Director Cybersecurity, Data Privacy, & Compliance

Director Cybersecurity, Data Privacy, & Compliance

Cottonwood Heights, Utah, United States

Working at Breeze Airways is an exciting endeavor and a serious commitment to bring "The World's Nicest Airline" to life. We work cross-functionally with truly awesome Team Members to deliver on our mission: "To make the world of travel simple, affordable, and convenient. Improving our guests travel experience using technology, ingenuity and kindness."

Breeze is hiring- join us!

The Director Cybersecurity, Data Privacy, & Compliance leads the enterprise cybersecurity, data privacy, and data governance programs while ensuring regulatory compliance across all operational and commercial functions of Breeze Airways. This role defines and executes the organization's information security strategy, establishes and matures the enterprise data privacy and governance framework, ensures compliance with applicable federal, state, and international privacy regulations (including CCPA/CPRA, state privacy laws, and GDPR where applicable), and oversees aviation-specific regulatory compliance obligations related to data and technology (including DOT, TSA, and FAA requirements). The Director also provides strategic oversight for responsible AI/ML governance as the organization adopts emerging technologies. This responsibility extends into all business units within the organization including airport systems, maintenance and engineering, inflight, aircraft, safety, commercial, back office, infrastructure, and cloud.

Here's What You'll Do

• Set the strategy for new technologies and information security products that will support information security requirements for the company and its customers, business partners, and vendors.
• Establish the strategy to mitigate information security risks within the organization.
• Collaborate closely with senior-level technology leaders to develop and plan the information security architecture strategy.
• Lead ongoing threat and vulnerability assessments and substantive testing of information security controls.
• Work closely with other teams, including network engineers, data engineers, software engineers, and business teams to achieve common goals.
• Serve as the escalation point and information security expert for solution designs and technical consulting services.
• Direct complex information security principles and requirements into business initiatives that securely drive innovation, improve customer experience, and control costs
• Oversee and perform technology security risk assessments
• Perform due diligence reviews and manage the remediation efforts of SOC 1/SOC 2 reports, penetration tests, and PCI audits.
• Develop, implement, and maintain the enterprise data privacy program, including privacy policies, standards, and procedures aligned with applicable laws and regulations (CCPA/CPRA, state privacy laws, GDPR where applicable, and emerging federal privacy legislation)
• Guide to the Data Subject Access Request (DSAR) and individual rights management process.
• Lead Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for new systems, applications, vendor engagements, and business initiatives
• Champion privacy-by-design and privacy-by-default principles across technology, business partners and business projects.
• Direct the organization's data breach notification and incident response process in coordination with Legal, Communications, and executive leadership, ensuring compliance with all applicable breach notification requirements.
• Manage and deliver enterprise-wide privacy awareness training and education programs.
• Evaluate and manage privacy risks associated with third-party vendors, business partners, and data processors through contractual controls and ongoing monitoring.
• Establish and lead the enterprise data governance framework, including data ownership, data stewardship, and accountability models across business units.
• Define, develop, and implement data security and governance standards including data classification, encryption, data loss prevention, data access governance for structured and unstructured data, and monitoring to prevent data-related security incidents.
• In coordination with the data analytics team, refine data quality standards, and partner with business and technology teams to ensure data integrity across critical systems.
• Develop and implement policies and frameworks for the responsible and ethical use of artificial intelligence and machine learning technologies across the organization.
• Assess and manage risks related to AI/ML models, including data bias, algorithmic fairness, transparency, and explainability.
• Ensure AI/ML initiatives comply with emerging regulatory requirements and industry best practices for responsible AI.
• Collaborate with data science, business teams, data and software engineering, to embed governance controls into the AI/ML development lifecycle.
• Ensure compliance with aviation-specific regulatory requirements related to data, technology, and cybersecurity, including DOT, TSA, and FAA mandates.
• Monitor and assess the impact of evolving federal, state, and international regulations on the organization's cybersecurity, privacy, and data governance posture.
• Create, update, and improve upon key performance indicators gauging the company's level of compliance and provide reports to leadership.
• Maintain strong oversight of third parties and business partners to safeguard against undue risk and ensure contractual and regulatory compliance.
• Coordinate with Legal and other departments on regulatory examinations, audits, and inquiries related to cybersecurity, data privacy, and data governance.
• Other duties as assigned by the VP of Technology.
• Achieve performance measures and adhere to established standards in conjunction with Breeze Aviation Group Values of Safety, Kindness, Integrity, Ingenuity and Excellence.

Here's What You'll Need To Be Successful

Minimum Qualifications

• 4-year degree in Computer Science, Systems Engineering, Information Technology, Management Information Systems, or a related discipline, or an additional 2+ years of training/experience in lieu of degree
• 8+ years of experience in information security, data privacy, data governance, or a related field
• 4+ years in a leadership role
• 2+ years of experience developing and implementing data governance frameworks, policies, and standards.
• 2+ years of experience with data governance tools and platforms (e.g., data catalogs, metadata management, DLP solutions)
• 2+ years of experience with privacy management platforms and DSAR automation tools
• Deep technical expertise in technology infrastructure, networking, cybersecurity, cloud computing, and enterprise systems architecture is a must
• Demonstrated knowledge of data privacy regulations (e.g., CCPA/CPRA, state privacy laws, GDPR) and experience building or managing a privacy compliance program is also required
• The Director of Cybersecurity must:
• Be a U.S. citizen who is therefore eligible to seek a security clearance at the Secret Level
• Serve as the primary contact for cyber-related intelligence information and cybersecurity-related activities and communications with TSA and the Cybersecurity and Infrastructure Security Agency (CISA)
• Be accessible to TSA and CISA 24-hours a day, seven-days a week
• Coordinate cyber and related security practices and procedures internally
• Work with appropriate law enforcement and emergency response agencies

Preferred Qualifications

• Industry certification in security (e.g., CISSP, CISM, CISA, and/or GIAC)
• Industry certification in privacy (e.g., CIPP/US, CIPP/E, CIPM, CIPT)
• Familiarity with aviation industry regulatory requirements (DOT, TSA, FAA) as they relate to data and technology
• Experience developing AI/ML governance frameworks or responsible AI policies
• Experience in a regulated industry (aviation, financial services, healthcare, etc.)

Skills/Talents

• Ability to work well under pressure, prioritize projects, meet deadlines, and maintain flexibility
• High level of integrity and ethics, able to handle sensitive and/or proprietary information with discretion and confidentiality
• Self-starter must have a positive attitude and strong desire for success
• Strong attention to detail, organization, and time management skills
• Ability to translate complex regulatory and technical requirements into actionable business policies and procedures
• Strong knowledge of privacy laws, data protection regulations, and compliance frameworks (NIST, ISO 27001, PCI DSS, SOC 2)
• Proven leadership and managerial skills, with the ability to inspire, motivate, and develop high-performing teams.
• Excellent oral and written communication skills, with the ability to present to executive leadership, regulators, and cross-functional teams
• Strong analytical and problem-solving abilities, with a focus on driving continuous improvement and innovation in technology systems and processes.
• Ability to work with individuals and teams at all levels in the organization
• Strong stakeholder management skills with the ability to influence without direct authority across business units
<