Senior Director of Governance, Risk, Compliance & Privacy

Washington - Seattle Campus, United States

Expedia Group

Let’s transform travel together.

Expedia Group brands power global travel for everyone, everywhere. We design cutting-edge tech to make travel smoother and more memorable, and we create groundbreaking solutions for our partners. Our diverse, vibrant, and welcoming community is essential in driving our success.

Why Join Us?

To shape the future of travel, people must come first. Guided by our Values and Leadership Agreements, we foster an open culture where everyone belongs and differences are celebrated, and we know that when one of us wins, we all win.

We provide a full benefits package, including exciting travel perks, generous time-off, parental leave, a flexible work model (with some pretty cool offices), and career development resources, all to fuel our employees' passion for travel and ensure a rewarding career journey. We’re building a more open world. Join us.

Expedia Technology builds innovative products, services, and tools to deliver high-quality experiences for travelers, partners, and our employees. A singular technology platform powered by data and machine learning provides secure, differentiated, and personalized experiences for the traveler and our partners that drive loyalty and customer satisfaction.   

The Enterprise Information Security team is seeking a strategic leader to drive world-class governance, regulatory alignment, and compliance across Expedia Group’s technology and business environments. This role is essential in embedding cybersecurity, risk management practices and privacy across the organization, grounded in frameworks such as NIST Cybersecurity Framework and ISO/IEC 27001.

What you’ll do:  

  • Responsibilities include PCI-DSS certification, SOC2 attestation, CCPA and GDPR compliance, enterprise-wide policy development and enforcement, and oversight of Enterprise Information Security (EI) contract language.
  • Partnering closely with both technology and business stakeholders, this role will drive long-term compliance initiatives, promote sustainable risk reduction, and mature Expedia Group’s global security posture through actionable governance and operational excellence.
  • Lead and drive a team of 40+ Security Analysts and Compliance Experts, partnering and collaborating with business and technology teams to develop actionable solutions for security compliance, certifications, and governance.
  • Work closely with product management to prioritize and establish the roadmap for the team; provide oversight for the creation, revision, implementation, and compliance of security directives, policies, procedures, and controls; and own and evolve privacy and compliance programs aligned to global regulations such as GDPR, CCPA, and SOX.
  • Drive risk identification, mitigation strategies, and control effectiveness through ongoing risk assessments, third-party reviews, and continuous control monitoring; coordinate and respond to internal and external audits, including PCI, SOC2, ISO 27001, and regulatory assessments; and develop and maintain scalable processes for control testing, evidence collection, and audit readiness across all environments.
  • Ensure alignment with industry standards and frameworks such as NIST CSF, ISO/IEC 27001, and PCI-DSS, and lead third-party risk management activities, including vendor onboarding reviews, ongoing risk assessments, and contractual security requirements.

Who you are:  

  • Experience leading a large and diverse globally distributed team.
  • Must have well-developed change management skills; be effective in working across organizational boundaries to build a case for changes, and to execute on the change plan from strategy through to ongoing operation and continuous process improvement.
  • Knowledge of current security controls and landscape including traditional data center and cloud computing platforms (preferably AWS).
  • Experienced in, and able to formulate, the effectiveness and benefits of security compliance and certification initiatives in the context of overall business risk mitigation, security posture, and the company’s operational objectives.
  • Demonstrated knowledge of security industry standards, privacy regulations, compliance testing and leading practices (e.g. PCI, OWASP, NIST, CIS, GDPR).
  • Familiar with third-party risk management processes, including vendor security assessments, contract reviews, and remediation tracking.

The total cash range for this position in Seattle is $244,500.00 to $342,000.00. Employees in this role have the potential to increase their pay up to $391,000.00, which is the top of the range, based on ongoing, demonstrated, and sustained performance in the role.

Starting pay for this role will vary based on multiple factors, including location, available budget, and an individual’s knowledge, skills, and experience. Pay ranges may be modified in the future.

Accommodation requests

If you need assistance with any part of the application or recruiting process due to a disability, or other physical or mental health conditions, please reach out to our Recruiting Accommodations Team through the Accommodation Request.

We are proud to be named as a Best Place to Work on Glassdoor in 2024 and be recognized for award-winning culture by organizations like Forbes, TIME, Disability:IN, and others.

Expedia Group's family of brands includes: Brand Expedia®, Hotels.com®, Expedia® Partner Solutions, Vrbo®, trivago®, Orbitz®, Travelocity®, Hotwire®, Wotif®, ebookers®, CheapTickets®, Expedia Group™ Media Solutions, Expedia Local Expert®, CarRentals.com™, and Expedia Cruises™. © 2024 Expedia, Inc. All rights reserved. Trademarks and logos are the property of their respective owners. CST: 2029030-50

Employment opportunities and job offers at Expedia Group will always come from Expedia Group’s Talent Acquisition and hiring teams. Never provide sensitive, personal information to someone unless you’re confident who the recipient is. Expedia Group does not extend job offers via email or any other messaging tools to individuals with whom we have not made prior contact. Our email domain is @expediagroup.com. The official website to find and apply for job openings at Expedia Group is careers.expediagroup.com/jobs.

Expedia is committed to creating an inclusive work environment with a diverse workforce. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. This employer participates in E-Verify. The employer will provide the Social Security Administration (SSA) and, if necessary, the Department of Homeland Security (DHS) with information from each new employee's I-9 to confirm work authorization.

Tags: Audits AWS CCPA Cloud Compliance GDPR Governance ISO 27001 Machine Learning Monitoring NIST OWASP Privacy Risk assessment Risk management Security assessment SOC 2 SOX Strategy

Perks/benefits: Career development Flex hours Flex vacation Health care Parental leave Team events Travel

Region: North America
Country: United States
