Role Overview

Weare looking to hire a seniorfully technical, hands-on Security Engineerwho can take a security requirement and turn it into a working control, then tune it,monitorit, and improve it over time. You willbe responsible foroperatingthetechnicalsecuritycontrols andplatforms that protect Sargent & Lundy, our clients, andour partners.This is not asecuritygovernance, policy-writing, orprocessmanagement role.

You will work side by side with the IT Infrastructure, Cloud Engineering, Application teams, SOC, and GRC. Controls you buildwillsupportand enhanceoursecuritypostureandalignswithISO 27001, NIST 800-171, and CMMC 2, and protect sensitive data.

Key Responsibilities

Identity and Zero Trust

• Establish,enforceandoperatethe full IAM lifecycle in Microsoft Entra: SSO, MFA, conditional access, lifecycle workflows, entitlement management, and privileged access integration.
• Build and tune Zero Trust controls across identity, device, network, and application layers, including conditional access policies, and continuous verification.
• Partner to integrate IAM with the rest of the security stack so that XSIAM, CASB, DLP, andEDR/XDR all see consistent identitysignal.
• Run technical access reviews and tighten entitlement design where you find drift.

Cloud Security: Azure and Oracle Cloud

• Establish and enforce cloudsecurity controls in Azure and Oracle Cloud Infrastructure: landing zones, network security groups, identity, key management, encryption, logging, and workload protection.
• Operate CSPMtoolingagainst both clouds, triage findings, andprovide secure configurationsat thecloudresource level alongside the cloud engineering team.
• Partner to build secure-by-default templates so cloud teams can deploy without round-tripping every change through security.

Palo Alto Security Platform

• Understand and manage Prisma Access (SASE) for remote users and sites: tunnels, security policy, SSO integration, and trafficforwardingrules.
• Understand and partner with SOC totune Palo Alto XSIAM, including data source onboarding, parser tuning, correlation rules, detection content, and SOAR playbooks that feed Unit 42.

Data Protection and Microsoft Purview DLP

• Implement Microsoft Purview at a deep technical level: Information Protection, DLP, Insider Risk Management, sensitivity labels, and auto-classification.
• Author and tune DLP policies across endpoint, Outlook and Exchange, Teams, SharePoint, OneDrive, and Egnyte. Reduce noise without missing real exposure.
• Handle DLP incident triage, label troubleshooting, and policy iteration based on what productionactually showsyou.

AI Usage Security

• Implement technical controls for safe AI usage across the company: data-exposure prevention for generative AI tools, prompt and usage monitoring, and integration with the existing DLP and CASB stack.
• Evaluate emerging AI risks (prompt injection, model abuse,sensitive-dataleakage, shadow AI) and design configurations that mitigate them in our environment.
• Partner with product and engineering teams shipping AI-enabled features so the controls land at the right layer.

Architecture and Design Reviews

• Review the security design of new SaaS, IaaS, PaaS, and in-house applications and produce specific, actionable findings.
• Work with project teamsearlyso controls are designed in, not retrofitted after go-live.

This position offers the flexibility of a hybrid schedule with the expectation of 3 days per week in our downtown Chicago office, and 2 days remote from home.

Required Experience

• Bachelor's degree in Computer Science, Information Systems, Cybersecurity, ora relatedfield. Equivalent professional experience will be considered.
• 5+ years of hands-on Security Engineering experience withdemonstratedownership of enterprise security platforms in production. Pure governance, audit, or policy-only backgrounds will not match the work in this role.
• Deep, hands-on IAM lifecycle experience with Microsoft Entra (SSO, MFA, conditional access, lifecycle workflows) and applied Zero Trust implementation.
• Hands-on cloud security experience with Microsoft Azure (required) and Oracle Cloud Infrastructure (strongly preferred), including technical configuration of native security services.
• Hands-on configuration and operation of the Palo Alto security platform: Prisma (Access and Cloud), Cortex XDR, and XSIAM.
• Implementation-level experience with Microsoft Purview for DLP, including policy authoring, classification, labeling, tuning, and incident handling.
• Working knowledge of AI risks (data exposure, prompt injection, model misuse, shadow AI) and the controls used to mitigate them in an enterprise setting.
• Comfort working across on-prem and cloud environments and across Windows, macOS, and Linux endpoints.
• Familiarity with compliance frameworks (ISO 27001, NIST 800-171, CMMC Level 2, SOC 2) and the ability to translate a control requirement into a working configuration.
• Certifications: CompTIA Security+ or (ISC)SSCPorPCCSE (Palo Alto Networks Certified Cloud Security Engineer) an equivalent foundational technical certificatio

Preferred Experience

• Microsoft Azure Security certification (AZ-500 or equivalent).
• Microsoft Purview Information Protection and DLP certification or equivalent.
• Oracle Cloud Infrastructure security credentials.
• Microsoft Cybersecurity Architect (SC-100),
• CISSPor CCSP.

Soft Skills

• Strong written and verbal communication.You can walk an engineer through a config in one conversation and a business stakeholder through the impact in the next.
• Bias for action. You would rather build a working control and iterate than spend weeks producing a perfect document.
• Comfort with ambiguity. You can take a vague securityaskand break it into a concrete configuration plan.
• Collaboration across teams. You will work daily with SOC, IT Infrastructure, Cloud, App Dev, and GRC, and the role only works if those partnerships do.
• Operational discipline. You document what you build, version your configurations, and leave the next engineer better than you found it.

We do not sponsor employees for work authorization in the U.S. for this position.