Senior Security Engineer
Job Summary
About WPP Media
WPP is the trusted growth partner for the worlds leading brands. With exceptional talent trusted data and intelligence and world-class partnerships all united by ourpioneeringagentic marketing platform WPP Open we help clients navigate change capture opportunity and deliver transformational growth.
WPP Media is WPPs AI-driven media operating unit bringing together media data and partnerships to deliver creative personalisation at scale. Connected through WPP Open and powered by Open Intelligence clients see exactly where how and why their media investment is working.
For more information visit .
Role Summary and Impact
DTA is WPPs global data products and technology company. Were on a mission to transform marketing by building the fastest most connected data platform that bridges marketing strategy to scaled activation.
We work with agencies and clients to transform the value of data by bringing together technology data and analytics capabilities. We deliver this through the Open Media Studio an AI-enabled media and data platform for the next era of advertising.
Were endlessly curious. Our team of thinkers builders creators and problem solvers are over 1000 strong across 20 markets around the world.
Senior Security Engineer
We are hiring a Senior Security Engineer based in London to join our Cloud Architecture team focused on security configuration and identity security across client and internal platforms.
This role leads the design and implementation of secure-by-default patterns for identity access and configuration in Microsoft Entra ID (Azure AD) Okta Microsoft 365 Google Workspace and AWS IAM Identity Center with strong API/SCIM and ServiceNow integration.
You will report to the Head of Cloud Architecture and work closely with Platform Engineering EUC/Workplace Security Operations Data Engineering and Client Delivery teams.
The mission is to improve control coverage reduce risk and enable frictionless compliant access for users applications and services. You will translate requirements into practical controls and automation ensuring our platforms meet policy compliance and performance goals including effective monitoring and response through SIEM/SOAR.
Area of expertise
- Identity security architecture across Entra ID (Azure AD) Okta Microsoft 365 Google Workspace and AWS IAM Identity Center.
- Hardening of identity platforms and SaaS configurations: Google Workspace Admin Entra ID tenant and CA policies AWS IAM Identity Center permission sets and SSO.
- SSO and MFA design and rollout (SAML/OIDC passwordless conditional access device/trust signals).
- Lifecycle and JML automation using SCIM and HRIS integrations with ServiceNow (and/or Workday).
- Federation directory services and migration (Entra Connect/Azure AD Connect; ADFS decommissioning).
- Privileged access management and just-in-time elevation (Entra PIM Okta admin roles AWS IAM Identity Center assignments).
- Policy-as-code and configuration baselines for identity/security controls; drift detection and remediation.
- Identity telemetry detections and response via SIEM/SOAR emphasizing Microsoft Sentinel.
- External/B2B identity governance partner access guest lifecycle and app consent governance.
- Alignment to ISO 27001 SOC 2 NIST CSF CIS Benchmarks and GDPR.
Skills and Experience
- Threat-aware builder who designs for misuse cases and closes gaps with strong defaults.
- Automates with code and low/no-code workflows (PowerShell Python Okta Workflows ServiceNow).
- Pragmatic about risk; balances security usability and delivery timelines.
- Clear communicator who can brief stakeholders and write concise standards/runbooks.
- Consultative mindset with experience guiding design authorities and cross-functional teams.
- Measures outcomes (e.g. MFA adoption SSO coverage JML SLA adherence) and iterates.
- Comfortable with complex enterprise environments and multi-tenant identity models.
- Inclusive collaborator who seeks diverse perspectives and documents decisions.
Responsibilities
- Design and implement identity and access controls across Entra ID Okta M365 Google Workspace and AWS IAM Identity Center to raise control coverage and reduce account compromise risk.
- Define and enforce conditional access MFA and passwordless strategies to achieve target adoption rates (e.g. 100% for employees >95% for contractors/partners).
- Google Workspace: OAuth app controls context-aware access DLP secure default sharing.
- Entra ID: conditional access baselines tenant restrictions enterprise app consent policies token protections.
- AWS IAM Identity Center: permission set design assignment governance session duration access portal controls SCIM provisioning hygiene.
- Build automation using SCIM platform APIs and ServiceNow workflows to meet JML SLAs (e.g. provision within hours; deprovision within minutes of HR termination).
- Establish policy-as-code guardrails and configuration baselines; integrate checks into CI/CD and change pipelines to prevent drift.
- Migrate legacy federation (e.g. ADFS) to modern SSO; consolidate directories and domains to reduce complexity and standing privilege.
- Harden admin boundaries IAM roles secrets and privileged access with JIT elevation; track reductions in permanent admin accounts and unused privileged roles.
- Integrate identity logs (Entra ID Okta M365 AWS CloudTrail/Identity Center) into Microsoft Sentinel; build analytics rules and SOAR playbooks to improve alert quality and reduce MTTR.
- Develop identity-focused detections and response playbooks (impossible travel MFA fatigue anomalous OAuth consent risky AWS access patterns) and continuously tune to reduce false positives.
- Run and improve vulnerability/risk management for identity-linked exposures (weak policies stale accounts risky app consent over-permissive permission sets) with prioritization remediation partnerships and SLAs.
- Lead or support incident response for identity-related events; drive post-incident learning control improvements and documentation updates.
- Partner with engineering and EUC teams to embed secure-by-default patterns simplify developer/user experiences and reduce helpdesk burden.
- Map controls to ISO 27001 NIST CSF SOC 2 CIS Benchmarks GDPR and SIEM/SOAR operational requirements; support audits with evidence and runbooks.
- Write clear standards architecture documents integration guides and operational runbooks; present designs at design authority and stakeholder forums.
- Measure and report risk reduction (e.g. dormant account reduction % privileged role minimization policy coverage) and track progress against agreed KPIs and roadmaps.
Requirements
- Well versed in identity/access security engineering or architecture within enterprise environments.
- Hands-on expertise hardening Microsoft Entra ID (Azure AD) Google Workspace Admin and AWS IAM Identity Center configurations plus Okta Microsoft 365 and Active Directory/Entra Connect.
- Proven delivery of SSO/MFA/conditional access programs; experience with passwordless and strong authentication methods.
- Strong experience with SCIM and API-based integrations for JML automation; ServiceNow access workflows approvals and attestation.
- Privileged access management (Entra PIM/Okta) and admin boundary hardening; permission set governance in AWS IAM Identity Center.
- Experience decommissioning legacy federation (e.g. ADFS) and consolidating identity platforms.
- Scripting/coding for automation and configuration (PowerShell and/or Python; Okta Workflows).
- Threat modeling and architecture review focused on identity misuse consent abuse token/session risks and cloud account takeover.
- SIEM/SOAR integration experience ideally with Microsoft Sentinel (data connectors incl. Entra M365 Okta AWS CloudTrail) analytics rules playbooks and incident workflows.
- Effective collaboration with platform/EUC/security ops/data engineering; clear written and verbal communication.
Nice-to-have
- Broader Azure and AWS security architecture experience (Defender for Cloud Apps AWS Organizations/Control Tower SCPs).
- Secrets management (Azure Key Vault HashiCorp Vault) and app-to-app auth patterns.
- Integration of identity telemetry with broader SIEM/SOAR ecosystems; purple-team/attack path reduction for identity.
- Compliance program experience (ISO 27001 SOC 2 NIST CSF GDPR) and audit support.
- Consulting or client-facing delivery experience in complex multi-tenant contexts.
- Relevant certifications (e.g. Okta Certified Professional Microsoft/Azure security AWS Security Specialty CISSP CCSP BCS/TOGAF).
Life at WPP Media & Benefits
Our passion for shaping the next era of media is powered by our commitment toBe Extraordinary investing in our employees to inspire transformational creativity. We alsoLead Optimisticallyfirmly believingin andChampioning Growth and Developmentfor every individual. This commitment allows WPP Media employees toleveragethe extensive global WPP Media & WPP networks to pursue their passions build vital professional connections and learn at thecutting edgeof marketing and advertising.
WeCreate an Open environmentbuilt on trust and respect where everyone feels they belong and has opportunities to progress. This inclusive culture is fostered through a variety of employee resource groups and frequent in-office eventsshowcasingteam wins sharing thought leadership and celebrating holidays and milestone events. Our comprehensive benefits package reflects this commitment including competitive medical group retirement plans vision and dental insurance significant paid time off preferential partner discounts and employee mental health awareness days.
WPP Media is an equal opportunity employer and considers applicants for all positions without discrimination or regard to characteristics. We believe the best work happens whenweretogether fostering creativity collaboration and connection in this open and supportive a hybrid approach with teams in the office around four days a week. If yourequireaccommodations or flexibility please discuss this with the hiring team during the interview process.
Please note this is a UK based role and requires individuals to have the right to work in this location
Please read our Privacy Notice ( for more information on how we process the information you provide.
While we appreciate all applications received only those candidates selected for an interview will be contacted.
#LI-Promoted
Please read our Privacy Noticefor more information on how we process the information you provide.
Required Experience:
Senior IC
About Company
GroupM is the world’s leading media investment company. We make advertising work better for people.