Security Engineer, Information Security, Architecture and Engineering - Technology Soluti
Listed on 2026-05-22
IT/Tech
Cybersecurity, Systems Engineer
WHAT MAKES US A GREAT PLACE TO WORK
We are proud to be consistently recognized as one of the world’s best places to work. We are currently the top ranked consulting firm on Glassdoor’s Best Places to Work list and have earned the #1 overall spot a record seven times. Extraordinary teams are at the heart of our business strategy, but these don’t happen by chance. They require intentional focus on bringing together a broad set of backgrounds, cultures, experiences, perspectives, and skills in a supportive and inclusive work environment.
We hire people with exceptional talent and create an environment in which every individual can thrive professionally and personally.
You’ll join our Technology Solutions Group. This team considers the full spectrum of people, tech, and process to help others at Bain achieve their goals. We aim to understand our partners in the business so well that our proposed architectures, apps, and automations really do improve their work lives. If you’re the sort of person who embraces change, who has an entrepreneurial spirit, and who friends and family still call for tech advice, this might be a great team for you.
WHERE YOU’LL FIT WITHIN THE TEAM
Staff Security Engineers are responsible for the security posture of the full PE platform estate, hosted on Microsoft Azure and running on Azure Kubernetes Service (AKS), from supply chain security and Kubernetes hardening through to data boundary enforcement and AI egress controls. You work across teams as a specialist and trusted partner, embedding security into the development lifecycle rather than bolting it on at the end.
For a platform handling sensitive PE deal data for 10,000+ users, security is a first-class engineering concern, not a compliance checkbox. You set and enforce security standards, build controls as code, and partner with Platform Engineering, Data Platform, Product Engineering, and the Agent / AI squad to reduce risk while enabling rapid delivery.
- Own and operate the platform’s security posture end-to-end across core controls: HashiCorp Vault and/or Azure Key Vault, Istio mTLS, Cilium network policy, Pod Security Standards, and OPA/Gatekeeper policies.
- Design and implement zero-trust security architecture across the estate: defense in depth, least privilege, and explicit security boundary design.
- Conduct lightweight threat modelling (STRIDE) for new services and major features before implementation; document risks, mitigations, and residual risk decisions.
- Manage supply chain security controls: container image scanning, image signing, SBOM generation, and dependency vulnerability management.
- Define and enforce identity and access controls: SAML/OIDC integration patterns, JWT/OAuth concepts, and practical enterprise IdP integration guidance (Okta/Entra).
- Define and maintain data classification controls and enforce them at the platform layer (governed access patterns, masking/tokenization, and API-layer enforcement).
- Own runtime detection controls: operate Falco rules and escalation pathways; integrate relevant signals with the central SIEM and reduce alert noise to maintain usable signal.
- Lead security incident response for the platform; drive containment, remediation, and post-incident security reviews with clear follow‑up actions.
- Run regular security reviews of the AI layer: Agent Gateway egress controls, prompt injection risks, PII handling, and data exfiltration controls for model interactions.
- Maintain security runbooks and execute quarterly internal security reviews across teams; ensure controls are tested, auditable, and actively maintained.
- Embed in select PE squad ceremonies (refinement, planning, design reviews) to catch security concerns early and raise testability/operability requirements for security controls.
- Partner with Platform Engineering on secure‑by‑default templates and guardrails (policy‑as‑code libraries, reusable CI checks, pre‑commit hooks) to reduce repeated effort across squads.
- Collaborate with the Data Governance Lead on PII classification, tokenization policy, and regulatory/compliance…