Senior IT Security Architect

About The Position

Requirements

• Bachelor’s degree in Computer Science, Information Technology, Engineering, or equivalent experience in a related discipline.
• 10+ years of enterprise security architecture experience spanning cloud, identity, network, endpoint, application, and data security.
• 3+ years of hands-on Azure security architecture: landing zones, Key Vault, managed identity, private endpoints, Microsoft Sentinel, and Azure-native data platforms (Databricks, Synapse, Fabric).
• Deep identity architecture experience with core protocols (OAuth/OIDC, SAML, SCIM, federation), conditional access, MFA strategy, and B2C customer identity. Hands-on experience with Microsoft Entra ID and Okta preferred.
• Expert-level experience with EDR/EPP and Identity Protection platforms (CrowdStrike preferred).
• Expert-level experience with enterprise DLP, data classification (e.g., BigID), and CASB/SASE architecture (Netskope preferred).
• Expert-level experience with enterprise email security (Proofpoint preferred) and edge protection (Cloudflare preferred).
• Working experience with Infrastructure-as-Code security: Terraform and/or Bicep, policy-as-code, and CSPM platforms.
• Fluency with security and compliance frameworks: NIST CSF, CIS Controls, PCI-DSS, SOX, and applicable privacy regulations (CCPA).
• CISSP, CCSP, or equivalent security certification required.
• Demonstrated track record of authoring architecture documentation that survives review, implementation, and audit.
• Proficiency with monitoring, logging, change management, and CMDB tooling (ServiceNow experience a plus).

Nice To Haves

• Retail, PCI, and store-systems experience strongly preferred (POS, payment, store network, third-party retail integrations).

Responsibilities

• Author reference architecture and design documents across all security domains. Designs must be implementable, testable, and resistant to drift.
• Lead security architecture positions at the Architecture Review Board (ARB). Define and enforce architectural gates for development-to-production progression. Present options, trade-offs, and a recommended path for each decision.
• Lead complex, cross-functional security architecture initiatives of strategic importance to the organization. Advise senior leadership on security matters of significant impact, and provide input to department goals, planning, and budget priorities.
• Design and govern Azure landing zones, managed identity patterns, Key Vault and private-endpoint baselines, CSPM policy, and Terraform/Bicep security guardrails. Lead security architecture for Databricks, Synapse, and Fabric data platforms, including data-lake segmentation and access control.
• Design integration patterns for Microsoft Entra ID and Okta, conditional access, MFA strategy, B2C customer identity, Azure Virtual Desktop access, and BYOD access. Architect CrowdStrike Identity Protection integration with the identity estate.
• Partner with network architecture on segmentation for headquarters and store environments, SASE/CASB/NPA architecture (Netskope), edge protection (Cloudflare), and vendor/BYOD network zones. Drive zero-trust maturity across corporate, retail, and cloud perimeters.
• Set architectural direction for EDR/EPP/IDP (CrowdStrike), endpoint management (Tanium), CASB (Netskope), and email security (Proofpoint). Guide the decommissioning of legacy platforms and the onboarding of replacements.
• Design DLP, data classification (BigID), consent management, and data retention patterns. Govern the security and privacy architecture of AI platforms, vendors, and internal AI tooling, including model-training and data-handling terms.
• Support vendor risk assessments, review SOC 2 Type 2 reports, evaluate vendor SSO/SCIM/RBAC/audit-logging, and author SDLC security standards (secrets management, logging baselines, secure deployment patterns).
• Design security architecture for store systems, point-of-sale, handheld devices, and third-party store integrations. Ensure PCI-DSS alignment across applicable environments.
• Draft and maintain architectural standards and patterns: naming conventions, IaC security patterns, API gateway baselines, cloud tagging, and logging/compliance defaults.
• Map architectural initiatives to NIST CSF (Govern, Identify, Protect, Detect, Respond, Recover), CIS Controls, SOX, and PCI-DSS, borrowing from ISO 27001 and other best practices where applicable. Contribute to security policies and standards.
• Provide guidance, coaching, and training in security architecture across the Company within area of expertise — to security engineers and analysts as well as partners in infrastructure, network, cloud, and application teams.
• Participate in root cause analysis and architectural remediation for incidents, breaches, and HR/Legal investigations. Translate lessons learned into architectural changes.
• Comply with and contribute to change control, development lifecycle, and release management policies. Ensure architectural changes are represented at CAB and documented appropriately.