Principal Cybersecurity Cloud Engineer

About The Position

Requirements

• Bachelor’s degree in Computer Science, Engineering, or related field (or equivalent experience).
• 10+ years in security engineering/architecture with significant cloud security experience (SaaS or technology companies preferred).
• Deep, hands-on expertise with:
• CNAPP (Wiz or equivalent) deployment at scale, policy design, tuning, automation; and Microsoft Defender for Cloud (policies, plans, recommendations, regulatory compliance, alerting).
• DevSecOps / CI/CD: integrating security tests and gates in GitHub Actions (or similar), artifact/image scanning, and automated compliance evidence; securing pipeline identities, secrets, and supply chain integrity.
• Infrastructure as Code (IaC): production-grade Terraform Enterprise/Terraform Cloud (modules, registries, workspaces), plan-time checks, and drift control.
• Policy engineering: designing and implementing cloud security policies (Azure Policy initiatives; OPA/Sentinel policy-as-code) and mapping to frameworks (NIST, CIS).
• Azure security (Entra ID/AAD, RBAC, networking, Key Vault, monitoring).
• Multi-cloud, hands-on experience with Azure and AWS services.
• Container and Kubernetes security: cluster hardening, workload identity/RBAC, network policies, admission controls, image signing/verification, runtime protection, and container registries (ACR/ECR, JFrog Artifactory).
• Security automation: scripting (e.g., Python/PowerShell) to build guardrails, detections, and tooling.
• Experience establishing and reporting KRIs/KPIs and improving cloud security posture at scale using data-driven metrics (e.g., NIST, CIS, STIG).
• Experience delivering cloud implementations in regulated environments, including U.S. Government / U.S. Public Sector requirements (FedRAMP, NIST SP 800-53) and Canadian Government / Public Sector requirements (PBMM, GC Cloud Guardrails, ITSG-33 or equivalent) — including control mapping, automation, and continuous monitoring.
• Excellent stakeholder skills—operate as a trusted advisor to product, platform, compliance, and executive teams.
• Self-starter who can work independently, communicate clearly, and drive cross-functional outcomes with a bias for automation and measurable posture improvement.
• Proven track record operating as a Cloud Security Architect across CNAPP, Wiz, Terraform, and CI/CD pipeline architectures—defining cloud policies, integrating cloud-native and CNAPP controls, and leveraging their control frameworks for continuous compliance.
• Hands-on experience securing Kubernetes (AKS) using Wiz Sensor tooling (deployment, operations, and integration with detection and remediation workflows).

Nice To Haves

• Microsoft AZ-500, SC-100, SC-200 certifications strongly preferred.
• One of the security certifications, such as CISSP or CCSP.
• DevOps experience with infrastructure, cloud, and application pipelines.
• Hands-on experience with container and image scanning; SAST, DAST; and penetration testing tools.
• Knowledge of large language models (LLMs) and hands-on experience designing and building generative-AI–powered agents.
• Experience with Python, Java, .NET, C#, Rego, and YAML.

Responsibilities

• Lead CNAPP implementation: Plan and execute end-to-end rollout of Wiz (and related CNAPP tooling) across Azure (and select AWS), including policy design, tuning, and alert-to-action workflows.
• Harden clouds at scale: Design and enforce guardrails (Azure Policy, Defender for Cloud plans, identity controls, network segmentation, logging/monitoring) and extend patterns to AWS where applicable.
• DevSecOps & IaC governance: Embed security into CI/CD and Terraform workflows (pre-merge checks, plan/policy gates, artifact signing, SBOMs/attestations) and establish reusable modules and policy-as-code patterns to prevent misconfigurations before deploying; enforce baselines at plan time.
• Compliance engineering: Translate FedRAMP, CIS, and other frameworks into technical controls, automated evidence, continuous monitoring, and remediation playbooks.
• Cloud security architecture & blueprint: Own and evolve the cloud security reference architecture (standardized landing zones, identity and access patterns, network segmentation, encryption standards, logging/monitoring baselines, and guardrails) for Azure (primary) and AWS (in scope); advise product and platform teams on secure designs, lead design reviews, and mentor engineers.
• Incident & posture improvement: Partner with SecOps and AppSec teams to triage findings, evaluate risks, recommend remediation steps, and drive measurable improvements across vulnerabilities, identities, data, and workloads.
• Executive advisory: Communicate risk, trade-offs, and roadmaps to senior leadership; influence prioritization through clear metrics and business outcomes.
• Build automated guardrails and drift detection/auto-remediation using Terraform (and/or Bicep/ARM where applicable), integrating controls into CI/CD to consistently enforce secure defaults.
• Kubernetes/AKS security: Partner with platform teams to harden AKS (RBAC, network policies, workload identity), implement admission controls, and operationalize Wiz Sensors and CNAPP findings into engineering workflows and secure runtime baselines.

Benefits

• We encourage individuals to apply based on their passions.
• Dayforce encourages personal and professional growth. We offer excellent time away from work programs, comprehensive wellness initiatives and recognition through competitive pay and benefits.
• With a commitment to community impact, including volunteer days and our charity, Dayforce Cares we provide opportunities for you to thrive both in your career and personal life. Our focus is not just on your job but on supporting you to be the best version of yourself.