Job Application for Staff Infrastructure Engineer at SecurityScorecard

Staff Infrastructure Engineer
Hybrid (NYC)

About SecurityScorecard:

SecurityScorecard is the global leader in cybersecurity ratings, with over 12 million companies continuously rated, operating in 64 countries. Founded in 2013 by security and risk experts Dr. Alex Yampolskiy and Sam Kassoumeh and funded by world-class investors, SecurityScorecard’s patented rating technology is used by over 25,000 organizations for self-monitoring, third-party risk management, board reporting, and cyber insurance underwriting; making all organizations more resilient by allowing them to easily find and fix cybersecurity risks across their digital footprint.

Headquartered in New York City, our culture has been recognized by Inc Magazine as a "Best Workplace," by Crain’s NY as a "Best Places to Work in NYC," and as one of the 10 hottest SaaS startups in New York for two years in a row. Most recently, SecurityScorecard was named to Fast Company’s annual list of the World’s Most Innovative Companies for 2023 and to the Achievers 50 Most Engaged Workplaces in 2023 award recognizing “forward-thinking employers for their unwavering commitment to employee engagement.” SecurityScorecard is proud to be funded by world-class investors including Silver Lake Waterman, Moody’s, Sequoia Capital, GV and Riverwood Capital.

About the Role:

SecurityScorecard is looking for a Staff Infrastructure Engineer to own and operate the systems that keep our company running. This is a hands-on, senior-level role based in our New York City office. You will be the primary technical owner of corporate identity, endpoint, collaboration, and AI workflow tooling, with direct daily involvement in security operations. You report to the CISO and work closely with your IT peer in Austin. This role requires someone who can hit the ground running. You will handle incoming IT operations from day one and own the full stack within 90 days.

What You Will Own:

Identity and Access Management
- Administer Okta as the primary identity provider, including SSO, MFA, conditional access policies, and lifecycle management
- Manage automated provisioning and deprovisioning workflows integrated with BambooHR and Google Workspace
- Own joiner/mover/leaver processes end-to-end, ensuring access is accurate and timely across all systems
- Maintain and improve Okta Workflows and API integrations for cross-system identity operations
- Govern service accounts, API keys, and secrets lifecycle in coordination with the security team

Endpoint and Device Management
- Manage macOS fleet using IRU, Intune, and Level for device management, monitoring, and remote operations
- Enforce security baselines, patch compliance, and configuration policies across corporate endpoints
- Serve as the escalation point for device-level issues and coordinate with CrowdStrike Falcon for endpoint security
- Maintain hardware inventory and oversee device procurement, provisioning, and retirement

Collaboration and SaaS Administration
- Administer Google Workspace, including email, Drive, groups, DLP settings, and admin console operations
- Manage Atlassian products (Jira and Confluence), including user access, project configuration, and integrations
- Serve as the technical owner for corporate SaaS applications, onboarding new tools and offboarding deprecated ones with appropriate access controls
- Maintain an approved software register and own the lightweight security review process for new tool procurement requests

Network and Physical Access Infrastructure
- Manage corporate VPN, office network architecture, and Wi-Fi infrastructure across NYC and Austin locations
- Administer physical access control systems and coordinate badge provisioning with HR and facilities
- Maintain firewall policy baselines and escalate anomalies to the security team

Data Loss Prevention and Insider Threat Controls
- Own DLP policy configuration and enforcement at the endpoint, email, and collaboration layers
- Monitor for shadow IT and unauthorized data movement; escalate confirmed violations per policy
- Partner with the security team on user behavior anomalies that surface through access logs or DLP alerts

Audit, Compliance, and Evidence Collection
- Assist in SOC 2, ISO 27001, and other compliance audits by producing access logs, provisioning records, device compliance reports, and configuration evidence on request
- Maintain documentation for all systems under ownership sufficient to support audit and business continuity requirements
- Contribute to policy development and procedure documentation as the technical subject matter expert

Vendor and Third-Party Risk
- Conduct lightweight security assessments of new SaaS and tooling requests before procurement approval
- Maintain awareness of vendor security posture for critical corporate tools and surface material changes to the CISO
- Coordinate vendor off-boarding and ensure credential and access revocation is complete

IT Finance and Budget Management
- Own the IT budget end-to-end — tracking spend across SaaS subscriptions, hardware, vendors, and managed services against approved budgets
- Manage vendor contracts and renewal cycles, including negotiating pricing, right-sizing licenses to actual usage, and identifying consolidation opportunities across the SaaS portfolio
- Conduct periodic license utilization reviews across all major platforms (Okta, Google Workspace, Atlassian, CrowdStrike, etc.) and reclaim or downgrade unused seats proactively
- Build and maintain a cost visibility dashboard or equivalent tracking system so the CISO has accurate, real-time spend visibility at any point
- Partner with Finance on purchase orders, vendor onboarding, and invoice reconciliation
- Identify and execute cost savings — through renegotiation, tool consolidation, or usage optimization — and report realized savings to the CISO regularly
- Forecast annual IT spend and prepare budget proposals for planning cycles with supporting justification

Automation Engineering and Internal Tooling
- Design and build automations that extend beyond IT — creating workflows and tooling that meaningfully improve how other teams (Finance, HR, Security, Engineering, GTM) operate
- Identify high-friction, manual processes across the organization and own the full solution lifecycle from scoping through deployment and maintenance
- Integrate across the SaaS stack using APIs, Zapier, BlinkOps, Okta Workflows, and AI-assisted tooling to build durable, observable automations — not one-off scripts
- Serve as the internal expert on what's automatable and what isn't — advising department heads and the CISO on where automation investment has the highest leverage
- Maintain a backlog of automation opportunities prioritized by impact and complexity, and drive it forward without waiting to be asked
- Document all automations thoroughly so they can be understood, maintained, and extended by others

Mentorship and Team Development
- Serve as the direct technical mentor to IT peers — actively investing in their growth through regular 1:1s, workflow reviews, and hands-on pairing sessions
- Identify skill gaps across the team and design development plans that stretch engineers toward greater ownership and independence over time
- Share institutional knowledge proactively — ensuring team members have the context needed to cover critical systems and respond confidently during incidents or escalations
- Model the engineering and operational standards you want the team to grow into — documentation discipline, automation-first thinking, security rigor, and clear communication to leadership
- Provide candid, constructive feedback and advocate for your team's growth and recognition with leadership

Email Security
- Own corporate email security infrastructure, including DMARC, DKIM, and SPF configuration, enforcement, and ongoing monitoring
- Administer email gateway and anti-phishing controls, ensuring policies are current and effective against evolving threats
- Investigate and respond to email-based security incidents, including phishing reports, spoofing attempts, and business email compromise indicators
- Coordinate with the security team on email threat intelligence and policy tuning

Privileged Access Management
- Own the governance of highly privileged accounts across corporate infrastructure — including break-glass accounts, shared admin credentials, and service accounts with elevated permissions
- Enforce PAM policies, including just-in-time access, session recording, and regular privileged access reviews
- Ensure no standing privileged access exists without documented business justification and periodic revalidation
- Coordinate with the security team on privileged access anomalies and integrate PAM telemetry into security monitoring workflows

On-Call and Incident Response Expectations
- This role carries on-call responsibilities — you are expected to be reachable and responsive during active incidents outside of business hours when corporate infrastructure, identity systems, or endpoints are involved
- Participate in a shared on-call rotation with IT peers, with clear escalation paths and runbooks for common incident types
- Response expectations are calibrated to severity — a locked-out executive at 11pm is different from a non-critical SaaS outage, and you'll be expected to exercise that judgment independently

On-Call and Incident Response Expectations
- Occasional travel to SecurityScorecard’s New York office is expected for team alignment, onboarding coordination, and operational continuity — estimated at a few times per year
- Additional travel may be required for vendor meetings, security conferences, or company off-sites

Shipping, Receiving, and Hardware Logistics
- Manage corporate hardware shipments via FedEx and DHL — including device provisioning shipments to remote employees, returns from offboarded staff, and vendor deliveries to the NYC office
- Own the end-to-end logistics process for hardware: labeling, tracking, customs documentation for international shipments, and coordinating with building management for receiving
- Maintain accurate records of all inbound and outbound shipments and reconcile against asset inventory in real time

AI Tooling and Workflow Automation
- Administer and integrate AI tools, including Claude (Anthropic), Zapier, and BlinkOps
- Build and maintain automated workflows that connect identity, IT, and security processes across the SaaS stack
- Evaluate new AI-assisted tooling for IT and security use cases and make recommendations to the CISO

Security Operations Support
- Coordinate daily with the security team on access reviews, incident triage, and policy enforcement
- Support security investigations by pulling logs, revoking access, and isolating systems as needed
- Work directly with MSSP and other security vendors on escalations requiring infrastructure context
- Serve as first responder for endpoint compromise, account takeover, and suspicious access events — triage and contain before escalating to the MSSP or security operations team

Required Qualifications:
- 8 or more years of experience operating at a Staff or Principal level in a hands-on infrastructure or IT engineering role, with a track record of owning systems and functions fully, not just contributing within them
- Expert-level Okta administration, including Lifecycle Management, Workflows, and API integration
- Hands-on experience managing macOS fleets at scale, including MDM tooling and device compliance enforcement
- Strong Google Workspace administration experience in an enterprise environment
- Proficiency in building and maintaining integrations and automations via APIs, scripting, and workflow platforms — with a portfolio of cross-functional tooling that other teams depend on
- Experience with workflow automation platforms such as Zapier, BlinkOps, or equivalent
- Experience owning an IT or SaaS budget, including vendor contract negotiation, renewal management, and license optimization
- Familiarity with endpoint security tooling — CrowdStrike Falcon or equivalent EDR platform experience required
- Experience producing audit evidence and operating within a SOC 2, ISO 27001, or equivalent compliance framework
- Prior experience mentoring or actively developing engineers, with demonstrated impact on their growth and ownership
- Comfort operating in a security-focused environment where access control, auditability, and least-privilege are non-negotiable
- Ability to manage competing priorities and operate independently in a lean, high-trust environment

Preferred Qualifications:
- Prior experience at a cybersecurity company or similarly regulated environment — you understand the cultural weight of security-first infrastructure without needing it explained
- Experience administering and governing AI tools in a corporate environment, including acceptable use policy enforcement and shadow AI controls
- Experience with HashiCorp Vault or equivalent secrets management platform
- Exposure to physical access control systems and corporate network infrastructure
- Experience building automation tooling that serves non-technical stakeholders across functions such as Finance, HR, or GTM
- Familiarity with Atlassian products (Jira and Confluence) at an administrative level
- Exposure to FedRAMP authorization environments and the infrastructure controls they require

Benefits:

Specific to each country, we offer a competitive salary, stock options, health benefits, unlimited PTO, parental leave, tuition reimbursements, and much more!

The estimated total compensation range for this position is $160,000 - $195,000 (base plus bonus). Actual compensation for the position is based on a variety of factors, including, but not limited to, affordability, skills, qualifications and experience, and may vary from the range. In addition to base salary, employees may also be eligible for annual performance-based incentive compensation awards and equity, among other company benefits.

SecurityScorecard is committed to Equal Employment Opportunity and embraces diversity. We believe that our team is strengthened through hiring and retaining employees with diverse backgrounds, skill sets, ideas, and perspectives. We make hiring decisions based on merit and do not discriminate based on race, color, religion, national origin, sex or gender (including pregnancy), gender identity or expression (including transgender status), sexual orientation, age, marital, veteran, disability status or any other protected category in accordance with applicable law.

We also consider qualified applicants regardless of criminal histories, in accordance with applicable law. We are committed to providing reasonable accommodations for qualified individuals with disabilities in our job application procedures. If you need assistance or accommodation due to a disability, please contact .

Any information you submit to SecurityScorecard as part of your application will be processed in accordance with the Company’s privacy policy and applicable law. SecurityScorecard does not accept unsolicited resumes from employment agencies. Please note that we do not provide immigration sponsorship for this position.
Apply for this job

- Total compensation expectations (base plus bonus)?
- Do you have hands-on Okta administration experience, including Lifecycle Management, Workflows, and API integrations — not just end-user or helpdesk-level familiarity?
- This role is based in our Midtown Manhattan office. Are you able to commute in two days per week on a consistent basis?
- Have you managed a macOS device fleet using MDM tooling such as Intune, Jamf, or equivalent at scale?
- Are you comfortable with on-call responsibilities that may require you to respond to infrastructure or identity incidents outside of business hours?
- Have you personally produced audit evidence and operated within a SOC 2 or ISO 27001 compliance framework?
- Have you worked in a hands-on infrastructure or IT engineering role for 7 or more years, including at least 1 year operating at a Staff or Principal level?
- Will you now or in the future require VISA sponsorship for employment status?
- AI/LLM Usage: Which AI/LLM/agent tools have you used in the last 6 months? For each, note frequency (daily, weekly, occasional) and what you use it for.
- AI/LLM Impact: Describe two specific examples where AI improved your work output (speed, quality, clarity, decision-making). Include what you were trying to do, what you asked the tool, and what changed as a result.
- A fast-growing SaaS company has just crossed 400 employees. Their IT stack includes Okta, Google Workspace, BambooHR, Jira, Slack, and about 30 additional SaaS tools. Right now, when someone is hired, IT manually creates accounts in each system. When someone leaves, a ticket gets filed and access is removed tool-by-tool over the next few days — sometimes longer. There's no MDM enforcement, no consistent offboarding checklist, and the last SOC 2 audit flagged three terminated employees still holding active access 30+ days after their end date. Walk me through how you'd fix this. What do you build first, what does the end state look like, and how do you make sure it holds up under audit scrutiny six months from now?
Salary
$160,000 - $195,000
Location
Hybrid (NYC)
Sam Kassoumeh
Co-Founder & COO