Resume required: Yes
Posted date: 2026-07-17
Street Address: 191 Rosa Parks St Suite 800 Cincinnati, OH 45202 United States of America
Full job description:
The Data Protection & Security Engineer will serve as the primary owner of First Student's data protection capability while also providing hands-on security engineering support across cloud, infrastructure, and application security domains. This is a practitioner role. The position partners with IT, I&O, and Legal teams to design and operate security controls that protect student, employee, and operational data across cloud and on-premises environments. The role defines what must be protected and how, coordinates with I&O and Data teams to ensure controls are implemented correctly, and builds validation and reporting of outcomes.
This role is a direct replacement for a departing senior team member who owned both data protection and security engineering. Candidates must be comfortable holding both domains simultaneously and ramping quickly into an active program.
The Data Protection & Security Engineer will serve as the primary owner of First Student's data protection capability while also providing hands-on security engineering support across cloud, infrastructure, and application security domains. This is a practitioner role. The position partners with IT, I&O, and Legal teams to design and operate security controls that protect student, employee, and operational data across cloud and on-premises environments. The role defines what must be protected and how, coordinates with I&O and Data teams to ensure controls are implemented correctly, and builds validation and reporting of outcomes.
This role is a direct replacement for a departing senior team member who owned both data protection and security engineering. Candidates must be comfortable holding both domains simultaneously and ramping quickly into an active program.
Responsibilities:
Identify and assess:
Own enterprise data protection risk assessments, classification standards, and control effectiveness evaluations. Identify data exposure risk across cloud, SaaS, and on-premises environments. Contribute to vulnerability assessments and architecture reviews within the Cybersecurity function.
Securely build & protect:
Design and define data protection control requirements and standards for DLP, encryption, key management, and data governance across cloud and on-premises environments. Work with I&O and Data teams to ensure controls are implemented to Cybersecurity specifications; validate implementation outcomes. Provide security engineering expertise across cloud infrastructure and endpoint security domains.
Monitor, hunt, detect:
Monitor for data misuse, exfiltration, and policy violations. Integrate DLP detection capabilities with SOC workflows. Support SIEM log source expansion and alert quality improvements in coordination with the Security Operations function.
Respond, recover, sustain:
Lead Cybersecurity response activities for data exposure incidents, including investigation direction, containment guidance to I&O, remediation oversight, and lessons learned.
Govern, manage, comply, & manage risk:
Develop and maintain data protection policies aligned with FERPA, CCPA, Canadian provincial privacy laws, and enterprise risk objectives. Own the data classification framework and drive operationalization across key data stores and workflows. Contribute to management reporting, risk acceptance documentation, and work tracking.
Lead and coordinate:
Provide technical oversight of cybersecurity analysts. Review work product and deliverables for quality, accuracy, and alignment with standards. Serve as a technical escalation point within the team for data protection and cybersecurity questions.
Desired qualifications:
Education and certifications:
Bachelor's degree in Computer Science, Information Systems, or equivalent experience.
7+ years of cybersecurity experience with at least 4 years in data protection, cloud security, or cybersecurity engineering.
Industry certifications such as SANS/GIAC (for example, GDSA, GDAT, or equivalent), CISSP, CISM preferred.
Knowledge & experience:
Hands-on experience configuring and operating DLP platforms (M365 Purview strongly preferred; CrowdStrike Falcon Data Protection preferred; equivalent experience acceptable).
Experience implementing data classification frameworks in enterprise environments with regulated data (FERPA, COPPA, CCPA, or Canadian privacy law familiarity preferred).
Strong understanding of AWS security services and cloud-native data protection controls (S3 bucket policies, KMS, Macie, CloudTrail).
Security engineering experience: familiarity with SIEM log sources, endpoint security platforms (CrowdStrike Falcon preferred), and vulnerability management tooling (Rapid7 preferred).
Proficiency with Python or PowerShell for automation, reporting, and control validation.
Familiarity with NIST CSF, CIS Controls, and how to translate regulatory requirements into technical controls.
Experience working across organizational boundaries, such as defining requirements for teams that own implementation and validating outcomes without direct execution authority.
Prior experience providing technical oversight or mentorship to others.
Personal attributes:
Operates independently and takes clear ownership of outcomes. Comfortable defining requirements and holding other teams accountable for implementation without direct control over execution.
Comfortable holding multiple technical domains simultaneously (data protection and security engineering) and prioritizing across them without daily direction.
Effective at working across organizational boundaries by communicating requirements clearly, escalating when standards are not met, and building productive working relationships.
Strong communication skills; able to translate technical data risk into terms meaningful to Legal, and management and executive stakeholders.
High integrity and ownership mindset. Proactive approach to risk reduction.
Additional Information
Occasional off-hour or weekend work may be required, including participation in on-call rotation for cybersecurity incidents.
Minimal business travel expected.
Remote or Hybrid (Cincinnati, OH HQ) opportunities available.
First for a reason:
At First Student, we are a family of 60,000+ employees who take pride in safely transporting more than 5 million students and passengers to and from their destinations each day! Our family of brands include Transco, Total Transportation, Maggies Paratransit, and GVC II. Our employees are at the forefront of safety and innovation; they create and implement the most advanced training and technology the transportation industry has to offer.
In the state of Washington, all technician and driving positions, including but not limited to van drivers and any other position requiring employees to drive a company-owned vehicle, are considered safety-sensitive and are therefore subject to drug and alcohol testing, including cannabis.
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status. First is also committed to providing a drug-free workplace. First will consider for employment qualified applicants with criminal histories consistent with the requirements of the San Francisco Fair Chance Ordinance, Los Angeles Fair Chance Ordinance, and any other fair chance law. Philadelphia's Fair Criminal Record Screening Standards Ordinance Poster is at this link or upon request https://www.phila.gov/media/20210423160847/Fair-Chance-Hiring-law-poster.pdf.
Job reference: JR15770