Staff Infrastructure Engineer

SecurityScorecard


Job Location:

New York City, NY - USA

Monthly Salary: Not Disclosed
Posted on: 15 hours ago
Vacancies: 1 Vacancy

Job Summary

About SecurityScorecard:

SecurityScorecard is the global leader in cybersecurity ratings, with over 12 million companies continuously rated, operating in 64 countries. Founded in 2013 by security and risk experts Dr. Alex Yampolskiy and Sam Kassoumeh and funded by world-class investors, SecurityScorecard's patented rating technology is used by over 25,000 organizations for self-monitoring, third-party risk management, board reporting, and cyber insurance underwriting; making all organizations more resilient by allowing them to easily find and fix cybersecurity risks across their digital footprint.

Headquartered in New York City, our culture has been recognized by Inc Magazine as a Best Workplace, by Crain's NY as a Best Places to Work in NYC, and as one of the 10 hottest SaaS startups in New York for two years in a row. Most recently, SecurityScorecard was named to Fast Company's annual list of the World's Most Innovative Companies for 2023 and to the Achievers 50 Most Engaged Workplaces in 2023 award, recognizing forward-thinking employers for their unwavering commitment to employee engagement. SecurityScorecard is proud to be funded by world-class investors including Silver Lake Waterman, Moody's, Sequoia Capital, GV, and Riverwood Capital.

About the Role:

SecurityScorecard is looking for a Staff Infrastructure Engineer to own and operate the systems that keep our company running. This is a hands-on, senior-level role based in our New York City office. You will be the primary technical owner of corporate identity, endpoint, collaboration, and AI workflow tooling, with direct daily involvement in security operations. You report to the CISO and work closely with your IT peer in Austin.

This role requires someone who can hit the ground running. You will handle incoming IT operations from day one and own the full stack within 90 days.

What You Will Own:

Identity and Access Management

  • Administer Okta as the primary identity provider, including SSO, MFA, conditional access policies, and lifecycle management
  • Manage automated provisioning and deprovisioning workflows integrated with BambooHR and Google Workspace
  • Own joiner/mover/leaver processes end-to-end, ensuring access is accurate and timely across all systems
  • Maintain and improve Okta Workflows and API integrations for cross-system identity operations
  • Govern service accounts, API keys, and secrets lifecycle in coordination with the security team

Endpoint and Device Management

  • Manage macOS fleet using IRU, Intune, and Level for device management, monitoring, and remote operations
  • Enforce security baselines, patch compliance, and configuration policies across corporate endpoints
  • Serve as the escalation point for device-level issues and coordinate with CrowdStrike Falcon for endpoint security
  • Maintain hardware inventory and oversee device procurement, provisioning, and retirement

Collaboration and SaaS Administration

  • Administer Google Workspace, including email, Drive, groups, DLP settings, and admin console operations
  • Manage Atlassian products (Jira and Confluence), including user access, project configuration, and integrations
  • Serve as the technical owner for corporate SaaS applications, onboarding new tools and offboarding deprecated ones with appropriate access controls
  • Maintain an approved software register and own the lightweight security review process for new tool procurement requests

Network and Physical Access Infrastructure

  • Manage corporate VPN, office network architecture, and Wi-Fi infrastructure across NYC and Austin locations
  • Administer physical access control systems and coordinate badge provisioning with HR and facilities
  • Maintain firewall policy baselines and escalate anomalies to the security team

Data Loss Prevention and Insider Threat Controls

  • Own DLP policy configuration and enforcement at the endpoint, email, and collaboration layers
  • Monitor for shadow IT and unauthorized data movement; escalate confirmed violations per policy
  • Partner with the security team on user behavior anomalies that surface through access logs or DLP alerts

Audit Compliance and Evidence Collection

  • Assist in SOC 2, ISO 27001, and other compliance audits by producing access logs, provisioning records, device compliance reports, and configuration evidence on request
  • Maintain documentation for all systems under ownership, sufficient to support audit and business continuity requirements
  • Contribute to policy development and procedure documentation as the technical subject matter expert

Vendor and Third-Party Risk

  • Conduct lightweight security assessments of new SaaS and tooling requests before procurement approval
  • Maintain awareness of vendor security posture for critical corporate tools and surface material changes to the CISO
  • Coordinate vendor off-boarding and ensure credential and access revocation is complete

IT Finance and Budget Management

  • Own the IT budget end-to-end, tracking spend across SaaS subscriptions, hardware vendors, and managed services against approved budgets
  • Manage vendor contracts and renewal cycles, including negotiating pricing, right-sizing licenses to actual usage, and identifying consolidation opportunities across the SaaS portfolio
  • Conduct periodic license utilization reviews across all major platforms (Okta, Google Workspace, Atlassian, CrowdStrike, etc.) and reclaim or downgrade unused seats proactively
  • Build and maintain a cost visibility dashboard or equivalent tracking system so the CISO has accurate, real-time spend visibility at any point
  • Partner with Finance on purchase orders, vendor onboarding, and invoice reconciliation
  • Identify and execute cost savings through renegotiation, tool consolidation, or usage optimization, and report realized savings to the CISO regularly
  • Forecast annual IT spend and prepare budget proposals for planning cycles, with supporting justification

Automation Engineering and Internal Tooling

  • Design and build automations that extend beyond IT, creating workflows and tooling that meaningfully improve how other teams (Finance, HR, Security Engineering, GTM) operate
  • Identify high-friction manual processes across the organization and own the full solution lifecycle, from scoping through deployment and maintenance
  • Integrate across the SaaS stack using APIs, Zapier, BlinkOps, Okta Workflows, and AI-assisted tooling to build durable, observable automations, not one-off scripts
  • Serve as the internal expert on what's automatable and what isn't, advising department heads and the CISO on where automation investment has the highest leverage
  • Maintain a backlog of automation opportunities, prioritized by impact and complexity, and drive it forward without waiting to be asked
  • Document all automations thoroughly so they can be understood, maintained, and extended by others

Mentorship and Team Development

  • Serve as the direct technical mentor to IT peers, actively investing in their growth through regular 1:1s, workflow reviews, and hands-on pairing sessions
  • Identify skill gaps across the team and design development plans that stretch engineers toward greater ownership and independence over time
  • Share institutional knowledge proactively, ensuring team members have the context needed to cover critical systems and respond confidently during incidents or escalations
  • Model the engineering and operational standards you want the team to grow into: documentation discipline, automation-first thinking, security rigor, and clear communication to leadership
  • Provide candid, constructive feedback and advocate for your team's growth and recognition with leadership

Email Security

  • Own corporate email security infrastructure, including DMARC, DKIM, and SPF configuration, enforcement, and ongoing monitoring
  • Administer email gateway and anti-phishing controls, ensuring policies are current and effective against evolving threats
  • Investigate and respond to email-based security incidents, including phishing reports, spoofing attempts, and business email compromise indicators
  • Coordinate with the security team on email threat intelligence and policy tuning

Privileged Access Management

  • Own the governance of highly privileged accounts across corporate infrastructure, including break-glass accounts, shared admin credentials, and service accounts with elevated permissions
  • Enforce PAM policies, including just-in-time access, session recording, and regular privileged access reviews
  • Ensure no standing privileged access exists without documented business justification and periodic revalidation
  • Coordinate with the security team on privileged access anomalies and integrate PAM telemetry into security monitoring workflows

On-Call and Incident Response Expectations

  • This role carries on-call responsibilities; you are expected to be reachable and responsive during active incidents outside of business hours when corporate infrastructure, identity systems, or endpoints are involved
  • Participate in a shared on-call rotation with IT peers, with clear escalation paths and runbooks for common incident types
  • Response expectations are calibrated to severity; a locked-out executive at 11pm is different from a non-critical SaaS outage, and you'll be expected to exercise that judgment independently

Travel Expectations

  • Occasional travel to SecurityScorecard's New York office is expected for team alignment, onboarding coordination, and operational continuity, estimated at a few times per year
  • Additional travel may be required for vendor meetings, security conferences, or company off-sites

Shipping, Receiving, and Hardware Logistics

  • Manage corporate hardware shipments via FedEx and DHL, including device provisioning shipments to remote employees, returns from offboarded staff, and vendor deliveries to the NYC office
  • Own the end-to-end logistics process for hardware: labeling, tracking, customs documentation for international shipments, and coordinating with building management for receiving
  • Maintain accurate records of all inbound and outbound shipments and reconcile against asset inventory in real time

AI Tooling and Workflow Automation

  • Administer and integrate AI tools, including Claude (Anthropic), Zapier, and BlinkOps
  • Build and maintain automated workflows that connect identity, IT, and security processes across the SaaS stack
  • Evaluate new AI-assisted tooling for IT and security use cases and make recommendations to the CISO

Security Operations Support

  • Coordinate daily with the security team on access reviews, incident triage, and policy enforcement
  • Support security investigations by pulling logs, revoking access, and isolating systems as needed
  • Work directly with MSSP and other security vendors on escalations requiring infrastructure context
  • Serve as first responder for endpoint compromise, account takeover, and suspicious access events; triage and contain before escalating to the MSSP or security operations team

Required Qualifications:

  • 8 or more years of experience operating at a Staff or Principal level in a hands-on infrastructure or IT engineering role, with a track record of owning systems and functions fully, not just contributing within them
  • Expert-level Okta administration, including Lifecycle Management, Workflows, and API integration
  • Hands-on experience managing macOS fleets at scale, including MDM tooling and device compliance enforcement
  • Strong Google Workspace administration experience in an enterprise environment
  • Proficiency in building and maintaining integrations and automations via APIs, scripting, and workflow platforms, with a portfolio of cross-functional tooling that other teams depend on
  • Experience with workflow automation platforms such as Zapier, BlinkOps, or equivalent
  • Experience owning an IT or SaaS budget, including vendor contract negotiation, renewal management, and license optimization
  • Familiarity with endpoint security tooling; CrowdStrike Falcon or equivalent EDR platform experience required
  • Experience producing audit evidence and operating within a SOC 2, ISO 27001, or equivalent compliance framework
  • Prior experience mentoring or actively developing engineers, with demonstrated impact on their growth and ownership
  • Comfort operating in a security-focused environment where access control, auditability, and least-privilege are non-negotiable
  • Ability to manage competing priorities and operate independently in a lean, high-trust environment

Preferred Qualifications:

  • Prior experience at a cybersecurity company or similarly regulated environment; you understand the cultural weight of security-first infrastructure without needing it explained
  • Experience administering and governing AI tools in a corporate environment, including acceptable use policy enforcement and shadow AI controls
  • Experience with HashiCorp Vault or equivalent secrets management platform
  • Exposure to physical access control systems and corporate network infrastructure
  • Experience building automation tooling that serves non-technical stakeholders across functions such as Finance, HR, or GTM
  • Familiarity with Atlassian products (Jira and Confluence) at an administrative level
  • Exposure to FedRAMP authorization environments and the infrastructure controls they require

Benefits:

Specific to each country, we offer a competitive salary, stock options, health benefits, and unlimited PTO, parental leave, tuition reimbursements, and much more!

The estimated total compensation range for this position is $160,000 - $195,000 (base plus bonus). Actual compensation for the position is based on a variety of factors including, but not limited to, affordability, skills, qualifications, and experience, and may vary from the addition to base salary employees may also be eligible for annual performance-based incentive compensation awards and equity, among other company benefits.

SecurityScorecard is committed to Equal Employment Opportunity and embraces diversity. We believe that our team is strengthened through hiring and retaining employees with diverse backgrounds, skill sets, ideas, and perspectives. We make hiring decisions based on merit and do not discriminate based on race, color, religion, national origin, sex or gender (including pregnancy), gender identity or expression (including transgender status), sexual orientation, age, marital, veteran, disability status, or any other protected category, in accordance with applicable law.

We also consider qualified applicants regardless of criminal histories in accordance with applicable law. We are committed to providing reasonable accommodations for qualified individuals with disabilities in our job application procedures. If you need assistance or accommodation due to a disability please contact

Any information you submit to SecurityScorecard as part of your application will be processed in accordance with the Company's privacy policy and applicable law.

SecurityScorecard does not accept unsolicited resumes from employment agencies. Please note that we do not provide immigration sponsorship for this position. #LI-DNI


Required Experience:

Staff IC


About Company


Reduce third-party incidents by 75% and transform how your team identifies, monitors, mitigates, and reports on risk.
