in 24x7 on-call rotations as a senior technical responder and escalation point for production incidents

  • Partner with peer engineers, AVPs, and VPs across the Cloud Center of Excellence — the five CCOE teams (Foundations, Platforms, Containers, Support, Delivery) and the five Foundations pods (Security & Governance, FinOps, Functional Design Engineering & Strategy, Network Engineering, Monitoring) — to align roadmaps and remove cross-team and cross-pod blockers

  • Champion AWS Well-Architected Framework adoption (with emphasis on the Security pillar) and drive continuous improvement against operational, security, reliability, and compliance outcomes

  • Contribute to the private Terraform module library and the Account Factory for Terraform (AFT) foundational base layer, including security-control modules and reference patterns

  • Raise engineering quality across the pod through code review, design partnership, and technical pairing — acting as a force multiplier without direct reports

  • Participate in Agile/Scrum ceremonies (sprint planning, standups, backlog grooming, retrospectives) and partner with the RTE and PMO on delivery commitments and dependencies

  • Represent the pod's security posture in architecture review boards, internal audit, and customer engagements; communicate technical risk and trade-offs clearly to engineers and to non-technical executives

What are we looking for?

We’re looking for strong collaborators who deliver exceptional client experiences and thrive in fast-paced, team-oriented environments. Our ideal candidates pursue greatness, act with integrity, and are driven to help our clients succeed. We value those who embrace creativity, continuous improvement, and contribute to a culture where we win together and create and share joy in our work.

Requirements:

  • 7+ years of progressive technical experience including 3+ years in a senior cloud security, network security, or cloud infrastructure engineering role; Bachelor's degree in Computer Science, Engineering, or a related discipline (or equivalent work experience)

  • 3+ years of hands-on production AWS at scale in a multi-account landing zone with strong production Terraform delivered through Terraform Cloud and GitHub Actions

  • 3+ years experience operating as a senior individual contributor (AVP, Senior Engineer, Staff Engineer, or equivalent), influencing technical direction and uplifting peer engineers without direct authority — including code review leadership, design-review participation, and technical mentorship

  • 3+ years experience personally participating in 24x7 production on-call rotations in a fast-paced, security-conscious, regulated environment (financial services strongly preferred)

  • 5+ years hands-on production experience codifying cloud security controls in Security Hub CSPM and AWS Config (including custom conformance packs), with awareness of the broader CSPM and control-management landscape (Wiz, Prisma Cloud, Lacework, Orca) and how those systems integrate with Security Hub

Core Competencies:

  • Treats every security finding as a chance to fix a class of issues in code — prefers a one-time control change over a recurring ticket

  • Operates as the governance voice within an engineering organization where security is everyone's responsibility — raises the bar through controls and partnership, not policing

  • Leads in a matrixed environment without direct reports: drives outcomes through partnership, code, clear technical writing, and credibility with peer engineers, AVPs, and VPs — not through positional authority or people management

  • Strong partnership instincts with Security Architecture, Security Engineering, and Network Engineering peers — operates as one team across boundaries

  • Continuous learner, especially in cloud-native, IaC, platform engineering, and applied AI

  • Sets vision and translates ambiguous strategy into executable engineering roadmaps

  • Bias for self-service, automation, and reducing toil for downstream internal customers

  • Builds high-trust relationships across the US and India organization and across functions (Architecture, Security, FinOps, Application Engineering, Network, Audit)

  • Calm, decisive incident commander; fosters a strong post-incident learning culture

  • Excellent written and verbal communication, executive presence, and ability to influence without direct authority

  • Thrives in matrixed, fast-paced, regulated environments with imperfect information

Preferences:

  • AWS Certified Security – Specialty

  • Hands-on production exposure to Wiz, Prisma Cloud, Lacework, Orca, or a comparable CNAPP / CSPM platform — enough to be an effective partner to the team that operates it

  • Hands-on experience with Service Control Policies (SCPs), AWS Config conformance packs (including custom packs), and policy-as-code (Sentinel, OPA / Conftest)

  • Familiarity with industry security frameworks (CIS Benchmarks, NIST 800-53, NIST CSF, FedRAMP) and translating them into automated controls

  • Hands-on experience with AWS networking primitives (VPC, Transit Gateway, PrivateLink, Network Firewall, Route 53) and the security controls that wrap them

  • Master's degree in Computer Science, Engineering, or MBA

  • Experience integrating agentic AI / GenAI tooling (Cursor, Claude Code, Copilot, Bedrock, MCP) into platform, IaC, and engineering practice

  • Strong scripting / programming proficiency in Python, Bash, or PowerShell

  • AWS Solutions Architect - Professional

  • AWS Certified Generative AI Developer - Associate

  • HashiCorp Certified: Terraform Associate (004) or Authoring & Operations

  • Open-source contributions, public technical writing, or conference speaking on cloud, IaC, or platform engineering topics

  • Experience with FinOps practices and cloud cost management at scale


Pay Range:

$125,145.00 - $208,575.00
Actual base salary varies based on factors, including but not limited to, relevant skill, prior experience, education, base salary of internal peers, demonstrated performance, and geographic location. Additionally, LPL Total Rewards package is highly competitive, designed to support your success at work, at home, and at play – such as 401K matching, health benefits, employee stock options, paid time off, volunteer time off, and more. Your recruiter will be happy to discuss all that LPL has to offer!

About LPL Financial Holdings, Inc.

LPL Financial Holdings, Inc. Careers

Joining LPL Financial Holdings, Inc. presents an unparalleled opportunity to become part of a leading team of professionals in the financial services industry. The company is renowned for its commitment to innovation, leadership, and professional growth, making it an ideal workplace for ambitious individuals looking to advance their careers.

Explore Job Opportunities

LPL Financial Holdings, Inc. offers a variety of job opportunities that cater to a range of skills and interests. From entry-level positions to senior leadership roles, each job opening provides a platform for personal and professional development. Candidates can expect a rigorous interview process that ensures each team member is not only a fit for the position but also aligns with the company's culture of excellence and integrity.

Internship Programs

For those starting their career journey, LPL Financial Holdings, Inc. provides robust internship programs designed to offer real-world experience in the financial sector. Internships are a cornerstone of the company's commitment to nurturing young talent, providing a foundation of knowledge and skills that are crucial for future employment in the industry.

Commitment to Diversity and Inclusion

Diversity and inclusion are at the heart of LPL Financial Holdings, Inc. The company believes in empowering all employees through diversity training and leadership opportunities that promote an inclusive workplace. This approach not only enhances team collaboration but also drives innovation and creativity.

Benefits and Culture

LPL Financial Holdings, Inc. is dedicated to supporting its employees with comprehensive benefits designed to promote a healthy work-life balance. Benefits include competitive health care options, retirement plans, and wellness programs. The company culture is built on a foundation of mutual respect and teamwork, encouraging networking and professional development across all levels of the organization.

Professional Growth and Development

Employees at LPL Financial Holdings, Inc. are encouraged to continuously enhance their professional skills and advance their careers within the company. Leadership development programs and continuous learning opportunities are readily available, allowing individuals to achieve their career goals and contribute effectively to their teams.

Join the LPL Financial Holdings, Inc. Team

LPL Financial Holdings, Inc. is actively hiring and looking for passionate, creative, and solution-driven team players. Explore open positions that match your skills and interests on the LPL Financial Holdings, Inc. careers page. Each position offers a chance to be part of a dynamic team that is instrumental in shaping the future of financial services.

Stay Connected

Keep up to date with career tips, insider perspectives, and industry-leading insights through the LPL Financial Holdings, Inc. careers blog. Personalize your subscription to receive job alerts, latest news, and insider tips tailored to your preferences. Discover the exciting and rewarding career opportunities that await at LPL Financial Holdings, Inc.

Embark on a career path that fosters growth, embraces diversity, and rewards innovation. LPL Financial Holdings, Inc. is not just a company—it's a place where you can make a difference.