Position Overview

Job Details

Key Responsibilities

• Engineer and maintain preventive and detective controls across endpoints, servers, network, identity, and cloud services (Azure/AWS).
• Lead configuration hardening initiatives using industry benchmarks (e.g., CIS) and establish secure configuration baselines for common platforms (Windows, Linux, network devices, cloud services).
• Design compensating controls for vulnerabilities that cannot be remediated through patching (e.g., configuration changes, isolation, access controls, WAF rules, EDR policy tuning, segmentation).
• Own the technical control lifecycle: control requirements → design → implementation → testing/validation → monitoring → continuous improvement.
• Develop and maintain control-as-code and automation (PowerShell/Python/Terraform/CI-CD) to deploy and enforce configurations consistently.
• Implement configuration compliance monitoring, drift detection, and remediation workflows; integrate with ticketing/ITSM for exception handling.
• Partner with Vulnerability Management to translate findings into durable mitigations (hardening, compensating controls, secure defaults) and reduce recurring exposure.
• Collaborate with SOC/IR to improve detections and containment policies aligned to threats and incidents; tune controls based on lessons learned.
• Produce audit-ready evidence: control narratives, diagrams, test results, screenshots/exports, and KPI dashboards.
• Maintain standards, procedures, and runbooks for control engineering; mentor junior engineers and provide technical leadership to cross-functional teams.

Typical Deliverables

• Secure configuration baselines and reference architectures for key platforms.
• Benchmark compliance reporting (coverage, drift, exceptions) with remediation plans.
• Compensating control designs and validation artifacts for non-patchable risk.
• Automation modules/scripts (policy-as-code) to deploy or enforce controls at scale.
• Control test plans, operational metrics, and audit evidence packages.

Required Qualifications

• 7+ years in security engineering, systems engineering, or infrastructure engineering with a strong focus on security controls and hardening.
• Hands-on expertise with Windows and Linux hardening, identity controls, and endpoint security control configuration.
• Experience implementing benchmark-based configuration standards (e.g., CIS) and managing exceptions/risk acceptances.
• Strong understanding of networking fundamentals (segmentation, firewalls, proxies, routing) and how to apply compensating controls.
• Cloud security controls experience in Azure and/or AWS (IAM, network controls, logging, security services).
• Proficiency in scripting/automation (PowerShell and/or Python); familiarity with infrastructure as code (e.g., Terraform) preferred.
• Ability to translate risk into technical control requirements and document controls for audit and compliance purposes.
• Excellent written and verbal communication; ability to work across infrastructure, application, and governance teams.

Preferred Qualifications

• Experience with configuration management and compliance platforms (e.g., Intune, Group Policy, SCCM/MECM, Ansible, Chef, Puppet).
• Experience with vulnerability scanning and exposure management tools (e.g., Tenable, Qualys, Rapid7) and mitigation engineering workflows.
• Experience tuning EDR policies and implementing detection/response guardrails (e.g., Microsoft Defender for Endpoint, SentinelOne, CrowdStrike).
• Experience with SIEM/SOAR integration for control telemetry and automated response.
• Security certifications (one or more): CISSP, GIAC (GSEC/GCED/GCIA), CCSP, AZ-500, AWS Security Specialty, or equivalent.
• Prior work in regulated industries (financial services, healthcare) with control evidence expectations (SOC 2, PCI DSS, GLBA).

Core Competencies

• Control engineering mindset: designs controls that are measurable, testable, and durable.
• Risk-based prioritization: focuses effort where likelihood and impact are highest.
• Systems thinking: understands dependencies and minimizes operational disruption.
• Automation-first: reduces manual work by codifying and scaling controls.
• Stakeholder partnership: collaborates with IT and product teams to drive adoption.

Success Measures (KPIs)

• Reduction in recurring high/critical findings attributable to configuration or control gaps.
• Benchmark compliance coverage (%) and drift rate over time across in-scope assets.
• Mean time to mitigate (MTTM) for non-patchable vulnerabilities using compensating controls.
• Control effectiveness test pass rate and audit evidence readiness (time to produce evidence).
• Automation impact: number of controls deployed/enforced via code and reduction in manual effort.

Working Conditions