Information Security Consultant - SaaS Security

About The Position

Requirements

• Bachelor’s degree in Information Security, Computer Science, Risk Management, or a related field (or equivalent professional experience).
• 5+ years of experience in Information Security, Cloud Security, SaaS Security, or Cyber Risk Management roles (this can be a combination of academic, research-based, or professional environment).

Nice To Haves

• 8+ years of experience in Information Security, SaaS Security, Cloud Security, GRC, or Cyber Risk Management within a large or complex organization.
• Deep expertise in SaaS security governance models, including defining security baselines, standards, and risk tiering in federated environments.
• Proven experience operating as a security consultant or advisor, influencing decisions across business, IT, legal, privacy, and compliance stakeholders without direct authority.
• Strong understanding of enterprise SaaS ecosystems, including common platforms (e.g., M365, Salesforce, ServiceNow, Workday, Atlassian) and typical risk patterns in their usage and integrations.
• Advanced knowledge of identity and access governance for SaaS, including role design, entitlement risk, least‑privilege models, and lifecycle access considerations (advisory focus only).
• Demonstrated ability to translate regulatory and privacy requirements (e.g., GDPR, CCPA/CPRA, industry regulations) into practical SaaS security guidance and control expectations.
• Experience partnering effectively with Third‑Party Risk teams, consuming vendor onboarding outputs and extending security oversight into post‑onboarding SaaS usage and lifecycle risk.
• Demonstrated experience assessing SaaS security risk and advising on secure usage, configuration expectations, and lifecycle governance.
• Strong working knowledge of SaaS architectures and shared responsibility models, including identity, data protection, logging, and integrations.
• Experience reviewing vendor security documentation (e.g., SOC 2 Type II, ISO 27001, SIG/CAIQ, pen test summaries) and translating findings into risk‑based recommendations.
• Hands‑on experience coordinating security requirements across multiple domain owners (IAM, Cloud, Privacy, Legal, IT, GRC) in a federated operating model.
• Solid understanding of identity and access management concepts relevant to SaaS (SSO, MFA, RBAC, provisioning models), with an advisory not operational focus.
• Knowledge of common security and compliance frameworks, such as NIST CSF/800‑53, ISO 27001/27002, Cloud Security Alliance (CSA) SaaS Security Capability Framework (SSCF), Cloud Controls Matrix (CCM), and SOC 2 Trust Services Criteria.
• Strong written and verbal communication skills, with the ability to document security expectations, risk summaries, and governance decisions clearly for both technical and non‑technical stakeholders.
• Proven ability to influence without authority, balance security risk with business needs, and drive alignment across cross‑functional teams.
• Strong documentation and communication skills, with a track record of producing clear security standards, risk narratives, executive‑ready summaries, and governance artifacts.
• Experience supporting audits and regulatory inquiries, ensuring SaaS security decisions and exceptions are defensible and well‑documented.
• Strong understanding of the Cloud Security Alliance (CSA) SaaS Security Capability Framework (SSCF), Cloud Controls Matrix (CCM), and SaaS-specific guidance.
• Professional security certifications such as CISSP, CISM, CCSP, CRISC, or ISO 27001 Lead Implementer/Auditor (preferred).
• Familiarity with SaaS security tooling (SSPM, CASB, GRC platforms) from a requirements definition, oversight, or reporting perspective, not tool administration.
• Ability to balance security rigor with business enablement, enabling SaaS adoption while maintaining risk transparency and control consistency.

Responsibilities

• Provide security advisory and risk analysis for SaaS usage within the enterprise, focusing on how SaaS applications are configured, accessed, and used post‑onboarding.
• Coordinate with cyber domain owners (Third-Party Security, IAM, Data Protection, Cloud, Privacy, IT Operations, SOC, etc.) to collaboratively define, document, and maintain SaaS security baselines and minimum control expectations.
• Partner with the Third‑Party Onboarding team by consuming their assessment outputs, and focus on usage‑level, configuration‑level, and lifecycle security considerations beyond initial vendor due diligence.
• Translate enterprise security, privacy, and regulatory requirements into clear SaaS security standards, guidance, and acceptance criteria for application owners.
• Review SaaS architectures, integrations, and data flows to identify security and data protection risks and provide documented recommendations to stakeholders.
• Review, assess, and secure SaaS applications based on security best practices and benchmarks (e.g., CSA, CIS, NIST), including participation in SaaS vendor security reviews.
• Monitor and identify misconfigurations, excessive permissions, or shadow IT SaaS usage using SSPM tools and drive remediation with application owners.
• Coordinate remediation planning and security exception management for SaaS‑related risks, ensuring alignment across business owners and control owners.
• Support ongoing SaaS security assurance activities, including periodic posture reviews, reassessments, and control attestations in collaboration with relevant teams.
• Provide consultative support during SaaS‑related security incidents or changes, including impact assessment and stakeholder coordination.
• Report SaaS security posture, trends, and systemic risks to security leadership and governance forums to support informed decision‑making.

Benefits

• At MassMutual, we focus on ensuring fair equitable pay, by providing competitive salaries, along with incentive and bonus opportunities for all employees.
• Your total compensation package includes either a bonus target or in a sales-focused role a Variable Incentive Compensation component.
• We help people secure their future and protect the ones they love.
• As a company owned by our policyowners, we are defined by mutuality and our vision to put customers first.
• It’s more than our company structure – it’s our way of life.
• We are a company of people protecting people.
• Our company exists because people are willing to share risk and resources, and rely on each other when it counts.
• At MassMutual, we Live Mutual.
• At MassMutual, we focus on ensuring fair, equitable pay by providing competitive salaries, along with incentive and bonus opportunities for all employees.
• Your total compensation package includes either a bonus target or in a sales-focused role a Variable Incentive Compensation component.
• For more information about our extensive benefits offerings please check out our Total Rewards at a Glance.