Security Controls Engineer

The Senior Security Controls Engineer designs, implements, and continuously improves technical security controls that reduce risk across on-premises, cloud, and endpoint environments. This role specializes in hardening, benchmark compliance, configuration risk reduction, compensating controls for non-patchable vulnerabilities, and control automation at scale. The engineer partners with IT operations, platform teams, and risk/compliance to ensure controls are effective, measurable, and audit-ready., 0-10% (as needed for site visits, projects, or audits), * Engineer and maintain preventive and detective controls across endpoints, servers, network, identity, and cloud services (Azure/AWS).

• Lead configuration hardening initiatives using industry benchmarks (e.g., CIS) and establish secure configuration baselines for common platforms (Windows, Linux, network devices, cloud services).
• Design compensating controls for vulnerabilities that cannot be remediated through patching (e.g., configuration changes, isolation, access controls, WAF rules, EDR policy tuning, segmentation).
• Own the technical control lifecycle: control requirements design implementation testing/validation monitoring continuous improvement.
• Develop and maintain control-as-code and automation (PowerShell/Python/Terraform/CI-CD) to deploy and enforce configurations consistently.
• Implement configuration compliance monitoring, drift detection, and remediation workflows; integrate with ticketing/ITSM for exception handling.
• Partner with Vulnerability Management to translate findings into durable mitigations (hardening, compensating controls, secure defaults) and reduce recurring exposure.
• Collaborate with SOC/IR to improve detections and containment policies aligned to threats and incidents; tune controls based on lessons learned.
• Produce audit-ready evidence: control narratives, diagrams, test results, screenshots/exports, and KPI dashboards.
• Maintain standards, procedures, and runbooks for control engineering; mentor junior engineers and provide technical leadership to cross-functional teams.

Typical Deliverables

• Secure configuration baselines and reference architectures for key platforms.
• Benchmark compliance reporting (coverage, drift, exceptions) with remediation plans.
• Compensating control designs and validation artifacts for non-patchable risk.
• Automation modules/scripts (policy-as-code) to deploy or enforce controls at scale.
• Control test plans, operational metrics, and audit evidence packages., * Control engineering mindset: designs controls that are measurable, testable, and durable.
• Risk-based prioritization: focuses effort where likelihood and impact are highest.
• Systems thinking: understands dependencies and minimizes operational disruption.
• Automation-first: reduces manual work by codifying and scaling controls.
• Stakeholder partnership: collaborates with IT and product teams to drive adoption.

Success Measures (KPIs)

• Reduction in recurring high/critical findings attributable to configuration or control gaps.
• Benchmark compliance coverage (%) and drift rate over time across in-scope assets.
• Mean time to mitigate (MTTM) for non-patchable vulnerabilities using compensating controls.
• Control effectiveness test pass rate and audit evidence readiness (time to produce evidence).
• Automation impact: number of controls deployed/enforced via code and reduction in manual effort.

Working Conditions

This role requires the ability to work effectively with production systems and coordinate maintenance windows, change control, and emergency response activities when required.

Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities and activities may change at any time with or without notice.

EEO StatementACA provides equal employment opportunities (EEO) to all applicants for employment without regard to race, color, religion, gender, sexual orientation, gender identity or expression, national origin, age, disability, genetic information, marital status, amnesty, or status as a covered veteran in accordance with applicable federal, state and local laws. ACA complies with applicable state and local laws governing non-discrimination in employment in every location in which the company has facilities.

• 7+ years in security engineering, systems engineering, or infrastructure engineering with a strong focus on security controls and hardening.
• Hands-on expertise with Windows and Linux hardening, identity controls, and endpoint security control configuration.
• Experience implementing benchmark-based configuration standards (e.g., CIS) and managing exceptions/risk acceptances.
• Strong understanding of networking fundamentals (segmentation, firewalls, proxies, routing) and how to apply compensating controls.
• Cloud security controls experience in Azure and/or AWS (IAM, network controls, logging, security services).
• Proficiency in scripting/automation (PowerShell and/or Python); familiarity with infrastructure as code (e.g., Terraform) preferred.
• Ability to translate risk into technical control requirements and document controls for audit and compliance purposes.
• Excellent written and verbal communication; ability to work across infrastructure, application, and governance teams., * Experience with configuration management and compliance platforms (e.g., Intune, Group Policy, SCCM/MECM, Ansible, Chef, Puppet).
• Experience with vulnerability scanning and exposure management tools (e.g., Tenable, Qualys, Rapid7) and mitigation engineering workflows.
• Experience tuning EDR policies and implementing detection/response guardrails (e.g., Microsoft Defender for Endpoint, SentinelOne, CrowdStrike).
• Experience with SIEM/SOAR integration for control telemetry and automated response.
• Security certifications (one or more): CISSP, GIAC (GSECEDIA), CCSP, AZ-500, AWS Security Specialty, or equivalent.
• Prior work in regulated industries (financial services, healthcare) with control evidence expectations (SOC 2, PCI DSS, GLBA).