Infrastructure Security Architect

SUMMARY/OBJECTIVES

The Infrastructure Security Architect is responsible for providing guidance on developing secure and resilient infrastructure architectures in regulated financial institutions. This position involves designing and maintaining layered infrastructure and security frameworks following NIST SP 800-53 and NIST SP 800-100, and integrating security and resiliency measures across compute, network, virtualization, cloud, storage, and backup environments, as well as throughout the systems development life cycle. The architect ensures that administrative, technical, and physical controls are implemented to maintain the confidentiality, integrity, and availability of customer information as required by FDIC/Interagency Guidelines, while supporting system availability and performance.

This role is responsible for the design and security oversight of secure on-premises and cloud infrastructure, specifically within Microsoft Azure. Key technologies oversight includes Palo Alto next-generation firewalls, VMware NSX, CyberArk PKI/certificate management, Cisco ASA remote-access VPN, Zerto disaster-recovery orchestration, and Cohesity backup/recovery platforms. The security architect leads cross-functional teams, establishes policies, standards, and procedures, provides mentorship to engineers, and works in close collaboration with business executives to ensure infrastructure and security projects align with organizational objectives and comply with regulatory requirements.

ESSENTIAL FUNCTIONS

• Develop and maintain robust infrastructure and security architectures that integrate compute, network, storage, and virtualization with layered security controls, following NIST guidance.

• Design and manage macro and micro segmentation across data centers and hybrid clouds, leveraging VMware NSX distributed firewalling for micro segmentation, encryption, and centralized policy.

• Architect secure Azure and hybrid environments, demonstrating expertise in designing cloud and hybrid solutions across compute, network, storage, monitoring, and security.

• Deployment of Palo Alto firewalls, including design, configuration, security oversight, and troubleshooting.

• Implement CyberArk certificate management to secure machine identities and integrate CyberArk solutions.

• Provide secure remote access using Cisco ASA and AnyConnect, ensuring policy-based access and multifactor authentication.

• Conduct risk assessments, develop infrastructure and security plans, and ensure controls meet regulatory requirements (NIST, FDIC, GLBA, PCI, Sarbanes-Oxley Act (SOX)).

• Lead cross-functional architecture reviews, mentor engineers, and coordinate with networking, infrastructure, development, and operations teams.

• Coordinate with vendors (Microsoft Azure, Palo Alto, VMware, CyberArk, Cisco, Zerto, Cohesity, etc...) for support and integration; communicate priorities to executives and stakeholders.

• Ensure strict compliance with the Bank's policies and procedures, code of conduct, and regulatory guidelines.

• Assist other employees by interacting with them through healthy and positive interactions.

• Continuously update skills by participating in professional training and conferences.

• Security implementation for Infrastructure as Code (IaC): Develop and maintain automation scripts using Terraform, ARM templates, to ensure efficient cloud deployments.

• Hybrid Cloud & Integration: Architect hybrid cloud solutions integrating on-premises systems with Azure services like Azure Files, ExpressRoute, and VPN Gateway.

• Emerging Technologies: Stay up to date with advancements in AI, ML, Open Banking APIs, and Blockchain to explore innovative banking solutions.

• All other tasks, responsibilities, or duties, as directed by management.

• Reasonable accommodation(s) may be made to enable individuals with disabilities to perform the essential functions.

COMPETENCIES

• Technical Leadership: Upholds industry best practices and standards; maintains awareness of advancements in technology; formulates effective troubleshooting methodologies; exhibits comprehensive understanding of system and security architecture, as well as extensive expertise in cloud computing, virtualization, and cybersecurity.

• Innovation & Problem Solving: Staying aware of technological trends and applying creative thinking; uses analytical thinking and strategic alignment to overcome challenges.

• Business Acumen & Communication: Translates technical concepts into business terms; collaborates with business leaders to identify opportunities; communicates effectively and establishes clear vision.

• Regulatory & Risk Awareness: Understands and applies NIST and FDIC/GLBA requirements to align infrastructure and security architecture with compliance mandates.

• Mentorship & Delegation: Delegates tasks effectively, empowers team members, and mentors' junior staff.

• Excellent communication and people skills.

• Must be able to remain composed under pressure and respond to customer and coworker concerns regularly upholding the IT Vision and Mission statements.

• Ability to use the computer efficiently and the capacity to learn new software programs as they are rolled out by the Bank.

• Must possess basic English language skills to write and speak clearly, and effectively with coworkers, customers, and senior leaders.

• Must be well-organized, accurate, and attentive to detail.

Qualifications, Education, AND CERTIFICATION Requirements

• Education: Bachelor's degree in computer science, Information Systems, Cybersecurity, Engineering, or a related field required; Master's degree preferred.

• Experience: 8+ years of progressive experience in infrastructure and security architecture and design, preferably in financial services or other regulated industries.

• Demonstrated experience designing secure and resilient architectures for Azure and hybrid cloud environments.

• Experience with Palo Alto firewalls (PCNSE-level), VMware NSX micro segmentation, CyberArk certificate management, Cisco ASA/AnyConnect remote-access VPN, Zerto replication, and Cohesity data-protection platforms.

• Experience designing and operating network segmentation strategies, virtualization and compute infrastructure, firewall policies, encryption solutions, and certificate management.

• Demonstrated expertise in leading cross-functional teams, overseeing project management initiatives, and effectively communicating with executive stakeholders.

• Deep understanding of NIST SP 800-53, NIST SP 800-100, and FFIEC/FDIC guidelines.

• Strong knowledge of network protocols, routing, switching, virtualization, containers, zero-trust architecture, compute infrastructure, and identity management.

• Experience with automation tools and scripting (PowerShell, Python, Terraform/Ansible) for infrastructure as code and security policy automation.

• Familiarity with DevSecOps, CI/CD pipelines, vulnerability management, and SIEM integration.

• Certifications: Candidates should hold or be working toward some of the following certifications:

• Microsoft Certified: Azure Solutions Architect Expert

• VMware Certified Design Expert (VCDX)

• Palo Alto Networks Certified Network Security Engineer (PCNSE)

• CyberArk Sentry or Guardian Certifications

• Cisco Certified Network Associate (CCNA) Security

• Other relevant certifications: CISSP, CISM, CCSP, CISA, or other global security credentials.

TRAINING REQUIREMENTS/CLASSES

• On the job training and any additional training as needed.

• Required annual compliance training.

• Workday Learning as assigned by manager for technical and leadership training.

• New Employee Orientation as well as continual update of processes of banking systems.

PHYSICAL DEMANDS

• Must be able to sit for extended periods of time.

• Must be able to effectively access and interpret information on computer screens, documents, and reports.

WORK ENVIRONMENT

This position is located in a cubicle environment that may be loud throughout the day. Telecommuting roles no matter if hybrid or 100% full time telecommuting must have a secure home office environment that is free from background noise and distractions. They must also have a reliable private internet connection that is not supplied by use of cellular data (hot spot). Cable or fiber connections are preferred. Requirements are subject to change, as new systems and technology is delivered. Travel may be required to come to meetings as needed.