
SaaS Senior Engineer, Information Security, Architecture and Engineering - Technology Solutions Group

What Makes Us a Great Place To Work

We are proud to be consistently recognized as one of the world's best places to work. We are currently the top-ranked consulting firm on Glassdoor's Best Places to Work list and have earned the #1 overall spot a record seven times. Extraordinary teams are at the heart of our business strategy, but these don't happen by chance. They require intentional focus on bringing together a broad set of backgrounds, cultures, experiences, perspectives, and skills in a supportive and inclusive work environment. We hire people with exceptional talent and create an environment in which every individual can thrive professionally and personally.

Who You'll Work With

You'll join our Technology Solutions Group. This team considers the full spectrum of people, tech, and process to help others at Bain achieve their goals. We aim to understand our partners in the business so well that our proposed architectures, apps, and automations really do improve their work lives. If you're the sort of person who embraces change, who has an entrepreneurial spirit, and who friends and family still call for tech advice, this might be a great team for you.

Where You'll Fit Within the Team

The SaaS security engineer will lead and scale our SaaS security program, with primary ownership of our SaaS Security Posture Management (SSPM) platform and related initiatives. The role is technical, and candidates must possess a solid understanding of information security, cloud infrastructure, and SaaS application configuration practices.

The role also requires an understanding of business goals, strategy, and operational requirements in a fast-paced environment, and the ability to communicate clearly and effectively both the business risk impact of a finding and the technical actions required to resolve it. The SaaS security engineer supports the growing third-party ecosystem, working to reduce misconfiguration risk, improve identity hygiene, and strengthen monitoring and governance recommendations across a variety of cloud-based applications. They are an integrated team member working with product owners, application administrators, system engineers, cybersecurity engineers, and systems administrators. At times, the SaaS security engineer acts as a liaison with business stakeholders to understand the strategy and execution outlook. The role is heavily security-focused and ingrained in the third-party application lifecycle to deliver security principles and validation at all times.

What You'll Do

SaaS security engineers have a strong work ethic, apply analytical and critical thinking, and are masterful at meeting change requests on demand. They are expected to work well with business units and possess superior listening and communication skills, in addition to the expected technical expertise. SaaS security engineers embody security-first principles, constantly assess the threat landscape, and adapt quickly to manage enterprise risk as well as integration and deployment requirements.

Essential Functions

Technical work (40%)
- Own and operate the SaaS Security Posture Management (SSPM) platform
- Onboard new SaaS applications into SSPM and define security baselines
- Design and implement secure configuration standards for enterprise SaaS platforms (M365, Salesforce, ServiceNow, Slack, etc.)
- Develop and maintain SaaS security configuration benchmarks
- Improve identity and access controls across SaaS applications (RBAC, MFA, SSO enforcement)
- Integrate SSPM findings into SIEM/SOAR platforms
- Develop detection logic for anomalous SaaS behavior
- Build dashboards and reporting to track SaaS posture and risk trends
- Automate security checks and remediation workflows via APIs and scripting
- Enhance SaaS monitoring and logging coverage
- Serve as a point of contact for security-based escalations and remain tightly involved through resolution
- Assist in third-party technical reviews and solution advisement, identifying gaps in existing controls and recommending solutions to vendors
- Partner with the Senior Manager and stakeholders to problem solve

Support team growth and improvement (30%)
- Establish scalable SaaS security review processes for new application onboarding
- Contribute to the development of SaaS security standards and governance frameworks
- Improve joiner/mover/leaver access governance processes
- Identify tooling gaps and recommend new security capabilities
- Create documentation and playbooks for SaaS security operations
- Mentor junior security engineers or IT administrators on SaaS security best practices
- Drive continuous improvement initiatives to reduce manual security effort
- Track and report on SaaS security KPIs to inform program maturity

Vulnerability and misconfiguration handling (20%)
- Monitor, triage, and remediate SaaS misconfigurations identified by SSPM, automating and documenting the process so it scales to operations
- Identify excessive permissions, risky OAuth grants, and policy drift
- Partner with application owners to drive timely remediation of high-risk findings
- Perform periodic access reviews and privilege audits
- Reduce stale accounts, toxic permission combinations, and overprivileged roles
- Support SaaS-related security incidents and root cause analysis
- Act as an escalation point for technical teams needing support in resolving vulnerabilities and misconfigurations
- Communicate results in a manner understood by technical and non-technical business units, framed by risk tolerance and threat to the business, and gain support through influential messaging
- Maintain strong third-party awareness via vulnerability databases, vendor documentation, etc., to understand the weakness, its probability, and the remediation options and workarounds supplied by vendors

Communications and leadership (10%)
- Partner with IT, Engineering, Legal, Procurement, and Risk teams to improve SaaS security posture
- Provide clear reporting on SaaS risk exposure and remediation progress
- Support SaaS security discussions in vendor risk and audit engagements
- Lead security conversations with application owners and executive stakeholders as needed
- Advocate for secure-by-default SaaS configurations across the organization

About You

Hybrid: This role follows a hybrid model, requiring in-office presence at least 1 day per week.

Required
- Undergraduate degree or an equivalent level of relevant work experience
- 3-7+ years of business and/or security experience
- Breadth of analytical, technical, project management, and time management skills
- Understanding of SaaS security risks and misconfigurations
- Understanding of OAuth and API security
- Understanding of SSO, MFA, RBAC, and common IdPs

Preferred
- CISSP, GIAC, Security+, or other relevant coursework and certifications
- 3-5 years of enterprise SaaS administration experience (M365, Salesforce, Slack, etc.)
- Understanding of IT environments and practices related to one or more of the following disciplines: networking; infrastructure configuration and resiliency; system architecture and configuration; operating systems; application development; operational/IoT technology; cloud operations

U.S. Compensation Information

Compensation for this role includes base salary, an annual discretionary performance bonus, a 401(k) plan with an annual employer contribution based on years of service, and Bain's best-in-class benefits package (details listed below).

Role

Some local governments in the United States require a good-faith, reasonable salary range to be included in job postings for open roles. The estimated annualized compensation for this role is as follows:
- In Boston, MA, the good-faith, reasonable annualized full-time salary range for this role is between $108,250 – $130,000; placement within this range will vary based on several factors including, but not limited to, experience, education, licensure/certifications, training, and skill level
- In Chicago, IL, the good-faith, reasonable annualized full-time salary range for this role is between $103,500 – $124,250; placement within this range will vary based on several factors including, but not limited to, experience, education, licensure/certifications, training, and skill level
- Annual discretionary performance bonus
- This role may also be eligible for other elements of discretionary compensation
- 4.5% 401(k) company contribution, which increases after 3 years of service and is 100% vested upon start date

Bain & Company's comprehensive benefits and wellness program is designed to help employees achieve personal independence, protection, and stability in the areas most important to you and your family.
- Bain pays 100% of individual employee premiums for medical, dental, and vision programs, offering one of the most comprehensive medical plans for employees without impacting your paycheck
- Generous paid time off, including parental leave, sick leave, and paid holidays
- Fully vested 401(k) company contribution
- Paid life and long-term disability insurance
- Annual fitness reimbursements

It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.