Sr. Security Engineer, Corporate Information Security

Betterment
New York City, NY
Hybrid

About The Position

Betterment is hiring a Sr. Security Engineer, Corporate Information Security to be a principal member of the Workforce Security team. This team is responsible for managing identity and logical access across the company, owning change management for the systems employees and contractors rely on every day, and operating the technologies that secure them: Okta, Google Workspace, Slack, Atlassian, Glean, Jamf, and the SaaS portfolio that surrounds them. As the company extends centralized management to a small Windows and Linux footprint, this role will help shape how that is done securely from day one.

This is a hands-on senior individual contributor role focused on designing, implementing, and continuously improving identity architecture, privileged access controls, endpoint hardening standards, and the overall workforce security posture. The engineer will embed secure access patterns across SaaS, managed browser, mobile, and workstation environments, partnering closely with other Security teams, IT, Legal, Compliance, and the business units served.

In parallel, the engineer will partner with the AI Governance & Enablement team to evaluate, enable, and secure the use of AI tools (ChatGPT, Claude, Glean Assistant, and the agentic tooling that's coming next), establishing practical guardrails that let employees move quickly without compromising data or systems.

This role is based out of Betterment's NYC office.

Requirements

  • 6+ years in security engineering with deep experience in IAM and corporate security, ideally with time in a regulated environment.
  • Strong command of authentication and authorization protocols (SAML, OIDC, OAuth, SCIM, LDAP), enterprise IAM platforms (Okta and Entra ID), RBAC design, and lifecycle automation.
  • Comfortable with Identity Center / SSO patterns at scale and PIM-equivalent / break-glass models for privileged access.
  • Familiarity with endpoint management and EDR; operationalizing CIS benchmarks across macOS and Windows without crushing the user experience; comfort extending security to mobile and managed browser surfaces.
  • Experience designing remediation SLAs, running remediation campaigns to actual closure, and operating SaaS posture tooling (Wiz, Vanta, Drata, or peers).
  • Comfortable building tools and pipelines, not just configuring them; Python, Go, or similar with a track record of automation.
  • Curiosity for AI tools and workflows; an instinct for enabling responsibly rather than reflexively blocking.
  • Strong writing skills (RFCs, one-pagers, audit narratives) and cross-functional patience.
  • Comfort operating in SOC 2 and ISO 27001/NIST environments, balancing risk reduction with business enablement.
  • Experience with network monitoring & alerting, perimeter blocking, intelligence gathering/sharing, and other network related security controls (ZTNA); building/testing ACLs, firewall rules, cryptography, VPNs and tunneling/encapsulation.

Nice To Haves

  • Hands-on experience with Privileged Access Management (CyberArk, BeyondTrust, Delinea), Identity Governance & Administration (Saviynt, SailPoint, ConductorOne, Lumos), or modern secrets management (HashiCorp Vault, Doppler).
  • Real-world Zero Trust implementation experience.
  • Working knowledge of policy-as-code (OPA / Rego) or similar.
  • Experience partnering with an MDR / managed SOC and shaping their detection content.
  • Security certifications such as CISSP or vendor IAM certifications.

Responsibilities

  • Define and evolve the workforce IAM roadmap, architecting identity patterns across Okta and the SaaS estate, including SSO at scale, RBAC, and lifecycle automation.
  • Build a sustainable Identity Governance & Administration (IGA) practice, including User Access Review campaigns.
  • Lead initiatives across authentication, authorization, federation, and privileged access, designing time-bound, just-in-time, and break-glass patterns for high-risk roles.
  • Govern non-human identities, service accounts, API tokens, OAuth integrations, and AI agents.
  • Embed Zero Trust and least-privilege principles into every workforce system.
  • Manage the security of corporate communication platforms, including email and Slack, through tools such as Abnormal Security and Proofpoint, enforcing DLP and conducting investigations.
  • Define and enforce hardening standards aligned with CIS benchmarks for macOS, Windows, and Linux Desktops, with mobile and managed browser controls layered on top.
  • Architect enterprise browser security, extension governance, session protection, and DLP at the browser layer.
  • Lead the workforce vulnerability management program for endpoints and corporate SaaS, designing remediation SLAs, running remediation campaigns, and partnering with IT Systems to fix identity and configuration misconfigurations.
  • Operate SaaS posture tooling (e.g., Wiz, Vanta, Drata, or peers) as the connective tissue across the SaaS estate.
  • Establish and enforce a secure architecture for AI tool usage, data handling boundaries, connector security, identity-aware access controls, and detection for misuse.
  • Run UAR campaigns end-to-end, drive remediation of audit findings (SOC 2, ISO 27001), and partner with MDR MSP and internal teams to mature identity-related detection and incident response.
  • Augment and assist with cross-functional GRC capabilities.

Benefits

  • Medical, dental, and vision coverage
  • Life and AD&D insurance
  • Short- and long-term disability
  • Infertility support and WPATH-aligned transgender health benefits
  • Employee Assistance Program (EAP)
  • Transit benefits
  • FSA and HSA options
  • Equity for all employees, including new hire and refresher grants
  • Flexible paid time off
  • Paid parental leave
  • Fully paid four-week sabbatical in your sixth year
  • Company-paid professional coaching for all employees
  • Day-one 401(k) match plus matching on qualified student loan payments