About the Role

Betterment is hiring a Sr. Security Engineer, Corporate Information Security to be a principal member of the Workforce Security team. We're responsible for managing identity and logical access across the company, owning change management for the systems employees and contractors rely on every day, and operating the technologies that secure them: Okta, Google Workspace, Slack, Atlassian, Glean, Jamf, and the SaaS portfolio that surrounds them. As we extend centralized management to a small Windows and Linux footprint, you'll help shape how we do that securely from day one.

This is a hands-on senior IC role focused on designing, implementing, and continuously improving identity architecture, privileged access controls, endpoint hardening standards, and our overall workforce security posture. You'll embed secure access patterns across SaaS, managed browser, mobile, and workstation environments partnering closely with other Security teams, IT, Legal, Compliance, and the business units we serve.

In parallel, you'll partner with our AI Governance & enablement team to evaluate, enable, and secure the use of AI tools (ChatGPT, Claude, Glean Assistant, and the agentic tooling that's coming next) establishing practical guardrails that let employees move quickly without compromising data or systems.

This role is based out of our NYC office. Below we've reflected the base salary range for this position. Actual salaries may vary depending on factors including but not limited to location, experience, and performance. The range listed is just one component of Betterment's total compensation package for employees.

• New York City: $165,000-185,000

This job may also be eligible for variable compensation in the form of a company incentive bonus.

A Day in the Life

Your weeks blend strategic architecture, hands-on implementation, and operational support:

• Identity & Access Architecture: Define and evolve the workforce IAM roadmap. Architect identity patterns across Okta and our SaaS estate SSO at scale, RBAC that holds up under growth, and lifecycle automation that reaches every downstream system from HRIS through joiner/mover/leaver. Build a sustainable Identity Governance & Administration (IGA) practice, including User Access Review campaigns that produce real evidence rather than rubber stamps.
• Security Design: Lead initiatives across authentication, authorization, federation, and privileged access. Design time-bound, just-in-time, and break-glass patterns (PIM-equivalent) for high-risk roles so standing privilege trends toward zero. Govern non-human identities, service accounts, API tokens, OAuth integrations, and the AI agents that increasingly act on users' behalf. Embed Zero Trust and least-privilege principles into every workforce system you touch.
• Securing & Monitoring Corporate Communications: Manage the security of corporate communication platforms, including email and Slack, through tools such as Abnormal Security and Proofpoint. Responsibilities include DLP enforcement to protect PII and conducting email investigations for spam, phishing and other threats.
• Endpoint, Mobile & Browser Security: Define and enforce hardening standards aligned with CIS benchmarks. Own configuration baselines for macOS, Windows, and Linux Desktops, with mobile and managed browser controls layered on top. Architect enterprise browser security, extension governance, session protection, and DLP at the browser layer.
• Vulnerability & Posture Management: Lead the workforce vulnerability management program for endpoints and corporate SaaS. Design remediation SLAs by severity and asset class, run remediation campaigns that actually close findings, and partner with IT Systems to surface and fix identity and configuration misconfigurations. Operate SaaS posture tooling (e.g., Wiz, Vanta, Drata, or peers) as the connective tissue across our SaaS estate.
• AI Tool Security: Establish and enforce a secure architecture for AI tool usage, data handling boundaries, connector security, identity-aware access controls, and detection for misuse with a bias toward enabling the business safely rather than gating it.
• Governance & Operations: Run UAR campaigns end-to-end, drive remediation of audit findings (SOC 2, ISO 27001), and partner with our MDR MSP and internal teams to mature identity-related detection and incident response. Augment and assist with cross-functional GRC capabilities

What We're Looking For:

• Experience: 6+ years in security engineering with deep experience in IAM and corporate security, ideally with time in a regulated environment.
• IAM depth: Strong command of authentication and authorization protocols (SAML, OIDC, OAuth, SCIM, LDAP), enterprise IAM platforms (Okta and Entra ID), RBAC design, and lifecycle automation. Comfortable with Identity Center / SSO patterns at scale and PIM-equivalent / break-glass models for privileged access.
• Endpoint, mobile & browser: Familiarity with endpoint management and EDR; an opinion on operationalizing CIS benchmarks across macOS and Windows without crushing the user experience; comfort extending security to mobile and managed browser surfaces.
• Vulnerability & posture: Experience designing remediation SLAs, running remediation campaigns to actual closure, and operating SaaS posture tooling (Wiz, Vanta, Drata, or peers).
• Automation mindset: Comfortable building tools and pipelines, not just configuring them; Python, Go, or similar with a track record of automation that survives the person who built it.
• AI fluency: Curiosity for AI tools and workflows; an instinct for enabling responsibly rather than reflexively blocking.
• Communication: Strong writing - RFCs, one-pagers, audit narratives - and the cross-functional patience to bring stakeholders along.
• Compliance posture: Comfort operating in SOC 2 and ISO 27001/NIST environments, balancing risk reduction with business enablement.
• Enterprise network: Experience with network monitoring & alerting, perimeter blocking, intelligence gathering/sharing, and other network related security controls (ZTNA); building/testing ACLs, firewall rules, cryptography, VPNs and tunneling/encapsulation.

Preferred Qualifications

• Hands-on experience with Privileged Access Management (CyberArk, BeyondTrust, Delinea), Identity Governance & Administration (Saviynt, SailPoint, ConductorOne, Lumos), or modern secrets management (HashiCorp Vault, Doppler).
• Real-world Zero Trust implementation experience, not as a slide.
• Working knowledge of policy-as-code (OPA / Rego) or similar.
• Experience partnering with an MDR / managed SOC and shaping their detection content.
• Security certifications such as CISSP or vendor IAM certifications.

Our Commitment to Your Total Well-being:

• We offer a competitive suite of benefits, including medical, dental, and vision coverage; life and AD&D insurance; short- and long-term disability; infertility support and WPATH-aligned transgender health benefits; an Employee Assistance Program (EAP); transit benefits and FSA and HSA options
• Ownership: Equity for all employees, including new hire and refresher grants.
• Time: Flexible paid time off, paid parental leave, and a fully paid four-week sabbatical in your sixth year.
• Growth: Company-paid professional coaching for all employees.
• Wealth: Day-one 401(k) match plus matching on qualified student loan payments.

What happens next

We'll take a few weeks to review all applications. If we'd like to spend more time with you, we'll reach out to arrange next steps, which will include 3-4 sets of meetings with your future colleagues.

In the interview process, we'll look to learn more about your skills, experiences, capabilities, and motivators. Many of our questions will be aimed at understanding how you might operate here at Betterment. Depending on the role, we may ask you to complete a case study exercise or technical assessments, as we want to collect a robust set of data points to better inform our decisions.

On average, it takes us around 3-5 weeks to make a hiring decision, depending on your availability and sense of urgency. As a best practice, we aim to interview at least 2-3 final round candidates before making a hiring decision. Please note that, as we usually receive an overwhelming number of applications for open positions, we're unable to offer individual feedback during the interview process.

We recognize that interviewing for a new role is a big deal. We appreciate you considering Betterment as the next step in your career, and our Recruiting Team is here to support and advocate for you through the interview process!

Betterment is dedicated to providing accommodations to candidates upon request. If you need accommodations at any point throughout the interview process, please reach out to your recruiter.

Please note that in any materials you submit, you may redact or remove age-identifying information such as age, date of birth, or dates of school attendance or graduation. You will not be penalized for redacting or removing this information.

Come join us!