Business Title Application Engineering Technical Lead II

Global Risk and Security (GR&S) at Vanguard enables business strategy protects client and Vanguard interests (e.g. assets and data) and stewards a strong risk culture. Our teams leverage enterprise-wide insights deep expertise and trusted advice so that across Vanguard leaders and crew drive faster stronger risk-informed decisions.

Within GR&S the Enterprise Security and Fraud (ES&F) sub-division is responsible for the global protection of Vanguard crew property data and client assets. We are the trusted advisors that protect the pride of Vanguard with state-of-the-art security and fraud capabilities. We are a world-class destination of highly engaged passionate and diverse talent expected to continuously learn and develop in an ever-changing security landscape.

Our crew are our greatest resource by joining our team you will build collaborative long-term relationships and enjoy a suite of benefits that includes comprehensive health and wellness care work-life balance and an investment in your future at its core.

Privileged Access Management (CyberArk) Technical Lead

Role Summary

Were seeking a handson Technical Lead to own and evolve our CyberArkbased Privileged Access Management platform. You will provide daytoday technical leadership architect and deliver platform enhancements drive automation (PowerShell first) and integrate PAM with AWS (EC2 Windows Linux) workloads and CI/CD pipelines (GitHub). Youll be the escalation point for complex incidents mentor engineers and ensure controls meet security audit and uptime expectations.

Key Responsibilities

Technical Leadership & Delivery

• Serve as the technical owner for the CyberArk PAM platform (e.g. PVWA PSM CPM CCP REST APIs) setting technical direction prioritizing work and guiding a small squad of PAM engineers.

• Translate risk compliance and audit requirements into secure reliable designs standards and runbooks; review and approve platform changes.

Platform Engineering & Automation

• Design implement and optimize platform policies platforms safes rotations and reconciliation; automate repeatable tasks using PowerShell (preferred) and Python (nice to have).

• Build and maintain GitHubbased CI/CD (Actions/workflows) to version test and deploy CyberArk configuration-ascode and custom utilities; enforce branching and codereview standards.

Cloud & OS Integrations

• Integrate PAM with AWS (with emphasis on EC2 Windows and Linux hosts): onboard privileged accounts and secrets and harden session flows (PSM/PSMP).

• Champion JIT privileged access patterns for cloud and onprem minimizing standing privilege while preserving operational velocity.

Operations Reliability & Troubleshooting

• Own incident response and problem management for PAM: lead major incident bridges perform root cause analysis and implement corrective/preventive actions.

• Define and track SLAs(e.g. vault availability checkout/rotation success PSM session health onboarding cycle time); build dashboards and actionable alerts.

Security & Compliance

• Ensure adherence to internal SOPs and user procedures for PAM operation and access hygiene

• Partner with Audit Risk and Security Engineering to evidence controls complete assessments and pass audits without exceptions.

Stakeholder Management & Mentoring

• Collaborate with platform app and infrastructure owners to onboard use cases plan releases and communicate changes.

• Coach and upskill engineers in PAM concepts secure automation and operational excellence.

Required Qualifications

• 7 years TL experience including 3 years leading technical delivery or a platform engineering squad.

• Expert troubleshooting across Windows and Linux including credential flows session brokering networking DNS/Kerberos/LDAP and endpoint agents.

• PowerShell development: modules robust error handling logging/telemetry parallelization and secure secret handling.

• GitHub: Actions/workflows environment protection rules reusable workflows code reviews and artifact/version management.

• AWS: Practical experience with EC2 and OSlevel onboarding (Windows & Linux) SSM/Run Command/Session Manager tagging/autoonboarding patterns VPC/security group fundamentals.

• Strong understanding of CyberArk components (PVWA CPM PSM EPM/Endpoint Privilege Management) policy design platform plugins and API usage.

• Proven ability to write clear runbooks/SOPs influence architecture decisions and lead incident bridges.

Preferred Qualifications

• Python for REST/API integrations data shaping and service utilities.

• Experience with secrets management for apps/automation (e.g. Secrets Manager/APIbased retrieval).

• IaC exposure (CloudFormation or Terraform) for PAMadjacent infrastructure.

• Familiarity with logging/observability stacks (CloudWatch Splunk) and SIEM integrations for PAM events.

Special Factors

Sponsorship

About Vanguard

At Vanguard we dont just have a missionwere on a mission.

To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne our mission drives us forward and inspires us to be our best.

How We Work

Vanguard has implemented a hybrid working model for the majority of our crew members designed to capture the benefits of enhanced flexibility while enabling in-person learning collaboration and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.