Director of Engineering – Security & Compliance Engineering – Pearson Software Group Location: USA (Hybrid/Remote flexibility) Reports to: VP, Head of Engineering – PSG **About Pearson Software Group (PSG)** Pearson Software Group (PSG) powers Pearson’s Higher Education and PPG product lines, delivering world-class learning platforms at scale (e.g., MyLab, Mastering, Pearson+, Exam Prep). PSG supports 5,000+ colleagues and millions of learners globally. **Role Overview** The Director of Security & Compliance Engineering (S&C) is a hands-on technical leader who embeds security into the SDLC, partnering with engineering to drive secure-by-design architecture, DevSecOps automation, and developer enablement. The role leads the PSG-SC program to reduce risk, harden platforms, and streamline audits through engineering-first practices and evidence from delivery systems. **Key Responsibilities** **Engineering Leadership & DevSecOps** + Architect and institutionalize secure SDLC practices (threat modeling, secure coding, dependency hygiene, automated testing, release gating). + Own DevSecOps integration across CI/CD (SAST/DAST/IAST, secrets scanning, SBOM, container/image hardening, IaC policy checks). + Drive “shift-left” security through reusable CI/CD templates, policy-as-code, and golden paths. + Partner with platform/SRE to enforce WAF, API AuthN/AuthZ, mTLS, and runtime protections via guardrails—not gates. **Technical Enablement & Developer Experience** + Publish “paved road” toolchains, reference architectures, and code libraries with secure defaults. + Stand up sandboxed environments (e.g., GitPod) and secure-by-default scaffolds to accelerate teams. + Deliver targeted training for engineers (OWASP, secrets, auth, threat modeling) tied to real code and pipelines. **SDLC Governance & Compliance** + Lead SOC 2 Type 2, HECVAT, and institutional reviews using automated evidence from pipelines and platforms. + Define OKRs and SLAs for vulnerability remediation, secrets rotation, agent coverage, and audit readiness; publish executive dashboards. + Align compliance asks with product/engineering roadmaps; triage by business risk and customer impact. **Risk Management & Incident Response** + Own vulnerability management (Qualys/Snyk/OSS posture), secrets lifecycle and key rotation, and perimeter/API security. + Continuously monitor control health; ensure clear ownership, escalation paths, and exception processes. + Improve MTTD/MTTR by integrating detections with engineering telemetry and runbooks. **Operational Excellence** + Optimize run costs for security tooling and tests; ensure renewals/SOWs are timely and value-based. + Report posture, compliance status, and maturity trends; drive continuous improvement and transparency. + Champion a blameless, learning culture that balances speed and safety. **Qualifications** **Required** + 10+ years in software engineering or DevSecOps; 5+ years leading secure SDLC at scale (cloudfirst; AWS preferred). + Expertise in CI/CD automation, SAST/DAST/IAST, SBOM/OSS governance, secrets management,and API/perimeter security. + Hands-on experience integrating controls into developer workflows (policy-as-code, pipelines, pre-commit/pre-merge checks). + Proven delivery of SOC 2 Type 2/HECVAT using automated, system-of-record evidence. + Executive communication; OKR setting; budget ownership; ability to influence product/engineering/security. **Preferred** + Certifications: CISSP, CISM, CCSP, AWS, or relevant DevSecOps credentials. + Experience in EdTech or regulated SaaS; institution-facing security reviews. + Track record of automating compliance (evidence collection, control verification, reporting). Compensation at Pearson is influenced by a wide array of factors including but not limited to skill set, level of experience, and specific location. As required by the California, Colorado, Hawaii, Illinois, Maryland, Minnesota, New Jersey, New York State, New York City, Vermont, Washington State, and Washington DC laws, the pay range for this position is as follows: The minimum full-time salary range is between **$170,000 - $195,000** - This position is eligible to participate in an annual incentive program, and information on benefits offered is here. Applications will be accepted through until the **31 Devember 2025** . This window may be extended depending on business needs. **Who we are:** At Pearson, our purpose is simple: to help people realize the life they imagine through learning. We believe that every learning opportunity is a chance for a personal breakthrough. We are the world's lifelong learning company. For us, learning isn't just what we do. It's who we are. To learn more: We are Pearson. Pearson is an Equal Opportunity Employer and a member of E-Verify. Employment decisions are based on qualifications, merit and business need. Qualified applicants will receive consideration for employment without regard to race, ethnicity, color, religion, sex, sexual orientation, gender identity, gender expression, age, national origin, protected veteran status, disability status or any other group protected by law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act. If you are an individual with a disability and are unable or limited in your ability to use or access our career site as a result of your disability, you may request reasonable accommodations by emailing TalentExperienceGlobalTeam@grp.pearson.com. **Job:** Engineering **Job Family:** TECHNOLOGY **Organization:** Higher Education **Schedule:** FULL\_TIME **Workplace Type:** Remote **Req ID:** 22058 \#location