Principal Cybersecurity Cloud Engineer

About The Position

Requirements

• Bachelor’s degree in Computer Science, Engineering, or related field (or equivalent experience).
• 10+ years in security engineering/architecture with significant cloud security experience (SaaS or technology companies preferred).
• Deep, hands-on expertise with:
• CNAPP (Wiz or equivalent) deployment at scale, policy design, tuning, automation; and Microsoft Defender for Cloud (policies, plans, recommendations, regulatory compliance, alerting).
• DevSecOps / CI/CD: integrating security tests and gates in GitHub Actions (or similar), artifact/image scanning, and automated compliance evidence; securing pipeline identities, secrets, and supply chain integrity.
• Infrastructure as Code (IaC): production-grade Terraform Enterprise/Terraform Cloud (modules, registries, workspaces), plan-time checks, and drift control.
• Policy engineering: designing and implementing cloud security policies (Azure Policy initiatives; OPA/Sentinel policy-as-code) and mapping to frameworks (NIST, CIS).
• Azure security (Entra ID/AAD, RBAC, networking, Key Vault, monitoring).
• Multi-cloud, hands-on experience with Azure and AWS services.
• Container and Kubernetes security: cluster hardening, workload identity/RBAC, network policies, admission controls, image signing/verification, runtime protection, and container registries (ACR/ECR, JFrog Artifactory).
• Security automation: scripting (e.g., Python/PowerShell) to build guardrails, detections, and tooling.
• Experience establishing and reporting KRIs/KPIs and improving cloud security posture at scale using data-driven metrics (e.g., NIST, CIS, STIG).
• Experience delivering cloud implementations in regulated environments, including U.S. Government / U.S. Public Sector requirements (FedRAMP, NIST SP 800-53) and Canadian Government / Public Sector requirements (PBMM, GC Cloud Guardrails, ITSG-33 or equivalent) — including control mapping, automation, and continuous monitoring.
• Excellent stakeholder skills—operate as a trusted advisor to product, platform, compliance, and executive teams.
• Self-starter who can work independently, communicate clearly, and drive cross-functional outcomes with a bias for automation and measurable posture improvement.
• Proven track record operating as a Cloud Security Architect across CNAPP, Wiz, Terraform, and CI/CD pipeline architectures—defining cloud policies, integrating cloud-native and CNAPP controls, and leveraging their control frameworks for continuous compliance.
• Hands-on experience securing Kubernetes (AKS) using Wiz Sensor tooling (deployment, operations, and integration with detection and remediation workflows).

Nice To Haves

• Microsoft AZ-500, SC-100, SC-200 certifications strongly preferred.
• One of the security certifications, such as CISSP or CCSP.
• DevOps experience with infrastructure, cloud, and application pipelines.
• Hands-on experience with container and image scanning; SAST, DAST; and penetration testing tools.
• Knowledge of large language models (LLMs) and hands-on experience designing and building generative-AI–powered agents.
• Experience with Python, Java, .NET, C#, Rego, and YAML.

Responsibilities

• Lead CNAPP implementation: Plan and execute end-to-end rollout of Wiz (and related CNAPP tooling) across Azure (and select AWS), including policy design, tuning, and alert-to-action workflows.
• Harden clouds at scale: Design and enforce guardrails (Azure Policy, Defender for Cloud plans, identity controls, network segmentation, logging/monitoring) and extend patterns to AWS where applicable.
• DevSecOps & IaC governance: Embed security into CI/CD and Terraform workflows (pre-merge checks, plan/policy gates, artifact signing, SBOMs/attestations) and establish reusable modules and policy-as-code patterns to prevent misconfigurations before deploying; enforce baselines at plan time.
• Compliance engineering: Translate FedRAMP, CIS, and other frameworks into technical controls, automated evidence, continuous monitoring, and remediation playbooks.
• Cloud security architecture & blueprint: Own and evolve the cloud security reference architecture (standardized landing zones, identity and access patterns, network segmentation, encryption standards, logging/monitoring baselines, and guardrails) for Azure (primary) and AWS (in scope); advise product and platform teams on secure designs, lead design reviews, and mentor engineers.
• Incident & posture improvement: Partner with SecOps and AppSec teams to triage findings, evaluate risks, recommend remediation steps, and drive measurable improvements across vulnerabilities, identities, data, and workloads.
• Executive advisory: Communicate risk, trade-offs, and roadmaps to senior leadership; influence prioritization through clear metrics and business outcomes.
• Build automated guardrails and drift detection/auto-remediation using Terraform (and/or Bicep/ARM where applicable), integrating controls into CI/CD to consistently enforce secure defaults.
• Kubernetes/AKS security: Partner with platform teams to harden AKS (RBAC, network policies, workload identity), implement admission controls, and operationalize Wiz Sensors and CNAPP findings into engineering workflows and secure runtime baselines.

Benefits

• We offer excellent time away from work programs, comprehensive wellness initiatives and recognition through competitive pay and benefits.
• With a commitment to community impact, including volunteer days and our charity, Dayforce Cares we provide opportunities for you to thrive both in your career and personal life.