The SAP Security & Platform Security Engineer is an experienced SAP and Workday security professional with deep expertise in SAP GRC, Workday security configuration, Emergency Access/Firefighter processes, and cross-application Segregation of Duties and privileged access controls. This role is responsible for architecting secure integrations for SAP’s Joule AI capabilities and promoting Responsible AI and privacy-by-design principles. The engineer partners closely with IT, HRIS, Audit, Compliance, and business stakeholders to align SAP and Workday security with the enterprise Privileged Access Management (PAM) program, ensuring secure, compliant, and efficient access across the organization.

Essential Duties and Responsibilities
Lead the redesign and governance of SAP Emergency Access Management (Firefighter), including policy development, workflow design, automated logging and auditing, and stakeholder training.
Architect secure end-to-end SAP security for Business AI/Joule, integrating IAS/IPS, SCIM/IPS provisioning, Global User ID strategy, OIDC authentication, and user-bound principal propagation.
Implement core AI security controls aligned with Responsible AI principles, including authentication, authorization, encryption, masking, content filtering, and RAG processes.
Establish a unified cross-application Segregation of Duties (SoD) framework across SAP, Workday, and other enterprise systems, defining risks, rulesets, and mitigating controls.
Lead SoD and access risk remediation efforts by refining user access, adjusting roles, and coordinating with audit and compliance teams to meet SOX, GDPR, and regulatory requirements.
Integrate SAP and Workday privileged access requirements into the enterprise PAM framework and define standardized workflows for request, approval, usage, and revocation of elevated access.
Lead Workday security architecture, including security groups, domain policies, role hierarchies, permission models, and consistent least-privilege design.
Oversee enterprise access governance, including periodic access reviews, JML processes, and certification cycles to prevent entitlement creep.
Act as the primary liaison across IT Security, HRIS, Audit, Compliance, and business stakeholders to ensure alignment of SAP and Workday security with PAM, SoD, and enterprise IAM strategies.
Conduct audits, risk assessments, and remediation planning while delivering clear reporting, training, and communication to stakeholders.

Outcomes
A modern, policy-driven SAP Emergency Access program that ensures controlled, traceable, and audit-ready emergency access while reducing misuse and backlog.
Secure, identity-consistent AI enablement for Joule, ensuring AI actions operate strictly within user-authorized privileges and comply with Responsible AI requirements.
A unified SoD framework that provides enterprise-wide visibility into access risks, minimizes cross-process conflicts, and improves audit readiness.
Reduced privileged access risk through standardized PAM workflows, centralized oversight, and integrated logging across SAP and Workday.
A resilient Workday security architecture with well-structured roles, controlled permissions, and documentation aligned with audit and compliance expectations.
A strengthened compliance posture with faster remediation, fewer audit findings, and alignment with SOX, GDPR, and enterprise security standards.
Improved lifecycle access governance that prevents entitlement creep and ensures least-privilege access across all business areas.
More effective cross-functional collaboration, resulting in consistent controls, clear ownership, and greater confidence from leadership and audit stakeholders.

Job Type
Full-time
Career Level
Mid Level