AVP, AWS Security Engineer

Where Ambition Meets Innovation Build a career that matches all your initiative with an impressive dose of innovation. From cutting-edge resources and a collaborative environment to the freedom to make an impact and more, you’ll find the ingredients you need at LPL Financial to shape your success while helping clients pursue their financial goals. At LPL, security is everyone's responsibility — and the Security & Governance pod within our Cloud Center of Excellence is where that responsibility becomes a property of our AWS landing zone. As AVP, Security & Governance, you raise LPL's cloud security posture to meet the standards of our enterprise Information Security organization and the application and infrastructure teams shipping into the landing zone. Security & Governance is involved in every aspect of CCOE, so you partner closely with the Network Engineering pod within Foundations and collaborate with every other CCOE team and pod. You codify controls in Security Hub CSPM and AWS Config (including custom conformance packs), partner with Security Engineering on Wiz signal, and support our enterprise vulnerability management team — all while staying hands-on in AWS and Terraform. If you'd rather codify a control once than chase it ten times, and want to operate as the security partner to every engineering team in our cloud, this is your seat. Job Overview: As the AVP, AWS Security Engineer, you are a hands-on senior cloud security engineer in the Security & Governance pod within the Foundations team in LPL's Cloud Center of Excellence (CCOE). At LPL, security is everyone's responsibility, and Security & Governance is involved in every aspect of CCOE — so you partner closely with the Network Engineering pod within Foundations and collaborate with every other team and pod across CCOE (Foundations, Platforms, Containers, Support, Delivery) to raise our cloud security posture to meet the standards of LPL's enterprise Information Security organization and the application and infrastructure teams delivering into our AWS landing zone. You codify controls today in Security Hub CSPM and AWS Config — including custom conformance packs — and you help adopt additional control-management systems as the landscape evolves. You partner with the Security Engineering team within LPL's Information Security organization (a peer of Security Architecture), which manages Wiz, to jointly monitor Wiz signal and drive resolution of Wiz findings; you separately drive resolution of Security Hub findings within CCOE (the two often diverge). You support LPL's enterprise vulnerability management department on cloud-workload findings rather than owning vulnerability management end-to-end, and you contribute directly to the Account Factory for Terraform (AFT) foundational base layer so security baselines are codified into the platform. LPL is an AWS-first CCOE: a multi-account landing zone with 100+ private reusable Terraform modules that enable 60+ AWS services, all delivered through Terraform Cloud and GitHub Actions. You spend the majority of your time hands-on in Terraform, security-findings triage, control authoring, and incident response across LPL's US offices and India Global Capability Center (GCC). Responsibilities: Codify and continuously improve LPL's cloud control library — Security Hub CSPM as today's AWS-native control system, AWS Config with custom conformance packs to express controls as code, and additional control-management systems as the landscape evolves — and triage, investigate, and drive resolution of Security Hub findings within CCOE Partner with the Security Engineering team within LPL's enterprise Information Security organization (a peer of Security Architecture), which manages Wiz, to jointly monitor Wiz signal and drive resolution of Wiz findings, recognizing that Wiz and Security Hub findings frequently diverge Contribute directly to the Account Factory for Terraform (AFT) foundational base layer — security-control modules, Service Control Policies, AWS Config conformance packs, and reference patterns — so the secure-by-default posture is a property of the platform every account inherits Support LPL's enterprise vulnerability management department on cloud-workload findings: assist with triage, prioritization, and remediation guidance for findings that originate in or affect AWS, without owning vulnerability management end-to-end Operate as the security & governance partner across every CCOE team and pod — Foundations (FinOps, Functional Design Engineering & Strategy, Network Engineering, Monitoring), Platforms, Containers, Support, and Delivery — since Security & Governance is involved in every aspect of CCOE; embed security and governance review into design, code, and delivery touchpoints Partner closely and day-to-day with the Network Engineering pod within Foundations (VP, AVP, and engineers) on shared network-security controls: segmentation and micro-segmentation, ingress/egress inspection, encryption in transit, WAF, Shield, and certificate lifecycle Collaborate cross-organization with Security Architecture and Security Engineering — peer teams within LPL's Information Security organization — to evaluate, pilot, and operationalize additional security solutions (CNAPP, CSPM, CWPP, runtime defense, DSPM, secrets scanning) and to ensure CCOE's posture meets InfoSec and application-team requirements Translate regulatory requirements (FINRA, SEC, PCI, SOX) into automated, code-reviewed controls; lead cloud-security incident response within CCOE's scope as a senior responder; partner with Internal Audit and Information Security on evidence collection, attestation, and audit response; drive blameless post-incident reviews to durable control improvements Embed agentic AI capabilities into the team's engineering practice (e.g., Cursor, Claude Code, Bedrock, MCP servers, agentic IaC and review workflows) and into the platform's self-service experience for internal customers Embed agentic AI capabilities into security governance: AI-assisted triage of Security Hub and Wiz findings, automated control authoring (Terraform and AWS Config conformance pack drafts from natural-language intent), conversational interfaces for control inquiries, and MCP-backed agents that join Security Hub, AWS Config, Wiz signal, and Terraform context into one queryable view Operate as a hands-on senior cloud engineer: spend the majority of your time in Terraform code, security tooling configuration, vulnerability remediation, design reviews, peer reviews, and incident response — hands-on engineering is the primary leverage point Personally participate in 24x7 on-call rotations as a senior technical responder and escalation point for production incidents Partner with peer engineers, AVPs, and VPs across the Cloud Center of Excellence — the five CCOE teams (Foundations, Platforms, Containers, Support, Delivery) and the five Foundations pods (Security & Governance, FinOps, Functional Design Engineering & Strategy, Network Engineering, Monitoring) — to align roadmaps and remove cross-team and cross-pod blockers Champion AWS Well-Architected Framework adoption (with emphasis on the Security pillar) and drive continuous improvement against operational, security, reliability, and compliance outcomes Contribute to the private Terraform module library and the Account Factory for Terraform (AFT) foundational base layer, including security-control modules and reference patterns Raise engineering quality across the pod through code review, design partnership, and technical pairing — acting as a force multiplier without direct reports Participate in Agile/Scrum ceremonies (sprint planning, standups, backlog grooming, retrospectives) and partner with the RTE and PMO on delivery commitments and dependencies Represent the pod's security posture in architecture review boards, internal audit, and customer engagements; communicate technical risk and trade-offs clearly to engineers and to non-technical executives What are we looking for? We’re looking for strong collaborators who deliver exceptional client experiences and thrive in fast-paced, team-oriented environments. Our ideal candidates pursue greatness, act with integrity, and are driven to help our clients succeed. We value those who embrace creativity, continuous improvement, and contribute to a culture where we win together and create and share joy in our work. Requirements: 7+ years of progressive technical experience including 3+ years in a senior cloud security, network security, or cloud infrastructure engineering role; Bachelor's degree in Computer Science, Engineering, or a related discipline (or equivalent work experience) 3+ years of hands-on production AWS at scale in a multi-account landing zone with strong production Terraform delivered through Terraform Cloud and GitHub Actions 3+ years experience operating as a senior individual contributor (AVP, Senior Engineer, Staff Engineer, or equivalent), influencing technical direction and uplifting peer engineers without direct authority — including code review leadership, design-review participation, and technical mentorship 3+ years experience personally participating in 24x7 production on-call rotations in a fast-paced, security-conscious, regulated environment (financial services strongly preferred) 5+ years hands-on production experience codifying cloud security controls in Security Hub CSPM and AWS Config (including custom conformance packs), with awareness of the broader CSPM and control-management landscape (Wiz, Prisma Cloud, Lacework, Orca) and how those systems integrate with Security Hub Core Competencies: Treats every security finding as a chance to fix a class of issues in code — prefers a one-time control change over a recurring ticket Operates as the governance voice within an engineering organization where security is everyone's responsibility — raises the bar through controls and partnership, not policing Leads in a matrixed environment without direct reports: drives outcomes through partnership, code, clear technical writing, and credibility with peer engineers, AVPs, and VPs — not through positional authority or people management Strong partnership instincts with Security Architecture, Security Engineering, and Network Engineering peers — operates as one team across boundaries Continuous learner, especially in cloud-native, IaC, platform engineering, and applied AI Sets vision and translates ambiguous strategy into executable engineering roadmaps Bias for self-service, automation, and reducing toil for downstream internal customers Builds high-trust relationships across the US and India organization and across functions (Architecture, Security, FinOps, Application Engineering, Network, Audit) Calm, decisive incident commander; fosters a strong post-incident learning culture Excellent written and verbal communication, executive presence, and ability to influence without direct authority Thrives in matrixed, fast-paced, regulated environments with imperfect information Preferences: AWS Certified Security – Specialty Hands-on production exposure to Wiz, Prisma Cloud, Lacework, Orca, or a comparable CNAPP / CSPM platform — enough to be an effective partner to the team that operates it Hands-on experience with Service Control Policies (SCPs), AWS Config conformance packs (including custom packs), and policy-as-code (Sentinel, OPA / Conftest) Familiarity with industry security frameworks (CIS Benchmarks, NIST 800-53, NIST CSF, FedRAMP) and translating them into automated controls Hands-on experience with AWS networking primitives (VPC, Transit Gateway, PrivateLink, Network Firewall, Route 53) and the security controls that wrap them Master's degree in Computer Science, Engineering, or MBA Experience integrating agentic AI / GenAI tooling (Cursor, Claude Code, Copilot, Bedrock, MCP) into platform, IaC, and engineering practice Strong scripting / programming proficiency in Python, Bash, or PowerShell AWS Solutions Architect - Professional AWS Certified Generative AI Developer - Associate HashiCorp Certified: Terraform Associate (004) or Authoring & Operations Open-source contributions, public technical writing, or conference speaking on cloud, IaC, or platform engineering topics Experience with FinOps practices and cloud cost management at scale Pay Range: $125,145.00 - $208,575.00 Actual base salary varies based on factors, including but not limited to, relevant skill, prior experience, education, base salary of internal peers, demonstrated performance, and geographic location. Additionally, LPL Total Rewards package is highly competitive, designed to support your success at work, at home, and at play – such as 401K matching, health benefits, employee stock options, paid time off, volunteer time off, and more. Your recruiter will be happy to discuss all that LPL has to offer! Company Overview: LPL Financial Holdings Inc. (Nasdaq: LPLA) is among the fastest growing wealth management firms in the U.S. As a leader in the financial advisor-mediated marketplace(6) , LPL supports over 32,000 financial advisors and the wealth management practices of approximately 1,100 financial institutions, servicing and custodying approximately $2.3 trillion in brokerage and advisory assets on behalf of approximately 8 million Americans. The firm provides a wide range of advisor affiliation models, investment solutions, fintech tools and practice management services, ensuring that advisors and institutions have the flexibility to choose the business model, services, and technology resources they need to run thriving businesses. For further information about LPL, please visit At LPL, independence means that advisors and institution leaders have the freedom they deserve to choose the business model, services, and technology resources that allow them to run a thriving business. They have the flexibility to do business their way. And they have the freedom to manage their client relationships, because they know their clients best. Simply put, we take care of our advisors and institutions, so they can take care of their clients. For further information about LPL, please visit Join the LPL team and help us make a difference by turning life’s aspirations into financial realities. Please log in or create an account to apply to this position. Principals only. EOE. Information on Interviews: LPL will only communicate with a job applicant directly from an @lplfinancial.com email address and will never conduct an interview online or in a chatroom forum. During an interview, LPL will not request any form of payment from the applicant, or information regarding an applicant’s bank or credit card. Should you have any questions regarding the application process, please contact LPL’s Human Resources Solutions Center at View phone number on click.appcast.io. EAC 5.19.26 LPL Financial is the nation’s largest independent broker-dealer.* Our company is widely known for its financial strength, exceptional service, and favorable industry reputation among financial professionals. To understand who we are, it’s important to know our core belief: financial guidance is a fundamental need for everyone. LPL Financial creates the space to let you do what you do best – create personal, long-term client relationships that turn financial aspirations into realities. Each year, thousands of financial professionals successfully manage billions of dollars in assets. Because our company is not too big and not too small, you can seize the opportunity to make a real impact. To learn more about our organization visit our About LPL page. * As reported by Financial Planning magazine, June 1996-2019, based on total revenue. Want to learn more about the benefits of working at LPL? Check out the links below! We Are LPL Benefits Culture Social Responsibility