Provn
    How it worksBrowse jobsFor companiesBlogLog in

    © 2026 Provn Inc. All rights reserved.

    About•Blog•Terms of Service•Privacy Policy

    Made with love in Seattle

    Arrivia/Director - Data Security & Governance
    Arrivia logo

    Director - Data Security & Governance

    Arrivia
    Type
    full-time
    Work Style
    remote
    Location
    Remote (US)
    Posted
    July 17, 2026
    Description

    To be considered for this role, you must complete the associated challenge

    You will protect arrivia's data wherever it lives — through classification, data loss prevention (DLP), and encryption — the controls that most often separate a clean audit from the highest-severity finding. You own classification, DLP, encryption standards and key management, Data Security Posture Management (DSPM), and data residency, and you make strong data governance the default.

    Reports to: Chief Information Officer (CIO) Direct Reports: Yes — leads the Data Security team (target 2)

    WHAT YOU'LL DO

    • Own information classification, labelling, and handling (ISO/IEC 27001:2022 A.5.12–A.5.14) and the Data Security knowledge area of DAMA-DMBOK.
    • Own Data Leakage Prevention (DLP) across egress channels and PII & SOC adherence reviews and controls (ISO/IEC 27001:2022 A.8.12; NIST CSF 2.0 PR.DS).
    • Own Data Security Posture Management (DSPM) across cloud, SaaS, and endpoints.
    • Own cryptography standards, key management, HSM, and key lifecycle, including tokenization (ISO/IEC 27001:2022 A.8.24; NIST SP 800-57; FIPS 140-3).
    • Own data-access governance, insider-risk, and enterprise data retention / information deletion (ISO/IEC 27001:2022 A.8.10).
    • Own data residency / sovereignty controls and records management / eDiscovery (ISO 15489).
    • AI: Own data governance for AI — training-data and RAG-source controls and prompt/response DLP to prevent leakage to LLMs.

    HOW THIS ROLE FITS THE TEAM

    • Privacy owns the privacy management system and data-subject rights (ISO/IEC 27701; GDPR) — this role owns the technical protection controls (classification, DLP, cryptography, retention).
    • Infrastructure builds backups and storage — this role sets the cryptography standards and keys they use (NIST SP 800-57).
    • App & AI Security owns the model registry and runtime guardrails — this role owns training-data controls and prompt/response DLP.

    WHAT SUCCESS LOOKS LIKE

    • 100% of in-scope repositories classified; DLP on 100% of egress channels; triage within SLA.
    • Encryption standards applied to 100% of regulated data at rest and in transit.
    • PII and SOC adherence reviews on schedule; zero un-remediated high findings.
    • Enterprise data retention at ≥95% conformance; insider-risk triaged within SLA.
    • Automate discovery/classification across ≥95% of repositories; automate DLP enforcement.

    KEY PROJECTS

    • DSPM + classification + DLP modernization (Now) — Discover, classify, and enforce wherever data lives.
    • Encryption key management / HSM program (Next) — Centralized key lifecycle and tokenization.
    Required Qualifications

    Bachelor's degree in Computer Science, Cybersecurity, or a related field, or a minimum of 7 years in security. 5+ years in data security and governance, including team leadership. Hands-on experience with data classification and DLP tooling (e.g., Microsoft Purview, Symantec/Broadcom, Forcepoint) across email, endpoint, and cloud. Experience deploying Data Security Posture Management (DSPM) across cloud, SaaS, and endpoints. Strong knowledge of encryption for data at rest and in transit and hands-on key management, HSM, and key-lifecycle experience (including tokenization). Experience with data-access governance, insider-risk, and enterprise data retention. Knowledge of data residency / sovereignty and records management / eDiscovery. Working knowledge of data governance for AI (training-data/RAG controls and prompt/response DLP). Strong understanding of ISO 27001/27701, HIPAA, PII, PCI, and GDPR principles. Ability to translate complex technology issues into language a wide range of audiences can understand. CISSP required; CIPT, CDPSE, or CISM preferred.

    Benefits & Perks

    Welcome to arrivia. We specialize in making brands better through the power of travel. With more than 55 years of combined experience, we're a merger of three powerhouse brands — ICE, SOR Technology, and WMPH Vacations. With offices on both coasts of the US and around the world, we embrace diversity and a passion for travel across our global staff.

    We're focused on building a customer-first culture, fueled by the best travel experiences for all our members at every point in their journey. Grow with us as we continue our path to deliver innovative solutions and take charge of change.

    Our Core Values:

    • Stay Curious — Explore new challenges and make space to learn, grow and improve
    • Keep it Real — Earn trust through open, honest and clear communication
    • Own it — Seek ways to make an impact and take action
    • Win Together — Create a culture of connection and inclusion where everyone can be their best

    Your Application

    Your application starts with a short challenge.

    On this page

    Top of Page
    Description
    QualificationsBenefits & Perks
    Challenges
    Arrivia logoAbout Arrivia

    Founded in 1997 and rebranded in 2020 to reflect several acquisitions and phenomenal growth as a travel technology provider for companies wishing to reimagine their loyalty and rewards programs. Arrivia is now the world's largest stand-alone travel loyalty provider.