AVP, AWS Security Engineer

Job Overview:
As the AVP, AWS Security Engineer, you are a hands-on senior cloud security engineer in the Security & Governance pod within the Foundations team in LPL's Cloud Center of Excellence (CCOE). At LPL, security is everyone's responsibility, and Security & Governance is involved in every aspect of CCOE - so you partner closely with the Network Engineering pod within Foundations and collaborate with every other team and pod across CCOE (Foundations, Platforms, Containers, Support, Delivery) to raise our cloud security posture to meet the standards of LPL's enterprise Information Security organization and the application and infrastructure teams delivering into our AWS landing zone. You codify controls today in Security Hub CSPM and AWS Config - including custom conformance packs - and you help adopt additional control-management systems as the landscape evolves. You partner with the Security Engineering team within LPL's Information Security organization (a peer of Security Architecture), which manages Wiz, to jointly monitor Wiz signal and drive resolution of Wiz findings; you separately drive resolution of Security Hub findings within CCOE (the two often diverge). You support LPL's enterprise vulnerability management department on cloud-workload findings rather than owning vulnerability management end-to-end, and you contribute directly to the Account Factory for Terraform (AFT) foundational base layer so security baselines are codified into the platform. LPL is an AWS-first CCOE: a multi-account landing zone with 100+ private reusable Terraform modules that enable 60+ AWS services, all delivered through Terraform Cloud and GitHub Actions. You spend the majority of your time hands-on in Terraform, security-findings triage, control authoring, and incident response across LPL's US offices and India Global Capability Center (GCC).
Responsibilities:

• Codify and continuously improve LPL's cloud control library - Security Hub CSPM as today's AWS-native control system, AWS Config with custom conformance packs to express controls as code, and additional control-management systems as the landscape evolves - and triage, investigate, and drive resolution of Security Hub findings within CCOE
• Partner with the Security Engineering team within LPL's enterprise Information Security organization (a peer of Security Architecture), which manages Wiz, to jointly monitor Wiz signal and drive resolution of Wiz findings, recognizing that Wiz and Security Hub findings frequently diverge
• Contribute directly to the Account Factory for Terraform (AFT) foundational base layer - security-control modules, Service Control Policies, AWS Config conformance packs, and reference patterns - so the secure-by-default posture is a property of the platform every account inherits
• Support LPL's enterprise vulnerability management department on cloud-workload findings: assist with triage, prioritization, and remediation guidance for findings that originate in or affect AWS, without owning vulnerability management end-to-end
• Operate as the security & governance partner across every CCOE team and pod - Foundations (FinOps, Functional Design Engineering & Strategy, Network Engineering, Monitoring), Platforms, Containers, Support, and Delivery - since Security & Governance is involved in every aspect of CCOE; embed security and governance review into design, code, and delivery touchpoints
• Partner closely and day-to-day with the Network Engineering pod within Foundations (VP, AVP, and engineers) on shared network-security controls: segmentation and micro-segmentation, ingress/egress inspection, encryption in transit, WAF, Shield, and certificate lifecycle
• Collaborate cross-organization with Security Architecture and Security Engineering - peer teams within LPL's Information Security organization - to evaluate, pilot, and operationalize additional security solutions (CNAPP, CSPM, CWPP, runtime defense, DSPM, secrets scanning) and to ensure CCOE's posture meets InfoSec and application-team requirements
• Translate regulatory requirements (FINRA, SEC, PCI, SOX) into automated, code-reviewed controls; lead cloud-security incident response within CCOE's scope as a senior responder; partner with Internal Audit and Information Security on evidence collection, attestation, and audit response; drive blameless post-incident reviews to durable control improvements
• Embed agentic AI capabilities into the team's engineering practice (e.g., Cursor, Claude Code, Bedrock, MCP servers, agentic IaC and review workflows) and into the platform's self-service experience for internal customers
• Embed agentic AI capabilities into security governance: AI-assisted triage of Security Hub and Wiz findings, automated control authoring (Terraform and AWS Config conformance pack drafts from natural-language intent), conversational interfaces for control inquiries, and MCP-backed agents that join Security Hub, AWS Config, Wiz signal, and Terraform context into one queryable view
• Operate as a hands-on senior cloud engineer: spend the majority of your time in Terraform code, security tooling configuration, vulnerability remediation, design reviews, peer reviews, and incident response - hands-on engineering is the primary leverage point
• Personally participate in 24x7 on-call rotations as a senior technical responder and escalation point for production incidents
• Partner with peer engineers, AVPs, and VPs across the Cloud Center of Excellence - the five CCOE teams (Foundations, Platforms, Containers, Support, Delivery) and the five Foundations pods (Security & Governance, FinOps, Functional Design Engineering & Strategy, Network Engineering, Monitoring) - to align roadmaps and remove cross-team and cross-pod blockers
• Champion AWS Well-Architected Framework adoption (with emphasis on the Security pillar) and drive continuous improvement against operational, security, reliability, and compliance outcomes
• Contribute to the private Terraform module library and the Account Factory for Terraform (AFT) foundational base layer, including security-control modules and reference patterns
• Raise engineering quality across the pod through code review, design partnership, and technical pairing - acting as a force multiplier without direct reports
• Participate in Agile/Scrum ceremonies (sprint planning, standups, backlog grooming, retrospectives) and partner with the RTE and PMO on delivery commitments and dependencies
• Represent the pod's security posture in architecture review boards, internal audit, and customer engagements; communicate technical risk and trade-offs clearly to engineers and to non-technical executives
  
  

  Equal Opportunity Employer
  We are an equal opportunity employer. All aspects of employment including the decision to hire, promote, discipline, or discharge, will be based on merit, competence, performance, and business needs. We do not discriminate on the basis of race, color, religion, marital status, age, national origin, ancestry, physical or mental disability, medical condition, pregnancy, genetic information, gender, sexual orientation, gender identity or expression, national origin, citizenship/ immigration status, veteran status, or any other status protected under federal, state, or local law.