Head of Platform Security & Compliance
Head of Platform Security & Compliance
ROLE
– Lead platform security and compliance activities across engineering, implementation, reliability, and operations teams.
– Translate security baselines, audit requirements, internal controls, and assurance expectations into practical delivery practices.
– Establish clear ownership, accountability, and documentation discipline for platform security and compliance activities.
– Coordinate evidence gathering, control mapping, and audit readiness for SOC 2 Type II, ISO 27001, internal security reviews, and other applicable assurance activities.
– Ensure platform teams maintain documentation needed for audits, attestations, customer assurance requests, and internal security reviews.
– Act as a practical bridge between engineering teams and enterprise security, legal, risk, and compliance stakeholders.
– Embed secure development practices into software delivery, platform implementation, and operational workflows.
– Partner with Application Engineering, Data & AI Engineering, Solution Engineering, and Platform Reliability to define security expectations for design, development, testing, deployment, and production support.
– Support secure coding, code review, access control, vulnerability management, dependency management, secrets management, logging, monitoring, and incident readiness practices.
– Help teams identify security and compliance risks early in the delivery lifecycle and define pragmatic remediation plans.
– Promote repeatable secure delivery patterns that can be adopted across custom software, APIs, data services, AI-enabled features, and low-code or hybrid platform implementations.
– Maintain practical documentation for controls, procedures, evidence, system ownership, access models, data flows, and security-related delivery practices.
– Coordinate audit evidence collection across globally distributed teams and ensure evidence is accurate, current, and traceable.
– Support control design and control operation activities for SOC 2 Type II, ISO 27001, and internal security requirements.
– Partner with platform and engineering teams to maintain evidence for CI/CD, change management, access reviews, incident management, vulnerability management, logging, backup, availability, and secure development practices.
– Improve repeatability and reduce audit burden by creating templates, evidence standards, documentation patterns, and clear operating procedures.
– Support secure adoption of AI-assisted development practices across engineering and implementation teams.
– Define practical expectations for use of LLM-enabled tools, including data handling, prompt and output review, code review, auditability, intellectual property considerations, and secure coding expectations.
– Partner with Data & AI Engineering, Product, Security, Legal, and Global Shared Services teams to support responsible AI practices for AI-enabled platform capabilities.
– Ensure security and compliance fundamentals remain central as teams increase delivery velocity through AI-enabled development workflows.
– Help establish evidence and documentation practices for AI-enabled features, AI-assisted development, model usage, prompt management, and production AI behaviors where applicable.
– Review platform architecture, integration patterns, identity models, access controls, data flows, and deployment models from a security and compliance perspective.
– Promote reusable security patterns, shared control documentation, and consistent data protection standards across platform services.
– Guide security considerations across Azure, AWS, custom software, APIs, data services, AI-enabled capabilities, and low-code or hybrid development environments.
– Partner with Solution Architecture and Platform Reliability to ensure security and compliance requirements are reflected in architecture decisions and operational practices.
– Support secure interoperability across applications, platform services, enterprise systems, data flows, authentication models, and customer-facing delivery workflows.
– Identify, document, and communicate platform security and compliance risks in a clear, actionable way.
– Track remediation actions, control gaps, audit findings, and security improvements through resolution.
– Partner with Security, Legal, Global Shared Services, Product, and engineering leaders to clarify ownership and ensure alignment with enterprise policies.
– Support customer assurance, internal governance, and compliance-related requests by coordinating accurate and timely platform security information.
– Promote a culture where security, compliance, and auditability are treated as practical delivery responsibilities rather than separate after-the-fact activities.
