Cloud Security Manager

Job Description

At Boeing, we innovate and collaborate to make the world a better place. We're committed to fostering an environment for every teammate that's welcoming, respectful and inclusive, with great opportunity for professional growth. Find your future with us.

The Boeing Company is looking for a Cloud Security Manager to join the team in Seattle, WA;
North Charleston, SC;
Chicago, IL;
El Segundo, CA;
Mesa, AZ;
San Diego, CA;
Berkeley, MO;
Hazelwood, MO.

The Cloud Security & Policy-as-Code Manager will lead the team that translates security and regulatory requirements into automated, enforceable cloud and Kubernetes guardrails. You will own policy lifecycle, admission control, continuous compliance automation, and security posture reporting across multi-cloud environments. This role combines people leadership, cross-functional influence, and hands‑on technical work to build scalable, auditable controls that enable rapid, compliant delivery.

Position Responsibilities:

* Lead and grow the Policy-as-Code team responsible for security and compliance controls across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP)

* Define and operate a unified guardrail framework that enforces both security and compliance requirements (policy-as-code, admission controllers, Terraform guardrails)

* Own the policy lifecycle: authoring, testing, versioning, staged rollout, monitoring, and deprecation of automated policies

* Build continuous compliance automation: evidence collection, attestations, audit reporting, and remediation workflows that reduce manual audit effort

* Integrate policy enforcement into Continuous Integration (CI)/Continuous Delivery (CD), Infrastructure as Code (IaC) pipelines, Developer Experience (Dev Ex) workflows, and account provisioning operated by Foundations

* Establish operability criteria for policy enforcement (performance, false-positive tolerance, rollback procedures) and require operability signoff prior to production enforcement

* Drive cross-team collaboration with Cloud Foundations, Platform Acceleration, Dev Ex, Runtime Site Reliability Engineer (SRE), Legal & Compliance, and Enterprise Security to ensure policies are accurate, testable, and adoptable

* Respond to high-severity security or compliance incidents affecting the platform; lead technical remediation and convert findings into durable policy or platform changes

* Track and report security and compliance Key Performance Indicators (KPIs); use telemetry to prioritize policy coverage and reduce risk

* Contribute hands-on to critical policy implementations, admission controller integrations, or automation scripts as needed

Basic Qualifications (Required Skills/Experience):

* 5+ years of experience in cloud security, platform security engineering, and/or cloud engineering

* 5+ years of experience implementing policy-as-code and admission control for cloud and Kubernetes (e.g., Azure Policy, AWS Configuration, GCP Organization Policy, Open Policy Agent (OPA)/Gatekeeper, Coverity)

* 3+ years of experience in leadership and/or team lead capacity

* 3+ years of experience with cloud provider security primitives and compliance controls across Azure, AWS, and GCP (identity, encryption, networking, logging)

* 3+ years of experience automating security and compliance controls in IaC and CI/CD pipelines (Terraform policy checks, pre-commit scanning, pipeline gates)

* Experience producing automated audit evidence and supporting compliance frameworks (National Institute of Standard Technology (NIST), Federal Risk and Authorization management Program (FedRAMP), Service Organization Control 2 (SOC2), or equivalent)

* Ability and willingness to perform hands-on technical work (policy modules, admission controllers, automation) alongside managerial duties

Preferred Qualifications (Desired Skills/Experience):

* Experience with excellent stakeholder management and communication skills

* Experience influencing architecture, platform, and development teams

* Experienced in feeding policy and telemetry into security event/correlation platforms and building automated incident response and orchestration workflows, including tying policy…