Full time
1-9 Employees · Advertising


Job description

Role Overview and Company Mission

We are seeking an exceptional Lead Cloud Security Architect to join our dedicated InfoSec team. This is a highly strategic role focused on securing our multi-cloud infrastructure (primarily AWS and GCP) and ensuring compliance across all services and platforms. You will be the visionary driving the security roadmap, leading the design and implementation of security controls that enable our engineering teams to innovate safely and quickly. This position requires deep hands-on expertise with cloud-native security tools, a strong offensive security mindset, and proven leadership in a fast-paced, high-compliance environment.

Key Responsibilities

Architectural Leadership and Strategy

  • Develop and maintain a comprehensive cloud security architecture strategy, roadmaps, and reference patterns aligned with industry best practices (e.g., NIST, CIS, ISO 27001) and regulatory requirements (e.g., SOC 2, HIPAA, GDPR).
  • Lead the security design and architecture reviews for all new infrastructure, applications, and services before deployment to production.
  • Design and implement security controls for containerized environments (Kubernetes, Docker) and serverless architectures (AWS Lambda, GCP Cloud Functions).
  • Establish and enforce a robust "Security-as-Code" methodology, integrating security checks directly into the CI/CD pipeline using tools like Terraform, CloudFormation, and GitOps practices.

Threat Management and Compliance

  • Conduct continuous threat modeling of critical cloud environments and define mitigation strategies for identified risks.
  • Oversee the implementation of Identity and Access Management (IAM) best practices, including least privilege access, role-based access control (RBAC), and privileged access management (PAM) across all cloud accounts.
  • Manage and optimize Cloud Security Posture Management (CSPM) tools to proactively identify configuration drift and compliance violations.
  • Define data protection strategies, including encryption at rest and in transit, key management services (AWS KMS, GCP KMS), and data loss prevention (DLP) controls.

Team and Incident Response

  • Mentor and guide other security engineers and developers on secure coding practices, cloud security fundamentals, and architectural patterns.
  • Act as the primary escalation point for complex security incidents and lead forensic investigations within the cloud environment.
  • Collaborate closely with Engineering, DevOps, and Compliance teams to foster a culture of security ownership and shared responsibility.

Required Qualifications

  • Experience: 8+ years of experience in Information Security, with at least 4 years focused specifically on Cloud Security Architecture in large-scale, production environments.
  • Cloud Expertise: Expert-level, hands-on experience with security services in AWS (e.g., IAM, Security Hub, GuardDuty, WAF) and/or GCP (e.g., Cloud Armor, IAM, Security Command Center). Multi-cloud experience is highly preferred.
  • DevSecOps: Deep understanding of the DevSecOps lifecycle and practical experience implementing security automation and governance using tools like HashiCorp Vault, Falco, or Checkmarx.
  • Containers: Proven ability to secure Kubernetes clusters (e.g., network policies, admission controllers, service mesh security).
  • Networking: Strong command of cloud networking principles, including VPCs, Transit Gateways, private link endpoints, and hybrid cloud connectivity security.
  • Coding/Scripting: Proficiency in at least one scripting language (Python, Go, or Bash) for automation and security tool development.
  • Certifications (Highly Desired): AWS Certified Security - Specialty, Google Cloud Professional Cloud Security Engineer, or CISSP.

Deliverables and Metrics

The success of this role will be measured by:

  • Reduction in critical misconfigurations identified by CSPM tools.
  • Improvement in the mean time to detect (MTTD) and mean time to respond (MTTR) to security incidents.
  • Successful and timely achievement of audit and compliance milestones (e.g., 100% successful SOC 2 Type II audit).
  • The deployment and adoption rate of new, secure-by-default infrastructure templates across engineering teams.
  • Overall maturity rating of the cloud security program (e.g., according to a CMMI-style model).

Benefits, Culture, and Growth

We offer a highly competitive compensation package, including equity options, and a commitment to work-life balance. We support continuous learning through a generous annual budget for training, certifications, and security conferences. Our culture is collaborative, transparent, and strongly focused on ownership. You will be empowered to make high-impact technical decisions and will report directly to the Head of Information Security, with a clear path to a Director-level role as the team expands. Flexible hybrid work model offered.

Deep Dive on Data Protection and Privacy: A critical focus area will be establishing a comprehensive data classification scheme across the organization and enforcing controls based on sensitivity. This includes leveraging cloud-native tools for automated data discovery and protection, specifically focusing on PII (Personally Identifiable Information) and regulated data. The architect must have a deep technical understanding of key lifecycle management, rotation policies, HSM integration, and the security implications of multi-region data replication. You will be the technical lead for all internal discussions related to data residency and privacy controls, translating legal requirements into enforceable infrastructure configurations. This includes ensuring all data flows comply with privacy by design principles, applying masking techniques where necessary, and maintaining a robust audit trail for all data access activities. The ability to articulate the risk posture associated with various data storage patterns is mandatory.

Advanced Kubernetes and Container Security: Beyond basic control plane security, this role requires expertise in securing the entire container supply chain. This means defining and implementing image signing and verification processes, running advanced vulnerability scanning on build and runtime images, and establishing admission control policies to block insecure configurations from being deployed. Experience with service mesh technologies (Istio, Linkerd) for securing microservice traffic (mTLS) is a strong requirement. Furthermore, the architect must be able to deploy runtime security monitoring using tools like Sysdig Secure or Aqua Security to detect and respond to container escape attempts and suspicious process execution within the cluster. You will design the segmentation strategy using Kubernetes network policies to isolate sensitive workloads effectively, ensuring lateral movement is strictly controlled.

Cloud Financial Governance (FinSecOps): While primarily a security role, the successful candidate will integrate security decisions with cost efficiency. You will be expected to analyze cloud spending related to security services and propose optimizations without compromising the security posture. This involves rightsizing security appliances, optimizing logging and monitoring retention policies, and strategically choosing between cloud-native, third-party, or open-source security tools based on a total cost of ownership (TCO) analysis. The role involves frequent collaboration with Finance and Engineering Leadership to present security value in terms of risk reduction and ROI.

Security Tool Evaluation and Vendor Management: You will be responsible for the end-to-end evaluation, testing, and deployment of new security technologies. This includes creating detailed proof-of-concept (PoC) frameworks, managing vendor relationships, negotiating technical requirements, and planning the phased rollout and eventual operational handover of new tools to the Security Operations Center (SOC). Current areas of focus include extending our XDR capabilities and strengthening our application security testing (AST) suite.

Compliance and Audit Leadership: You will serve as the technical lead during external audits (SOC 2, penetration tests). This includes preparing required evidence, translating complex compliance requirements into actionable technical controls, and documenting the control effectiveness and design. You will champion the implementation of automated evidence collection mechanisms to reduce the manual effort associated with recurring compliance checks, using compliance-as-code frameworks.

Why Join Us? We offer challenging problems at scale and the autonomy to design and implement your solutions using cutting-edge technologies. Our team is fully committed to a continuous learning environment where experimentation is encouraged and failure is treated as a learning opportunity. We are building the next generation of cloud-native services, and your security decisions will have a direct impact on millions of users globally. We value diversity of thought and experience, promoting a supportive and inclusive atmosphere where every voice is heard.

How to Apply: Please submit your resume, a link to your LinkedIn or professional portfolio detailing your experience with large-scale cloud security projects, and a brief summary of your cloud security philosophy. We look forward to reviewing your application!

The role necessitates a high degree of proficiency in public key infrastructure (PKI) management, including certificate issuance, revocation, and automated renewal for both internal and external-facing services. Experience defining the architecture for secure API Gateways and ensuring uniform application of security headers and rate limits across all ingress traffic is also a core requirement. We are committed to fostering a strong internal security community, and you will be expected to present on security topics internally to raise the overall organizational security posture. The ability to perform risk quantification is a major plus.

This job post has been translated by AI and may contain minor differences or errors.