Remote New

IS Principal Security Architect

Lifespan
United States
Jun 22, 2026

SUMMARY:

The Principal Security Architect is a key member of the CISO organization responsible for establishing and governing secure technology architecture across hybrid on-premises and multi-cloud environments. This role serves as a trusted subject matter expert partnering with infrastructure, application, data, and cloud platform teams to translate security strategy, regulatory expectations, and industry best practices into practical reference architectures, security standards, and design requirements. The Principal Security Architect leads architecture review and assurance activities to ensure solutions are implemented in alignment with approved designs and enterprise standards, and drives remediation of identified security and control gaps across identity, network segmentation, data protection, monitoring, CI/CD, and third-party integrations.

Owns enterprise security reference architectures, design standards, and security patterns across the organization. Has authority to approve, require modification of, or reject proposed designs that do not meet established security requirements, and ensures deviations are formally governed through the enterprise exception management process.

RESPONSIBILITIES:

Engage in project intake and early design phases to define security requirements prior to implementation. Partner with infrastructure, application, and cloud teams to embed security-by-design into initial architecture decisions and reduce downstream rework and exception volume.

Serve as a subject matter expert for the evaluation, design, and secure adoption of infrastructure, cloud platforms, applications, and enterprise technologies, ensuring security requirements are incorporated throughout the solution lifecycle.

Lead security architecture review and assurance activities by assessing proposed and existing designs, network and application architecture diagrams, and technology implementations against enterprise standards, reference architectures, threat models, and control requirements; defining security requirements and guardrails; and validating implemented solutions align with approved designs and enterprise standards.

Identify and drive remediation of security and control gaps across identity, network segmentation, data protection, logging/monitoring, key management, CI/CD, and third-party integrations in partnership with Infrastructure, Application, Data, and Cloud Platform teams.

Design security architecture for Microsoft Fabric and lakehouse patterns (Bronze/Silver/Gold), including secure data ingestion pipelines (e.g., Data Factory), least-privilege access using service principals and managed identities, strong data governance controls such as classification, labeling, lineage, and policy enforcement via Microsoft Purview, and secure storage and access boundaries through encryption and customer-managed keys (where applicable). Define secure ingestion and connectivity patterns for on-premises systems (e.g., EMR/Epic, relational databases) and third-party platforms (e.g., Snowflake), including segmentation, traceability, and segregation of duties between data engineering and data consumers.

Define and enforce security architecture for AI platforms and agent-based solutions (e.g., Copilot Studio, Azure AI services), including identity and access controls for service principals and managed identities, least-privilege connector design, data protection and prompt handling safeguards, logging and traceability of agent actions, and integration with enterprise data governance controls (e.g., Microsoft Purview).

Assess and integrate acquired entities into the enterprise security architecture by evaluating inherited environments, identifying control gaps, and defining transition architectures that align to enterprise standards while accounting for operational constraints.

Define and maintain Microsoft Entra ID security architecture standards, including Conditional Access, phishing-resistant MFA, PIM, RBAC design, privileged access workflows, and application identity governance.

Define secure network architecture patterns including segmentation, private networking, egress controls, firewall policy, and DNS security considerations across on-premises and cloud environments.

Define enterprise logging, telemetry, and monitoring architecture requirements, including SIEM integration, retention standards, and visibility requirements across on-premises, cloud, research, and AI environments.

Own and maintain enterprise security configuration standards and baselines across endpoints, infrastructure, cloud platforms (Azure and AWS), identity services, AI/agent platforms, and controlled environments including research and AI enclaves. This includes Windows, Linux and macOS systems, network devices, cloud-native services, Microsoft Entra ID, and AI agent frameworks. Ensure alignment with CIS Benchmarks and internal policy requirements and validate adoption through architecture governance and coordination with engineering and control validation teams, with particular focus on protecting sensitive data within research and AI workloads.

Perform detailed security risk assessments across infrastructure, endpoints, identity, networks, applications, and data platforms; translate findings into actionable risk narratives, compensating controls, and prioritized roadmaps.

Evaluate new technologies and platforms for architectural fit, integration requirements, and risk implications, providing recommendations aligned to enterprise security strategy and standards.

Provide architectural guidance during major incidents and support post-incident reviews to identify control gaps and improve future-state design.

Attend and actively contribute to team, project, project management, problem management, cloud migration and major incident conference calls as required.

Participate in compliance and audit activities in support of internal and external audit requirements.

Maintains work effort status within SLAs on Brown University Health's Service Desk and Task Management Platforms.

Performs other duties as assigned.

EXPERIENCE:

A minimum of 10 years of IS/IT experience, including 5+ years in information security architecture, engineering, or related senior technical security roles.

A bachelor's degree in information systems (or equivalent experience); MBA or MS in Information Security preferred.

A minimum of 3 active security certifications are required at the time of hire or must be obtained within 6 months of employment, with emphasis on architecture, cloud, and security engineering disciplines, including certifications such as CISSP, CCSP, GIAC (e.g., GCSA, GCLD, GCAD, GCPN, GPCS, GCTD), ISSAP, CKS, CCAK, OSCP/OSCE, or equivalent.

Demonstrated ability to operate as a senior technical leader across multiple security domains, balancing enterprise architecture, cloud security, identity security, AI governance, and data protection requirements.

Demonstrated experience designing and governing security architecture for hybrid (on-premises and cloud) and multi-cloud environments, including segmentation, secure connectivity (VPN, ExpressRoute, Direct Connect equivalents), DNS/routing, egress controls, and cloud governance models (landing zones, guardrails, subscription/account strategy).

Demonstrated experience securing Azure and AWS environments across multiple subscriptions/accounts, including identity, networking, storage, monitoring, and secure landing zone architecture.

Strong technical knowledge of security methodologies, platform hardening, and enterprise security controls across Windows/Linux systems, endpoints, cloud platforms, and enterprise infrastructure.

Strong knowledge of identity and access management, including federation and authentication protocols (SAML, OAuth2, OpenID Connect), Conditional Access, RBAC, privileged access management, and application identity governance.

Experience implementing and supporting phishing-resistant MFA (e.g., FIDO2/WebAuthn, smart cards, certificate-based authentication).

Strong knowledge of encryption and key management, including PKI concepts, secrets management, and KMS/Key Vault.

Experience with automation and integration concepts, including scripting (Python, PowerShell, Bash), cloud CLIs/SDKs, and API/webhook integrations supporting security workflows, telemetry, orchestration, and validation activities.

Experience integrating security controls and governance requirements into infrastructure-as-code (e.g., Terraform, Ansible) and CI/CD workflows.

Experience with SIEM and monitoring platforms supporting enterprise logging, telemetry, alerting, and security visibility requirements; familiarity with SOAR and automated response capabilities is preferred.

Knowledge of vulnerability management processes and tools (e.g., Qualys, Nessus, Rapid7), ensuring architecture and control design support effective risk-based prioritization and remediation governance.

Experience with CSPM/CWPP solutions to identify misconfigurations, vulnerabilities, and risks across multi-cloud environments.

Strong understanding of network security architecture, including segmentation, firewalls, routing, switching, DNS, private networking, and packet analysis concepts.

Strong understanding of regulatory requirements, security frameworks, and risk methodologies (e.g., HIPAA/HITECH, NIST, ISO 27001), including the ability to translate requirements into technical controls, governance standards, and audit evidence.

Proven ability to perform risk, control, vulnerability, and business impact assessments, and translate findings into actionable remediation plans.

Excellent interpersonal, verbal, and written communication skills with the ability to develop standards, architectural diagrams, technical documentation, and executive-level reporting, and communicate security decisions to both technical and non-technical stakeholders.

Motivated self-starter with a track record of taking ownership of security challenges and driving them to resolution.

INDEPENDENT ACTION:

Employee functions independently within department policies and practices; refers specific decisions to security management where authority is outside of the defined departmental RACI Matrix or clarification of departmental policies and procedures may be required.

SUPERVISORY RESPONSIBILITIES:

None

Pay Range:

$127,691.20-$210,724.80

EEO Statement:

Brown University Health is committed to providing equal employment opportunities and maintaining a work environment free from all forms of unlawful discrimination and harassment.

Location:

Remote-Rhode Island - N/A Providence, Rhode Island 02901

Work Type:

M-F 8:30am-5:00pm ET

Work Shift:

Day

Daily Hours:

8 hours

Driving Required:

No
