
Lead Security Engineer

United States

Duetto's platform processes real-time pricing decisions for thousands of hotels, resorts, and casinos worldwide — and this role owns the security posture that makes that possible. As Senior Security Engineer, you'll lead security across cloud infrastructure, engineering, operations, compliance, and customer trust: a broad, high-autonomy mandate that spans AWS architecture, SOC 2 and ISO 27001 readiness, vulnerability management, incident response, and the enterprise security reviews that help close deals. If you're a hands-on security engineer who can operate at the technical depth of a cloud security specialist and communicate at the level of an executive or enterprise customer, this is the role.

What Makes Us Different?

Duetto is the hospitality industry's leading revenue management platform, founded in 2012 by former Wynn Resorts executives who knew the industry needed better technology. We built the world's first Revenue & Profit Operating System — a suite of tools (GameChanger, ScoreBoard, BlockBuster, Advance and more) that goes beyond room pricing to give hotels, resorts and casinos a complete picture of their revenue and profitability. Trusted by clients ranging from independent boutique hotels to global chains, we've been named the #1 Revenue Management Software by HotelTechAwards four years running and the #1 Best Place to Work in Hotel Tech in 2025. Backed by GrowthCurve Capital since 2024, we're accelerating our investment in AI — and we're genuinely passionate about the industry we serve. We build products we're proud of, for customers we care about.

What You'll Be Doing

  • You'll own Duetto's overall security posture across cloud, product, infrastructure, IT, compliance, and customer assurance — leading cloud security across AWS (IAM, logging, network security, encryption, Kubernetes and container security, backup posture, and configuration risk) and partnering with Engineering and DevOps to embed security into the SDLC, CI/CD pipelines, and production operations.
  • You'll lead vulnerability management end-to-end — owning Snyk Pro and Lacework (or equivalents) for code, dependency, and cloud security operations, including alert triage, posture management, prioritisation, remediation tracking, and reporting across infrastructure, application, cloud, containers, and endpoints.
  • You'll serve as the primary security incident leader for major incidents, investigations, escalations, root cause analysis, and executive reporting — and lead IR tabletop exercises, DR tabletop exercises, backup testing coordination, and BCP security reviews.
  • You'll own SOC 2 Type 2 readiness, ISO 27001 readiness, ISO 42001 AI governance alignment, and NIST CSF maturity tracking — maintaining the security risk register, risk treatment plans, security roadmap, and security debt backlog.
  • You'll partner with Legal and Privacy on DPA, DTIA, DPF, GDPR, SCCs, and subprocessor management, and own customer-facing security assurance including strategic RFPs, security questionnaires, enterprise security reviews, Trust page content, and sales support calls.
  • You'll provide security guidance to IT on MDM, endpoint security, AV/EDR coverage, access reviews, and SaaS security controls — and report security posture, risks, incidents, remediation status, and audit readiness to executive leadership.

What We're Looking For

You may be a good fit if you have:

  • 8+ years of experience in security, cloud security, DevSecOps, security engineering, infrastructure security, or security operations
  • Strong hands-on knowledge of AWS — you can review cloud architecture and identify risk, not just read about it
  • Experience securing DevOps environments, CI/CD pipelines, Kubernetes and container environments, cloud IAM, logging, secrets management, and infrastructure-as-code
  • Experience with SOC 2 Type 2 audits and a working familiarity with ISO 27001, NIST CSF, and GDPR security requirements
  • Experience with vulnerability management, penetration testing programmes, and incident response
  • The ability to translate technical risks into business-level priorities and communicate clearly with Engineering, Legal, Sales, auditors, customers, and executives

Strong candidates may also have:

  • Hands-on experience with Snyk, Lacework, Vanta, MDM platforms, endpoint protection, and cloud posture tools
  • Prior ownership of SOC 2 Type 2 audit readiness end-to-end
  • ISO 27001 implementation or certification support experience
  • Experience supporting enterprise SaaS security reviews and customer trust programmes
  • Familiarity with ISO 42001 or AI governance frameworks

Why Duetto?

  • Full ownership of a consequential security programme. This isn't a supporting role in a large security team — you'll own the posture, the compliance roadmap, the incident response, and the customer trust programme. The scope is real and so is the impact.
  • AI is how we work. Duetto is an AI-first engineering organisation, which makes AI governance and ISO 42001 alignment genuinely relevant here — you'll be working at the frontier of how security intersects with AI-augmented software development.
  • Technical depth meets commercial exposure. You'll be reviewing cloud architecture with Engineering one day and supporting an enterprise security review with a global hotel brand the next — the breadth keeps the work interesting.
  • A platform that demands real security. Millions of pricing decisions processed daily, 80+ integration partners, global enterprise customers — the stakes are high enough to make the work matter.

The Details

  • Location: Remote (US/Canada)
  • Department: Engineering / Security

Duetto is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. All qualified applicants will receive consideration for employment without regard to race, colour, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, or any other characteristic protected by applicable law.

Sound like you?

You don't need every item on this list. If you're a hands-on security engineer with strong AWS and DevSecOps chops, compliance programme experience, and the communication skills to operate across Engineering, Legal, and enterprise customers — we'd love to hear from you.

 

 
