Sr. Security Engineer, Corporate Information Security

Betterment, New York, NY
$165,000 - $185,000, Hybrid

About The Position

Betterment is hiring a Sr. Security Engineer, Corporate Information Security to be a principal member of the Workforce Security team. This team is responsible for managing identity and logical access across the company, owning change management for the systems employees and contractors rely on daily, and operating the technologies that secure them, such as Okta, Google Workspace, Slack, Atlassian, Glean, Jamf, and the surrounding SaaS portfolio. The role will also contribute to extending centralized management to a small Windows and Linux footprint. This is a hands-on senior individual contributor role focused on designing, implementing, and continuously improving identity architecture, privileged access controls, endpoint hardening standards, and the overall workforce security posture. The engineer will embed secure access patterns across SaaS, managed browser, mobile, and workstation environments, partnering closely with other Security teams, IT, Legal, Compliance, and business units. Additionally, the role will partner with the AI Governance & enablement team to evaluate, enable, and secure the use of AI tools, establishing practical guardrails. This role is based in the NYC office and offers a hybrid work model.

Requirements

  • 6+ years in security engineering with deep experience in IAM and corporate security, ideally with time in a regulated environment.
  • Strong command of authentication and authorization protocols (SAML, OIDC, OAuth, SCIM, LDAP).
  • Experience with enterprise IAM platforms (Okta and Entra ID).
  • Proficiency in RBAC design and lifecycle automation.
  • Comfortable with Identity Center / SSO patterns at scale and PIM-equivalent / break-glass models for privileged access.
  • Familiarity with endpoint management and EDR.
  • Experience operationalizing CIS benchmarks across macOS and Windows.
  • Comfort extending security to mobile and managed browser surfaces.
  • Experience designing remediation SLAs, running remediation campaigns to actual closure, and operating SaaS posture tooling (Wiz, Vanta, Drata, or peers).
  • Comfortable building tools and pipelines; Python, Go, or similar with a track record of automation.
  • Curiosity for AI tools and workflows; an instinct for enabling responsibly rather than reflexively blocking.
  • Strong writing skills (RFCs, one-pagers, audit narratives).
  • Cross-functional patience to bring stakeholders along.
  • Comfort operating in SOC 2 and ISO 27001/NIST environments, balancing risk reduction with business enablement.
  • Experience with network monitoring and alerting, perimeter blocking, intelligence gathering and sharing, and other network-related security controls (ZTNA).
  • Experience building/testing ACLs, firewall rules, cryptography, VPNs and tunneling/encapsulation.

Nice To Haves

  • Hands-on experience with Privileged Access Management (CyberArk, BeyondTrust, Delinea).
  • Hands-on experience with Identity Governance & Administration (Saviynt, SailPoint, ConductorOne, Lumos).
  • Hands-on experience with modern secrets management (HashiCorp Vault, Doppler).
  • Real-world Zero Trust implementation experience.
  • Working knowledge of policy-as-code (OPA / Rego) or similar.
  • Experience partnering with an MDR / managed SOC and shaping their detection content.
  • Security certifications such as CISSP or vendor IAM certifications.

Responsibilities

  • Define and evolve the workforce IAM roadmap, architecting identity patterns across Okta and the SaaS estate for SSO at scale, robust RBAC, and lifecycle automation.
  • Build a sustainable Identity Governance & Administration (IGA) practice, including User Access Review campaigns.
  • Lead initiatives across authentication, authorization, federation, and privileged access, designing time-bound, just-in-time, and break-glass patterns for high-risk roles.
  • Govern non-human identities, service accounts, API tokens, OAuth integrations, and AI agents.
  • Embed Zero Trust and least-privilege principles into workforce systems.
  • Manage the security of corporate communication platforms (email, Slack) using tools like Abnormal Security and Proofpoint, including DLP enforcement and email investigations.
  • Define and enforce hardening standards aligned with CIS benchmarks for macOS, Windows, and Linux Desktops, with layered controls for mobile and managed browsers.
  • Architect enterprise browser security, extension governance, session protection, and DLP at the browser layer.
  • Lead the workforce vulnerability management program for endpoints and corporate SaaS, designing remediation SLAs and running remediation campaigns.
  • Partner with IT Systems to surface and fix identity and configuration misconfigurations.
  • Operate SaaS posture tooling (e.g., Wiz, Vanta, Drata) as the connective tissue across the SaaS estate.
  • Establish and enforce a secure architecture for AI tool usage, data handling, connector security, identity-aware access controls, and detection for misuse.
  • Run User Access Review (UAR) campaigns end-to-end.
  • Drive remediation of audit findings (SOC 2, ISO 27001).
  • Partner with MDR MSP and internal teams to mature identity-related detection and incident response.
  • Augment and assist with cross-functional GRC capabilities.
  • Build tools and pipelines for automation using Python, Go, or similar languages.

Benefits

  • Medical, dental, and vision coverage
  • Life and AD&D insurance
  • Short- and long-term disability
  • Infertility support and WPATH-aligned transgender health benefits
  • Employee Assistance Program (EAP)
  • Transit benefits
  • FSA and HSA options
  • Equity for all employees, including new hire and refresher grants
  • Flexible paid time off
  • Paid parental leave
  • Fully paid four-week sabbatical in your sixth year
  • Company-paid professional coaching for all employees
  • Day-one 401(k) match
  • Matching on qualified student loan payments
© 2026 Teal Labs, Inc