Manager Cybersecurity

Why This Role Exists
We build and operate large, mission‑critical software platforms that run in customer operational technology (OT) environments, often integrated with cloud services and enterprise systems.

These platforms must remain secure across trust boundaries—cloud, enterprise IT, and customer OT networks—while operating in environments actively targeted by real‑world adversaries.

This role exists to ensure those systems are secure by design, not by after‑the‑fact controls.

As the Security Architect, you will define, defend, and evolve the security architecture that allows modern, cloud‑connected applications to operate safely on customer OT networks. This is an architecture leadership role focused on system design, threat‑driven decisions, and long‑term risk reduction, not operational execution.

What You’ll Do

You are the security architecture authority for application platforms deployed into OT environments under Autonomy and Automation.

You will:

• Own and evolve security architecture patterns across:

  • Authentication and authorization (human and machine)

  • API security and service‑to‑service trust

  • Data protection and trust boundary enforcement

• Design architectures that safely bridge cloud services and customer OT networks

• Apply modern network and IAM patterns in environments that are not cloud‑native

• Explicitly incorporate Purdue Model principles, including zones, conduits, and segmentation, into architecture decisions

• Define how applications securely communicate across:

  • Cloud ↔ Enterprise ↔ OT boundaries

  • High‑trust and low‑trust network zones

• Lead architecture‑level threat modeling, with particular focus on:

  • “Red network” threats to OT environments

  • Lateral movement, protocol abuse, and weak segmentation

• Establish reference security architectures for large Java‑based platforms operating on OT networks

• Provide security architecture sign‑off at design and release decision points

• Translate security requirements into clear, developer‑consumable guardrails

• Influence platform and product roadmaps to remove systemic, repeatable security risks

Overall accountability for security outcomes remains with the Security Engineering Manager; you own the technical security architecture decisions that shape those outcomes.

How You’ll Work

This is an architecture‑first role, focused on making correct security decisions before systems are built and deployed.

You will work in environments that include:

• Cloud services integrated with on‑premise and customer‑managed OT networks

• Java application platforms (Spring / Spring Boot)

• Modern IAM architectures (OAuth2, OIDC, service identities) adapted for constrained, non‑cloud‑native environments

• Public Key Infrastructure (PKI) used to establish identity and trust for:

  • Services and applications

  • Devices and workloads operating in OT environments

• Encrypted communications across all trust boundaries, including:

  • Cloud ↔ Enterprise ↔ OT

  • Zone‑to‑zone and conduit communications aligned to the Purdue Model

• Segmented networks designed to limit blast radius and resist lateral movement

You will design and review architectures that:

• Use PKI and certificates to authenticate systems, services, and endpoints

• Enforce encryption in transit as a baseline, even in legacy or constrained OT networks

• Explicitly mitigate red‑network threats, including credential theft, protocol abuse, and unauthorized east‑west movement

• Balance strong security controls with real‑world customer and operational constraints

You will spend your time designing, reviewing, and influencing architecture, not administering tooling, rotating certificates, or operating infrastructure.

Explicitly Out of Scope

This role does not include:

• Day‑to‑day vulnerability management or ticket queues

• SOC, incident response, or on‑call rotations

• Compliance audit execution or evidence collection

• Cloud infrastructure ownership or operations

• Hands‑on CI/CD tooling administration

This role exists to make hard architecture decisions early, not to clean up avoidable mistakes later.

What We’re Looking For

You are likely a strong fit if you have:

• Strong understanding of cloud security fundamentals (identity, networking, trust boundaries, shared responsibility)

• Experience designing systems that run on customer OT networks, not just enterprise IT or cloud

• Deep understanding of modern network and IAM patterns applied outside pure cloud environments

• Working knowledge of the Purdue Model, including zones, conduits, and segmentation strategies

• Experience securing network communications in OT environments, including:

  • Encrypted communications

  • Authentication of services and endpoints

  • Mitigation of lateral movement and protocol abuse

• Ability to reason clearly about red‑network threats to OT systems and design architectural mitigations

• Strong background in Java application development and application security

• Expertise in authentication and authorization architectures (OAuth2, OIDC, identity federation)

• Experience defining API security patterns and service‑to‑service trust models

• Advanced threat modeling skills at system and platform scale

• Confidence making—and defending—architecture decisions that impact multiple teams

Nice to Have

• Experience with regulated, safety‑critical, or industrial systems

• Familiarity with zero‑trust concepts applied in constrained networks

• Prior experience partnering closely with AppSec, platform, and product teams

Experience Profile

• 7–10+ years in software engineering and security

• 3–5+ years in a security architecture or senior security engineering role

• Demonstrated ownership of architecture decisions across multiple platforms or products