Lead Security Architect – Cloud Data & AI Platforms

Carpenter Technology Corporation
Philadelphia, PA
Remote

About The Position

Carpenter Technology is seeking an experienced Security Architect to lead the security strategy and implementation for our next-generation cloud data & AI platforms. This full-time leadership role holds long-term responsibility for securing a unified analytics environment (built primarily on Microsoft Azure and related services) that will host highly sensitive and regulated data (including ITAR-controlled information). The role requires a visionary leader who can define multi-year security roadmaps and promote a security-first culture, as well as a hands-on expert capable of designing and deploying robust security controls. Operating with influence across both the enterprise cybersecurity team and the data/AI platform team, the Lead Architect will ensure security is embedded by design without stifling innovation, enabling Carpenter to deliver data-driven and AI solutions safely and in compliance with all requirements.

Requirements

  • Bachelor’s degree in Computer Science, Information Security, or a related field (or equivalent experience).
  • 10+ years of combined experience in information security and/or cloud architecture, including 5+ years of leadership in securing cloud data platforms or enterprise analytics solutions.
  • Track record of successfully delivering security for large-scale data or AI platforms in a modern cloud environment.
  • Strong expertise in cloud security technologies and best practices.
  • Hands-on experience with public cloud services (e.g., Azure, AWS, or GCP), with deep knowledge of securing cloud data services (data lakes, warehouses, streaming, etc.).
  • Demonstrated skills in key security domains: Identity & Access Management (roles, SSO/MFA, identity governance), Network Security (VPC/VNet design, firewalls, VPN/ExpressRoute, zero-trust network access), Cryptography (data encryption strategies, key management systems (KMS), PKI), Data Protection & DLP (implementing classification, DLP tools/policies, data masking), Monitoring & DevSecOps (cloud logging/telemetry, SIEM integration, incident management, and automating security controls via code (e.g., Terraform, Azure Policy, CI/CD security checks)).
  • Experience securing sensitive and regulated data in a cloud environment.
  • Knowledge of regulatory frameworks (such as ITAR, HIPAA, GDPR, or similar) and experience implementing controls to comply with them.
  • Capable of translating regulatory and risk requirements into actionable technical solutions (e.g., enforcing geo-restrictions, user screening, encryption, and auditing to meet compliance).

Nice To Haves

  • Master’s degree or MBA a plus.
  • Professional certifications such as CISSP, CISM, CCSP, or relevant cloud security certifications (e.g., Azure Security Engineer, AWS Security) strongly preferred, demonstrating a commitment to ongoing professional development.
  • Familiarity with modern analytics platforms (for instance, Azure Synapse, Microsoft Fabric, Databricks, or similar) and their security models is highly desirable.

Responsibilities

  • Own the security architecture and roadmap for Carpenter’s cloud-based data analytics and AI platform.
  • Develop and maintain secure design patterns that cover data ingestion, storage, processing, and AI model deployment, ensuring controls are built-in across all components.
  • Apply Zero Trust principles in every layer (identity, network, data access, applications) to minimize risk and attack surface.
  • Work with leadership to align security investments with business strategy and risk appetite.
  • Implement robust identity and access controls across the platform.
  • Leverage enterprise identity services (e.g., Azure AD) to enforce single sign-on, multi-factor authentication, and conditional access policies.
  • Define role-based access control (RBAC) models for data and analytics services, ensuring users and service accounts have least-privilege access.
  • Establish governance for workspace permissions, data access roles, and secrets management (e.g., keys, credentials) using appropriate tools.
  • Safeguard data in transit and at rest through encryption and strong key management.
  • Ensure all sensitive data (including ITAR-regulated content) is encrypted end-to-end with appropriate customer-managed keys and meets required cryptographic standards.
  • Implement data masking, anonymization, and tokenization techniques where needed.
  • Coordinate with data governance teams to define data classification and handling rules, and enforce them through technical controls.
  • Design the network security architecture for the data platform in collaboration with infrastructure teams.
  • Implement secure network segmentation and firewall policies that limit exposure and lateral movement (e.g., using private endpoints, VPC/VNet isolation).
  • Ensure any hybrid connectivity or data pipelines connecting on-premises systems to the cloud are protected via encrypted channels and strict firewall rules.
  • Continually evaluate and harden underlying cloud infrastructure components, aligning with best practices and reference frameworks (NIST, CIS benchmarks, etc.).
  • Ensure the platform complies with internal policies and external regulations.
  • Implement governance controls to meet standards such as ITAR, CMMC/NIST 800-171, and SOC/ISO 27001 as applicable.
  • Define and monitor adherence to infrastructure and data security baselines across dev, test, and production environments.
  • Work closely with risk management to assess and mitigate any platform-related risks that could impact operational continuity, data privacy, or regulatory compliance.
  • Document security controls and provide evidence for audits and assessments as needed.
  • Integrate data governance tools (e.g., data catalog, lineage, DLP systems) with the platform to enable sensitivity labeling, data lineage tracking, and policy enforcement for data usage.
  • Establish continuous monitoring and auditing of user activities, data access events, and configuration changes in the platform.
  • Aggregate logs and telemetry into the corporate SIEM for advanced threat detection and maintain detailed audit trails for forensics and compliance verification.
  • Develop security and trust frameworks for AI services and agents running on the platform.
  • Ensure AI/ML solutions respect data access controls and do not expose sensitive information.
  • Define Responsible AI policies and implement guardrails around AI model usage (e.g., ensuring proper training data governance, limitations on autonomous actions, and bias/ethics reviews).
  • Collaborate with data science teams to integrate security in the AI model lifecycle, from development to deployment (e.g., secure model endpoints, API protections).
  • Institute robust incident detection and response processes for the data & AI platform.
  • Work with the Cybersecurity Operations Center (SOC) to tailor alerting for this environment and ensure runbooks cover cloud/data-specific incident scenarios.
  • Lead or support incident handling for any security events on the platform, including triage, containment, root-cause analysis, and recovery.
  • Use insights from incidents and near-misses to strengthen the platform’s security posture (continuous improvement).
  • Serve as the bridge between cybersecurity and data/AI teams, effectively reporting into both and aligning their objectives.
  • Champion a culture of security-by-design and infrastructure-as-code, advising engineers and data professionals on integrating security into their workflows (automation of controls, DevSecOps practices).
  • Provide thought leadership by tracking emerging threats and cloud capabilities, and proactively adjusting strategies to address them.
  • Influence peers and executives through clear communication of security risks, wins, and needs, building consensus for key security initiatives.

Benefits

  • life insurance
  • medical insurance
  • dental insurance
  • vision insurance
  • flexible spending accounts
  • disability coverage
  • 401k with company contributions
© 2026 Teal Labs, Inc