Staff Infrastructure Engineer

SecurityScorecard, New York, NY
$160,000 - $195,000, Onsite

About The Position

SecurityScorecard is looking for a Staff Infrastructure Engineer to own and operate the systems that keep our company running. This is a hands-on, senior-level role based in our New York City office. You will be the primary technical owner of corporate identity, endpoint, collaboration, and AI workflow tooling, with direct daily involvement in security operations. You report to the CISO and work closely with your IT peer in Austin. This role requires someone who can hit the ground running. You will handle incoming IT operations from day one and own the full stack within 90 days.

Requirements

  • 8 or more years of experience operating at a Staff or Principal level in a hands-on infrastructure or IT engineering role, with a track record of owning systems and functions fully, not just contributing within them
  • Expert-level Okta administration, including Lifecycle Management, Workflows, and API integration
  • Hands-on experience managing macOS fleets at scale, including MDM tooling and device compliance enforcement
  • Strong Google Workspace administration experience in an enterprise environment
  • Proficiency in building and maintaining integrations and automations via APIs, scripting, and workflow platforms — with a portfolio of cross-functional tooling that other teams depend on
  • Experience with workflow automation platforms such as Zapier, BlinkOps, or equivalent
  • Experience owning an IT or SaaS budget, including vendor contract negotiation, renewal management, and license optimization
  • Familiarity with endpoint security tooling — CrowdStrike Falcon or equivalent EDR platform experience required
  • Experience producing audit evidence and operating within a SOC 2, ISO 27001, or equivalent compliance framework
  • Prior experience mentoring or actively developing engineers, with demonstrated impact on their growth and ownership
  • Comfort operating in a security-focused environment where access control, auditability, and least-privilege are non-negotiable
  • Ability to manage competing priorities and operate independently in a lean, high-trust environment

Nice To Haves

  • Prior experience at a cybersecurity company or similarly regulated environment — you understand the cultural weight of security-first infrastructure without needing it explained
  • Experience administering and governing AI tools in a corporate environment, including acceptable use policy enforcement and shadow AI controls
  • Experience with HashiCorp Vault or equivalent secrets management platform
  • Exposure to physical access control systems and corporate network infrastructure
  • Experience building automation tooling that serves non-technical stakeholders across functions such as Finance, HR, or GTM
  • Familiarity with Atlassian products (Jira and Confluence) at an administrative level
  • Exposure to FedRAMP authorization environments and the infrastructure controls they require

Responsibilities

  • Administer Okta as the primary identity provider, including SSO, MFA, conditional access policies, and lifecycle management
  • Manage automated provisioning and deprovisioning workflows integrated with BambooHR and Google Workspace
  • Own joiner/mover/leaver processes end-to-end, ensuring access is accurate and timely across all systems
  • Maintain and improve Okta Workflows and API integrations for cross-system identity operations
  • Govern service accounts, API keys, and secrets lifecycle in coordination with the security team
  • Manage macOS fleet using IRU, Intune, and Level for device management, monitoring, and remote operations
  • Enforce security baselines, patch compliance, and configuration policies across corporate endpoints
  • Serve as the escalation point for device-level issues and coordinate with CrowdStrike Falcon for endpoint security
  • Maintain hardware inventory and oversee device procurement, provisioning, and retirement
  • Administer Google Workspace, including email, Drive, groups, DLP settings, and admin console operations
  • Manage Atlassian products (Jira and Confluence), including user access, project configuration, and integrations
  • Serve as the technical owner for corporate SaaS applications, onboarding new tools and offboarding deprecated ones with appropriate access controls
  • Maintain an approved software register and own the lightweight security review process for new tool procurement requests
  • Manage corporate VPN, office network architecture, and Wi-Fi infrastructure across NYC and Austin locations
  • Administer physical access control systems and coordinate badge provisioning with HR and facilities
  • Maintain firewall policy baselines and escalate anomalies to the security team
  • Own DLP policy configuration and enforcement at the endpoint, email, and collaboration layers
  • Monitor for shadow IT and unauthorized data movement; escalate confirmed violations per policy
  • Partner with the security team on user behavior anomalies that surface through access logs or DLP alerts
  • Assist in SOC 2, ISO 27001, and other compliance audits by producing access logs, provisioning records, device compliance reports, and configuration evidence on request
  • Maintain documentation for all systems under ownership sufficient to support audit and business continuity requirements
  • Contribute to policy development and procedure documentation as the technical subject matter expert
  • Conduct lightweight security assessments of new SaaS and tooling requests before procurement approval
  • Maintain awareness of vendor security posture for critical corporate tools and surface material changes to the CISO
  • Coordinate vendor off-boarding and ensure credential and access revocation is complete
  • Own the IT budget end-to-end — tracking spend across SaaS subscriptions, hardware, vendors, and managed services against approved budgets
  • Manage vendor contracts and renewal cycles, including negotiating pricing, right-sizing licenses to actual usage, and identifying consolidation opportunities across the SaaS portfolio
  • Conduct periodic license utilization reviews across all major platforms (Okta, Google Workspace, Atlassian, CrowdStrike, etc.) and reclaim or downgrade unused seats proactively
  • Build and maintain a cost visibility dashboard or equivalent tracking system so the CISO has accurate, real-time spend visibility at any point
  • Partner with Finance on purchase orders, vendor onboarding, and invoice reconciliation
  • Identify and execute cost savings — through renegotiation, tool consolidation, or usage optimization — and report realized savings to the CISO regularly
  • Forecast annual IT spend and prepare budget proposals for planning cycles with supporting justification
  • Design and build automations that extend beyond IT — creating workflows and tooling that meaningfully improve how other teams (Finance, HR, Security, Engineering, GTM) operate
  • Identify high-friction, manual processes across the organization and own the full solution lifecycle from scoping through deployment and maintenance
  • Integrate across the SaaS stack using APIs, Zapier, BlinkOps, Okta Workflows, and AI-assisted tooling to build durable, observable automations — not one-off scripts
  • Serve as the internal expert on what's automatable and what isn't — advising department heads and the CISO on where automation investment has the highest leverage
  • Maintain a backlog of automation opportunities prioritized by impact and complexity, and drive it forward without waiting to be asked
  • Document all automations thoroughly so they can be understood, maintained, and extended by others
  • Serve as the direct technical mentor to IT peers — actively investing in their growth through regular 1:1s, workflow reviews, and hands-on pairing sessions
  • Identify skill gaps across the team and design development plans that stretch engineers toward greater ownership and independence over time
  • Share institutional knowledge proactively — ensuring team members have the context needed to cover critical systems and respond confidently during incidents or escalations
  • Model the engineering and operational standards you want the team to grow into — documentation discipline, automation-first thinking, security rigor, and clear communication to leadership
  • Provide candid, constructive feedback and advocate for your team's growth and recognition with leadership
  • Own corporate email security infrastructure, including DMARC, DKIM, and SPF configuration, enforcement, and ongoing monitoring
  • Administer email gateway and anti-phishing controls, ensuring policies are current and effective against evolving threats
  • Investigate and respond to email-based security incidents, including phishing reports, spoofing attempts, and business email compromise indicators
  • Coordinate with the security team on email threat intelligence and policy tuning
  • Own the governance of highly privileged accounts across corporate infrastructure — including break-glass accounts, shared admin credentials, and service accounts with elevated permissions
  • Enforce PAM policies, including just-in-time access, session recording, and regular privileged access reviews
  • Ensure no standing privileged access exists without documented business justification and periodic revalidation
  • Coordinate with the security team on privileged access anomalies and integrate PAM telemetry into security monitoring workflows
  • This role carries on-call responsibilities — you are expected to be reachable and responsive during active incidents outside of business hours when corporate infrastructure, identity systems, or endpoints are involved
  • Participate in a shared on-call rotation with IT peers, with clear escalation paths and runbooks for common incident types
  • Response expectations are calibrated to severity — a locked-out executive at 11pm is different from a non-critical SaaS outage, and you'll be expected to exercise that judgment independently
  • Occasional travel to SecurityScorecard’s New York office is expected for team alignment, onboarding coordination, and operational continuity — estimated at a few times per year
  • Additional travel may be required for vendor meetings, security conferences, or company off-sites
  • Manage corporate hardware shipments via FedEx and DHL — including device provisioning shipments to remote employees, returns from offboarded staff, and vendor deliveries to the NYC office
  • Own the end-to-end logistics process for hardware: labeling, tracking, customs documentation for international shipments, and coordinating with building management for receiving
  • Maintain accurate records of all inbound and outbound shipments and reconcile against asset inventory in real time
  • Administer and integrate AI tools, including Claude (Anthropic), Zapier, and BlinkOps
  • Build and maintain automated workflows that connect identity, IT, and security processes across the SaaS stack
  • Evaluate new AI-assisted tooling for IT and security use cases and make recommendations to the CISO
  • Coordinate daily with the security team on access reviews, incident triage, and policy enforcement
  • Support security investigations by pulling logs, revoking access, and isolating systems as needed
  • Work directly with MSSP and other security vendors on escalations requiring infrastructure context
  • Serve as first responder for endpoint compromise, account takeover, and suspicious access events — triage and contain before escalating to the MSSP or security operations team

Benefits

  • Competitive salary
  • Stock options
  • Health benefits
  • Unlimited PTO
  • Parental leave
  • Tuition reimbursements