Data Protection Operations Lead

Airbnb

17h•Remote

About The Position

Airbnb was born in 2007 when two hosts welcomed three guests to their San Francisco home, and has since grown to over 5 million hosts who have welcomed over 2 billion guest arrivals in almost every country across the globe. Every day, hosts offer unique stays and experiences that make it possible for guests to connect with communities in a more authentic way. The Community You Will Join: Airbnb is a mission-driven company dedicated to helping create a world where anyone can belong anywhere. It takes a unified team committed to our core values to achieve this goal. Airbnb's various functions embody the company's innovative spirit and our fast-moving team is committed to leading as a 21st century company. The strategic goal of the Risk and Compliance Operations team is to focus on creating the standardized operational security processes and protocols in order to ensure there is proper Risk Governance and Compliance for Community Support teams in specific domains, including product, process, and engineering in accordance with company policies and contractual agreements. The Difference You Will Make: As a key member of our team, you’ll drive operational excellence, foster innovation, and champion security and productivity. You’ll play a pivotal role in designing and maintaining provisioning frameworks, collaborating with engineering partners to optimize permission models and tooling, and balancing speed with robust security across all processes. Your expertise will be essential in leading cross-functional Customer Support initiatives, securing alignment, and building strategic partnerships with teams like InfoSec, Partner Management, Legal, and Privacy to advance our mission. Through your work with stakeholders, you will: Develop and execute improvement roadmaps. Manage projects for implementing new security and privacy controls. Lead process enhancements and optimize access controls. Define audit and reporting mechanisms for both internal and vendor teams. Deliver best-in-class privacy and data protection for Operations. You’ll be joining a newly formed team with the rare opportunity to shape its culture and direction—bringing vision, leadership, and an entrepreneurial spirit as our team grows. A Typical Day: Governance & Reporting: Measure, report, and govern privileged access controls to ensure compliance. Requirements & Implementation: Document and translate PAM (Privileged Access Management) requirements for technology partners, supporting efficient, modern, and sustainable solutions. Stakeholder Collaboration: Work cross-functionally to develop and iterate on PAM requirements across Process, Data, and Technology domains. Policy & Standards: Partner with the policy governance team to socialize and publish updates to the PAM Standard. Authentication & Security: Apply your mastery of authentication platforms (Active Directory, LDAP, Kerberos, Radius) and PAM principles (JIT provisioning) to make recommendations to policy and provisioning processes and technology teams. Regulatory Compliance: Ensure alignment with industry regulations and standards (NIST, ISO/IEC, FFIEC), particularly within financial services. Risk Management: Proactively identify, assess, and mitigate PAM risks, driving continuous improvement and accountability. Stakeholder Engagement: Report on existing and emerging PAM/information security risks to senior leadership with transparency and clarity. Quality Assurance: Design and execute thorough test strategies for privileged access processes, collaborate on defect resolution, and recommend improvements for usability, resilience, and security. Documentation: Maintain clear, comprehensive records of policies, approval processes, and test outcomes. Industry Engagement: Stay up-to-date with emerging trends and best practices in privileged access management. Access Management policies: Define and maintain access management policies for different user personas (admin, developer, user, viewer). Leadership: Coach and train team members, ensuring accurate and efficient Human in the Loop processes. Access lifecycle: Oversee the full lifecycle of access (create, edit, delete, view, hide, etc.). Build and refine abstractions to inform access decisions, considering: User roles/personas Tenant or organizational affiliation Privileges assigned via specific permissions or group memberships

Requirements

8+ years of hands-on experience with Access and Privileged Access Management (PAM) operations in a technology-driven environment.
Demonstrated experience in PAM operational tasks, including safe creation and management, privileged account onboarding, policy development, and least-privilege access model implementation.
Solid background in identity and access management (IAM) principles and industry best practices.
Experience with operationalizing Just-In-Time (JIT) privilege models, role-based access controls (RBAC), and enforcing Segregation of Duties (SoD).
Working knowledge of authentication protocols (e.g., SAML, OAuth, OpenID Connect, Active Directory, LDAP, Kerberos).
Familiarity with cloud-based privileged access management, including the classification and management of non-human identities (service accounts, API keys, etc.).
Strong understanding of security standards and regulatory frameworks (NIST, ISO/IEC, FFIEC) relevant to access management.
Strong SQL abilities, including querying and dashboard creation.
Clear, concise communication skills, with a proven ability to collaborate across engineering, security, product, and operational teams without a technical background to drive alignment and best-in-class solutions.
Experience in documenting policies, procedures, and reporting on PAM-related risk and compliance metrics.
Demonstrated ownership and accountability for continuous improvement in PAM controls and risk management.
Proactive in identifying and mitigating security risks related to privileged access.
Comfortable working in a fast-paced environment and contributing to cross-functional or global initiatives.
Demonstrated ability to build and coach teams.

Nice To Haves

Familiarity with access management challenges specific to cloud-native environments (AWS, GCP, Azure).
Involvement in developing or maintaining Privileged Access Management strategies that address both human and non-human identities, including business users, developers, and service accounts.

Responsibilities

Develop and execute improvement roadmaps.
Manage projects for implementing new security and privacy controls.
Lead process enhancements and optimize access controls.
Define audit and reporting mechanisms for both internal and vendor teams.
Deliver best-in-class privacy and data protection for Operations.
Measure, report, and govern privileged access controls to ensure compliance.
Document and translate PAM (Privileged Access Management) requirements for technology partners, supporting efficient, modern, and sustainable solutions.
Work cross-functionally to develop and iterate on PAM requirements across Process, Data, and Technology domains.
Partner with the policy governance team to socialize and publish updates to the PAM Standard.
Apply your mastery of authentication platforms (Active Directory, LDAP, Kerberos, Radius) and PAM principles (JIT provisioning) to make recommendations to policy and provisioning processes and technology teams.
Ensure alignment with industry regulations and standards (NIST, ISO/IEC, FFIEC), particularly within financial services.
Proactively identify, assess, and mitigate PAM risks, driving continuous improvement and accountability.
Report on existing and emerging PAM/information security risks to senior leadership with transparency and clarity.
Design and execute thorough test strategies for privileged access processes, collaborate on defect resolution, and recommend improvements for usability, resilience, and security.
Maintain clear, comprehensive records of policies, approval processes, and test outcomes.
Stay up-to-date with emerging trends and best practices in privileged access management.
Define and maintain access management policies for different user personas (admin, developer, user, viewer).
Coach and train team members, ensuring accurate and efficient Human in the Loop processes.
Oversee the full lifecycle of access (create, edit, delete, view, hide, etc.). Build and refine abstractions to inform access decisions, considering: User roles/personas Tenant or organizational affiliation Privileges assigned via specific permissions or group memberships