Sr. Cyber Security Engineer

Virtuoso, Ltd.•Fort Worth, TX

About The Position

Virtuoso® is the leading global travel agency network specializing in luxury and experiential travel. This by-invitation-only organization comprises over 1,200 travel agency locations with more than 20,000 travel advisors in 58 countries throughout North America, Latin America, the Caribbean, Europe, Asia-Pacific, Africa and the Middle East. Drawing upon its preferred relationships with 2,500 of the world’s best hotels and resorts, cruise lines, airlines, tour companies and premier destinations, the network provides its upscale clientele with exclusive amenities, rare experiences and privileged access. Annual sales of (U.S.) $35 billion make Virtuoso a powerhouse in the luxury travel industry. For more information, visit www.virtuoso.com. The Senior Cyber Security Engineer is a hands-on technical leader responsible for designing, building, and owning Virtuoso’s security infrastructure in a cloud-first environment anchored in Microsoft Azure. This role moves well beyond monitoring and reporting — the engineer architects Zero Trust security controls, drives DevSecOps adoption across engineering teams, and owns the full lifecycle of security tooling from evaluation through production. The Sr. Cybersecurity Engineer leads vulnerability management, incident response capabilities, and SIEM/SOAR operations, while maintaining ISO 27001 and PCI-DSS compliance programs and delivering executive-level security intelligence to leadership. This individual is the primary technical authority for protecting Virtuoso’s data, systems, and cloud workloads — a builder who makes the environment demonstrably more secure every quarter.

Requirements

5–7 years of progressive cybersecurity experience with demonstrated ownership of engineering-level deliverables (not just monitoring or support functions).
Bachelor’s degree in Information Technology, Computer Science, Cybersecurity, or a related field — or equivalent practical experience with professional certifications.
Proven track record of designing and shipping security capabilities in cloud environments, not solely operating inherited tooling.
Deep working knowledge of ISO 27001, NIST Cybersecurity Framework (CSF), and NIST SP 800-53.
Hands-on experience implementing PCI-DSS controls in cloud or hybrid environments.
Familiarity with MITRE ATT&CK framework for threat modeling and detection engineering.
Cloud security architecture and engineering — Azure primary; familiarity with multi-cloud patterns.
Incident response leadership: from detection through containment, eradication, and post-mortem.
Security automation and scripting (PowerShell, Python) for tooling integration and workflow acceleration.
DevSecOps and CI/CD pipeline security integration.
Strong written and verbal communication — ability to translate technical risk into executive-level narrative.
Threat intelligence analysis and operationalization.
Microsoft Azure Security Services: Microsoft Defender for Cloud, Microsoft Sentinel, Azure Policy, Azure Firewall, Azure Security Center.
Microsoft Entra ID (Azure AD): Conditional Access, Privileged Identity Management (PIM), Identity Protection, SSPR.
Microsoft 365 Defender / Microsoft 365 Security Suite: Defender for Endpoint, Defender for Identity, Defender for Office 365, Secure Score.
Snowflake Security: Data access controls, dynamic data masking, network policies, audit logging, and alerting.
Cato Networks SASE / Firewall Platform: Policy design, traffic inspection, and incident investigation.
Endpoint Detection & Response (EDR) Platforms: Deployment, tuning, investigation, and threat containment.
Vulnerability Management Platforms: Qualys, Rapid7, Tenable or equivalent — scan configuration, reporting, and remediation tracking.
Security Scripting & Automation: PowerShell and Python for automating security workflows, API integrations, and tooling pipelines.
SIEM / SOAR: Microsoft Sentinel — analytics rules, KQL queries, SOAR playbook development, workbook design.

Nice To Haves

AZ-500 — Microsoft Azure Security Engineer Associate (Highly Preferred): Directly validates the Azure-native security engineering skills central to this role.
CISSP — Certified Information Systems Security Professional: Validates breadth of security knowledge and engineering-level thinking across domains.
CCSP — Certified Cloud Security Professional: Validates cloud security architecture knowledge essential for a cloud-first environment.
OSCP — Offensive Security Certified Professional: Demonstrates hands-on penetration testing capability and attacker mindset.
CompTIA Security+ / PenTest+: Accepted as a foundational certification for candidates building toward CISSP or OSCP.
Infrastructure as Code (IaC): Terraform, Bicep, or ARM templates with security policy enforcement and drift detection.
CI/CD Pipeline Security: Azure DevOps or GitHub Actions — integrating SAST, DAST, SCA, and secrets scanning into build pipelines.
Application & Network Penetration Testing: Experience scoping, executing, or managing internal or third-party assessments.
Zero Trust Architecture Implementation: Practical experience applying Zero Trust principles across identity, devices, network, and data workloads.

Responsibilities

Design and architect security controls across Virtuoso’s Azure-primary cloud environment, including network segmentation, encryption standards, and identity boundaries.
Architect and implement Zero Trust security principles across cloud, hybrid, and SaaS environments.
Own Microsoft Defender for Cloud and Azure Policy configurations — design guardrails, enforce compliance baselines, and remediate posture findings.
Design and implement Azure Firewall rules, network security groups, and Cato Networks SASE policies.
Architect, implement, and continuously improve Virtuoso’s SIEM/SOAR platform — own analytics rules, playbooks, workbooks, and data connector onboarding.
Design and lead incident response capabilities: build runbooks, lead tabletop exercises, and drive post-incident reviews that produce measurable hardening.
Operate and tune endpoint detection and response (EDR) platforms; investigate and contain endpoint threats with full ownership through closure.
Own the enterprise vulnerability management program end-to-end: tooling selection, scan cadence, automation of remediation tracking, and SLA enforcement with asset owners.
Lead the threat intelligence program — ingest, analyze, and operationalize threat feeds into detection rules and preventive controls.
Conduct and coordinate penetration testing activities; translate findings into prioritized engineering remediation plans.
Own identity security in Microsoft Entra ID (Azure AD): design Conditional Access policies, Privileged Identity Management (PIM) workflows, and enforce least-privilege across the environment.
Define and enforce authentication standards (MFA, phishing-resistant authenticators, passwordless) across all workforce and privileged accounts.
Lead DevSecOps integration — embed automated security gates (SAST, DAST, SCA, secrets scanning) into Azure DevOps and GitHub Actions CI/CD pipelines.
Build and maintain security automation using PowerShell, Python, and Azure-native tools (Logic Apps, Azure Functions) to reduce manual effort and accelerate response.
Own Infrastructure as Code (Terraform, Bicep, ARM templates) security practices — design secure templates and enforce policy-as-code.
Support ISO 27001 and PCI-DSS compliance programs — maintain control documentation, manage evidence collection, and lead internal audit cycles without external handholding.
Support GDPR and CPRA compliance requirements, translating regulatory obligations into technical controls.
Design and maintain security monitoring, access controls, and data masking configurations for the Snowflake data platform.
Evaluate, implement, and own security tooling decisions; manage vendor relationships and license optimization for the security stack.
Produce executive-level security metrics, dashboards, and risk reports that translate technical posture into business-relevant language for leadership and the board.
Engage with the security community through threat intelligence sharing, industry groups, and continuous learning; bring external insights back to improve Virtuoso’s defenses.