CMG Financial is hiring a Security Engineer for their cloud environment to help secure their Azure-primary cloud and hybrid environment. The role involves hardening cloud posture, tightening identity and access, and building detection and automation to maintain a defensible environment.
Responsibilities:
- Operate and tune Microsoft Defender for Cloud (CSPM/CNAPP) across Azure subscriptions, remediating misconfigurations and excessive access
- Enforce preventative guardrails with Azure Policy and benchmark configuration against CIS Benchmarks and the NIST Cybersecurity Framework
- Apply least-privilege access in Microsoft Entra ID using Azure RBAC, PIM, and Conditional Access, and run periodic access reviews and attestations
- Use Microsoft Purview and Defender for Cloud data-aware posture (DSPM) to classify and protect sensitive cloud data
- Embed security into Terraform and GitHub Actions pipelines, including IaC scanning, policy-as-code, and secrets management
- Support threat modeling and secure design reviews for new and changing cloud workloads
- Engineer Microsoft Sentinel data ingestion (data connectors, Data Collection Rules and Endpoints) and build detections
- Integrate Microsoft Defender for Cloud and Defender XDR signals into Sentinel for unified detection and response
- Support cloud threat hunting, incident response, and automation of enrichment and remediation
- Map cloud controls to recognized frameworks and produce control evidence for regulatory examinations and investor and agency audits
Requirements:
- Bachelor's degree in Computer Science, Cybersecurity, Information Systems, or a related field, or equivalent practical experience
- 3+ years in cloud security or cloud engineering, including hands-on Microsoft Azure security
- Microsoft Defender for Cloud, Azure Policy, and Microsoft Entra ID (Azure RBAC, PIM, Conditional Access)
- Cloud security posture management (CSPM/CNAPP), with the ability to find and remediate misconfigurations and excessive access
- Infrastructure-as-Code with Terraform and CI/CD security in GitHub Actions
- Scripting and automation with Python, PowerShell, and KQL. Using GenAI to generate and validate scripts is welcomed and approved
- Microsoft Sentinel, including Log Analytics ingestion (data connectors, DCR/DCE)
- Security architecture, design review, and threat modeling, with working knowledge of NIST CSF and CIS Benchmarks
- AZ-500, SC-100, or a relevant GIAC credential (GCSA, GCDA, or GCFR)
- Hands-on AWS security (the role is Azure-primary; AWS is a plus)
- GitHub Advanced Security (GHAS); container and Kubernetes (AKS) security
- Secrets and key management (Azure Key Vault)
- Experience in financial services, mortgage, or other highly regulated industries, including producing audit and examination evidence