Sr. Security Engineer, Corporate Information Security

About Betterment

Betterment is a leading technology-driven financial services company that offers investing savings and retirement solutions for retail investors and investment advisors as well as financial wellness solutions including a 401(k) for small and medium-sized businesses. Our team is passionate about our mission to empower people to build wealth with confidence and ease. Were headquartered in NYC and offer hybrid NY-based positions (four days/week in-office with no required office days during the summer and winter holidays).

About the Role

Betterment is hiring a Sr. Security Engineer Corporate Information Security to be a principal member of the Workforce Security team. Were responsible for managing identity and logical access across the company owning change management for the systems employees and contractors rely on every day and operating the technologies that secure them: Okta Google Workspace Slack Atlassian Glean Jamf and the SaaS portfolio that surrounds them. As we extend centralized management to a small Windows and Linux footprint youll help shape how we do that securely from day one.

This is a hands-on senior IC role focused on designing implementing and continuously improving identity architecture privileged access controls endpoint hardening standards and our overall workforce security posture. Youll embed secure access patterns across SaaS managed browser mobile and workstation environments partnering closely with other Security teams IT Legal Compliance and the business units we serve.

In parallel youll partner with our AI Governance & enablement team to evaluate enable and secure the use of AI tools (ChatGPT Claude Glean Assistant and the agentic tooling thats coming next) establishing practical guardrails that let employees move quickly without compromising data or systems.

This role is based out of our NYC office. Below weve reflected the base salary range for this position. Actual salaries may vary depending on factors including but not limited to location experience and performance. The range listed is just one component of Betterments total compensation package for employees.

• New York City: $00

This job may also be eligible for variable compensation in the form of a company incentive bonus.

A Day in the Life

Your weeks blend strategic architecture hands-on implementation and operational support:

• Identity & Access Architecture: Define and evolve the workforce IAM roadmap. Architect identity patterns across Okta and our SaaS estate SSO at scale RBAC that holds up under growth and lifecycle automation that reaches every downstream system from HRIS through joiner/mover/leaver. Build a sustainable Identity Governance & Administration (IGA) practice including User Access Review campaigns that produce real evidence rather than rubber stamps.
• Security Design: Lead initiatives across authentication authorization federation and privileged access. Design time-bound just-in-time and break-glass patterns (PIM-equivalent) for high-risk roles so standing privilege trends toward zero. Govern non-human identities service accounts API tokens OAuth integrations and the AI agents that increasingly act on users behalf. Embed Zero Trust and least-privilege principles into every workforce system you touch.
• Securing & Monitoring Corporate Communications: Manage the security of corporate communication platforms including email and Slack through tools such as Abnormal Security and Proofpoint. Responsibilities include DLP enforcement to protect PII and conducting email investigations for spam phishing and other threats.
• Endpoint Mobile & Browser Security: Define and enforce hardening standards aligned with CIS benchmarks. Own configuration baselines for macOS Windows and Linux Desktops with mobile and managed browser controls layered on top. Architect enterprise browser security extension governance session protection and DLP at the browser layer.
• Vulnerability & Posture Management: Lead the workforce vulnerability management program for endpoints and corporate SaaS. Design remediation SLAs by severity and asset class run remediation campaigns that actually close findings and partner with IT Systems to surface and fix identity and configuration misconfigurations. Operate SaaS posture tooling (e.g. Wiz Vanta Drata or peers) as the connective tissue across our SaaS estate.
• AI Tool Security: Establish and enforce a secure architecture for AI tool usage data handling boundaries connector security identity-aware access controls and detection for misuse with a bias toward enabling the business safely rather than gating it.
• Governance & Operations: Run UAR campaigns end-to-end drive remediation of audit findings (SOC 2 ISO 27001) and partner with our MDR MSP and internal teams to mature identity-related detection and incident response. Augment and assist with cross-functional GRC capabilities

What Were Looking For:

• Experience: 6 years in security engineering with deep experience in IAM and corporate security ideally with time in a regulated environment.
• IAM depth: Strong command of authentication and authorization protocols (SAML OIDC OAuth SCIM LDAP) enterprise IAM platforms (Okta and Entra ID) RBAC design and lifecycle automation. Comfortable with Identity Center / SSO patterns at scale and PIM-equivalent / break-glass models for privileged access.
• Endpoint mobile & browser: Familiarity with endpoint management and EDR; an opinion on operationalizing CIS benchmarks across macOS and Windows without crushing the user experience; comfort extending security to mobile and managed browser surfaces.
• Vulnerability & posture: Experience designing remediation SLAs running remediation campaigns to actual closure and operating SaaS posture tooling (Wiz Vanta Drata or peers).
• Automation mindset: Comfortable building tools and pipelines not just configuring them; Python Go or similar with a track record of automation that survives the person who built it.
• AI fluency: Curiosity for AI tools and workflows; an instinct for enabling responsibly rather than reflexively blocking.
• Communication: Strong writing RFCs one-pagers audit narratives and the cross-functional patience to bring stakeholders along.
• Compliance posture: Comfort operating in SOC 2 and ISO 27001/NIST environments balancing risk reduction with business enablement.
• Enterprise network: Experience with network monitoring & alerting perimeter blocking intelligence gathering/sharing and other network related security controls (ZTNA); building/testing ACLs firewall rules cryptography VPNs and tunneling/encapsulation.

Preferred Qualifications

• Hands-on experience with Privileged Access Management (CyberArk BeyondTrust Delinea) Identity Governance & Administration (Saviynt SailPoint ConductorOne Lumos) or modern secrets management (HashiCorp Vault Doppler).
• Real-world Zero Trust implementation experience not as a slide.
• Working knowledge of policy-as-code (OPA / Rego) or similar.
• Experience partnering with an MDR / managed SOC and shaping their detection content.
• Security certifications such as CISSP or vendor IAM certifications.

Join a team built on these core values

We change lives

Be a part of a community of innovators working to transform financial outcomes for real people. Your work will make an impact always laddering up to our mission; to empower people to build wealth with confidence and ease.

We set audacious goals

We set them for the company our customers and ourselves and we wont stop until we reach them. We dont just show up; we give our all then celebrate our wins.

We value all perspectives

When we collaborate were at our best. We believe diverse perspectives lead to better outcomes and strive to uphold our supportive and inclusive community.

We simplify financial services

Were financial services pioneers always finding new ways to improve optimize and enhance. Constant improvement is in our DNA.

Our Commitment to Your Total Well-being:

• We offer a competitive suite of benefits including medical dental and vision coverage; life and AD&D insurance; short- and long-term disability; infertility support and WPATH-aligned transgender health benefits; an Employee Assistance Program (EAP); transit benefits and FSA and HSA options
• Ownership: Equity for all employees including new hire and refresher grants.
• Time: Flexible paid time off paid parental leave and a fully paid four-week sabbatical in your sixth year.
• Growth: Company-paid professional coaching for all employees.
• Wealth: Day-one 401(k) match plus matching on qualified student loan payments.

What happens next

Well take a few weeks to review all applications. If wed like to spend more time with you well reach out to arrange next steps which will include 3-4 sets of meetings with your future colleagues.

In the interview process well look to learn more about your skills experiences capabilities and motivators. Many of our questions will be aimed at understanding how you might operate here at Betterment. Depending on the role we may ask you to complete a case study exercise or technical assessments as we want to collect a robust set of data points to better inform our decisions.

On average it takes us around 3-5 weeks to make a hiring decision depending on your availability and sense of urgency. As a best practice we aim to interview at least 2-3 final round candidates before making a hiring decision. Please note that as we usually receive an overwhelming number of applications for open positions were unable to offer individual feedback during the interview process.

We recognize that interviewing for a new role is a big deal. We appreciate you considering Betterment as the next step in your career and our Recruiting Team is here to support and advocate for you through the interview process!

Betterment is dedicated to providing accommodations to candidates upon request. If you need accommodations at any point throughout the interview process please reach out to your recruiter.

Please note that in any materials you submit you may redact or remove age-identifying information such as age date of birth or dates of school attendance or graduation. You will not be penalized for redacting or removing this information.

Come join us!

Were an equal opportunity employer and comply with all applicable federal state and local fair employment practices laws. We strictly prohibit and do not tolerate discrimination against employees applicants or any other covered persons because of race color religion creed national origin or ancestry ethnicity sex gender (including gender nonconformity and status as a transgender or transsexual individual) sexual orientation marital status age physical or mental disability citizenship past current or prospective service in the uniformed services predisposing genetic characteristic domestic violence victim status arrest records or any other characteristic protected under applicable federal state or local law.