ACLU
Director, Security Architecture & Engineering
Location:
New York, NY
Employment type:
Full-time
Seniority level:
Director
Compensation:
$220,285 per year (Level-C2)
About the Job The ACLU seeks a full‑time Director of Security Architecture & Engineering for its Information Security Department at the National office in New York, NY. This hybrid role requires in‑office presence two days per week or eight days per month.
The Director reports directly to the Chief Information Security Officer (CISO) and is responsible for driving enterprise security architecture and engineering strategy across the ACLU’s national and affiliate environments.
The role leads enterprise‑wide efforts to operationalize Secure by Design, strengthen identity architecture and segmentation, and ensure the consistent enforcement of core security controls.
The Director will translate policy and risk into technical designs, baseline controls, and sustainable engineering practices, working closely with Technology and IT teams, platform teams, affiliates, and key National stakeholders, including Legal, National Political Advocacy (NPAD), and Development.
Lead a highly collaborative team of three direct reports, each managing a core domain of the security architecture program.
Responsibilities
Lead the development and execution of the ACLU’s Secure by Design and Safe by Default strategy; translate policy and risk priorities into reference architectures, technical baselines, and automated guardrails.
Establish and chair the Control Design Review Board (CDRB) to govern architectural decisions involving identity boundaries, network segmentation, data egress, privileged access, third‑party integrations, and other critical control points.
Define, publish, and maintain enterprise reference architectures covering cloud services (Microsoft 365, AWS), identity zones, network segmentation tiers, privileged access models, SaaS security, and service‑to‑service authentication standards.
Drive secure implementation of ZTNA/SASE, configuration drift detection, phishing protection, and secure baseline management across cloud, endpoint, and infrastructure systems.
Oversee the development and enforcement of modern identity and access management models.
Design and implement a segmentation strategy, incorporating macro‑ and micro‑segmentation approaches to reduce lateral movement risk and isolate sensitive business processes and data environments.
Oversee the organization’s Attack Surface Management (ASM) capabilities, formalizing asset inventory, exposure tracking, remediation prioritization, and SLA adherence across all relevant environments.
Advance the ACLU’s Insider Threat and Data Protection programs.
Provide executive‑level decision‑making on risk trade‑offs, technical exceptions, and compensating control design, ensuring clear resolution pathways with expiration timelines and audit visibility.
Partner with GRC to align technical controls with policy, regulatory requirements, vendor standards, and internal audit frameworks.
Qualifications
Extensive experience in progressive cybersecurity, with equivocal expertise in technical architecture, engineering leadership, or hands‑on security infrastructure roles.
Deep expertise in security architecture across hybrid enterprise environments, including identity and access management, network segmentation, endpoint security, cloud/SaaS hardening, and exposure management.
Demonstrated success designing and delivering secure architecture programs, including Secure by Design frameworks, threat‑informed reference architectures, and platform security initiatives.
Familiarity with modern authentication and access control frameworks, including Entra ID (Azure AD), Microsoft 365, phishing‑resistant MFA (e.g., FIDO2, number matching), PIM/JIT, device trust, and conditional access.
Experience building and leading high‑performing security teams with proven mentoring, accountability, and cross‑functional delivery skills.
Strong communication and stakeholder‑management skills, with the ability to translate technical risk to both technical and non‑technical audiences.
A demonstrated commitment to mission‑driven work and an understanding of security’s role in protecting civil liberties and digital rights.
Hands‑on experience maturing core cybersecurity domains such as attack surface management, segmentation enforcement, secure integration design, and insider threat mitigation.
Technical experience with Microsoft 365 security configuration, Microsoft Purview data protection (DLP, sensitivity labels), AWS service hardening, and secure data platform integration.
Familiarity with the legal and advocacy sector’s unique operational needs, including privilege boundaries, sensitive communications workflows, and affiliate organizational structures.
Certifications (CISSP, CCSP, GIAC, AWS Security Specialty, Azure Security Engineer Associate, etc.) are welcome but not required.
Benefits
Generous paid time‑off policy.
Comprehensive healthcare benefits (medical, dental, vision, parental leave, gender‑affirming care & fertility treatment).
401(k) plan with employer match.
Professional development funds and internal training programs.
Competitive salary and equity program.
Accessibility, Equity, Diversity & Inclusion Accessibility, equity, diversity and inclusion are core values of the ACLU and central to our work. We encourage applications from all qualified individuals without regard to race, color, religion, gender, sexual orientation, disability, or any other characteristic protected by law. The ACLU is committed to providing reasonable accommodation to individuals with disabilities. If you need assistance applying online, please email benefits.hrdept@aclu.org.
EEO Statement The ACLU is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, sexual orientation, age, or gender identity. The Department of Education has determined that employment in this position does not qualify for the Public Service Loan Forgiveness Program.
#J-18808-Ljbffr
New York, NY
Employment type:
Full-time
Seniority level:
Director
Compensation:
$220,285 per year (Level-C2)
About the Job The ACLU seeks a full‑time Director of Security Architecture & Engineering for its Information Security Department at the National office in New York, NY. This hybrid role requires in‑office presence two days per week or eight days per month.
The Director reports directly to the Chief Information Security Officer (CISO) and is responsible for driving enterprise security architecture and engineering strategy across the ACLU’s national and affiliate environments.
The role leads enterprise‑wide efforts to operationalize Secure by Design, strengthen identity architecture and segmentation, and ensure the consistent enforcement of core security controls.
The Director will translate policy and risk into technical designs, baseline controls, and sustainable engineering practices, working closely with Technology and IT teams, platform teams, affiliates, and key National stakeholders, including Legal, National Political Advocacy (NPAD), and Development.
Lead a highly collaborative team of three direct reports, each managing a core domain of the security architecture program.
Responsibilities
Lead the development and execution of the ACLU’s Secure by Design and Safe by Default strategy; translate policy and risk priorities into reference architectures, technical baselines, and automated guardrails.
Establish and chair the Control Design Review Board (CDRB) to govern architectural decisions involving identity boundaries, network segmentation, data egress, privileged access, third‑party integrations, and other critical control points.
Define, publish, and maintain enterprise reference architectures covering cloud services (Microsoft 365, AWS), identity zones, network segmentation tiers, privileged access models, SaaS security, and service‑to‑service authentication standards.
Drive secure implementation of ZTNA/SASE, configuration drift detection, phishing protection, and secure baseline management across cloud, endpoint, and infrastructure systems.
Oversee the development and enforcement of modern identity and access management models.
Design and implement a segmentation strategy, incorporating macro‑ and micro‑segmentation approaches to reduce lateral movement risk and isolate sensitive business processes and data environments.
Oversee the organization’s Attack Surface Management (ASM) capabilities, formalizing asset inventory, exposure tracking, remediation prioritization, and SLA adherence across all relevant environments.
Advance the ACLU’s Insider Threat and Data Protection programs.
Provide executive‑level decision‑making on risk trade‑offs, technical exceptions, and compensating control design, ensuring clear resolution pathways with expiration timelines and audit visibility.
Partner with GRC to align technical controls with policy, regulatory requirements, vendor standards, and internal audit frameworks.
Qualifications
Extensive experience in progressive cybersecurity, with equivocal expertise in technical architecture, engineering leadership, or hands‑on security infrastructure roles.
Deep expertise in security architecture across hybrid enterprise environments, including identity and access management, network segmentation, endpoint security, cloud/SaaS hardening, and exposure management.
Demonstrated success designing and delivering secure architecture programs, including Secure by Design frameworks, threat‑informed reference architectures, and platform security initiatives.
Familiarity with modern authentication and access control frameworks, including Entra ID (Azure AD), Microsoft 365, phishing‑resistant MFA (e.g., FIDO2, number matching), PIM/JIT, device trust, and conditional access.
Experience building and leading high‑performing security teams with proven mentoring, accountability, and cross‑functional delivery skills.
Strong communication and stakeholder‑management skills, with the ability to translate technical risk to both technical and non‑technical audiences.
A demonstrated commitment to mission‑driven work and an understanding of security’s role in protecting civil liberties and digital rights.
Hands‑on experience maturing core cybersecurity domains such as attack surface management, segmentation enforcement, secure integration design, and insider threat mitigation.
Technical experience with Microsoft 365 security configuration, Microsoft Purview data protection (DLP, sensitivity labels), AWS service hardening, and secure data platform integration.
Familiarity with the legal and advocacy sector’s unique operational needs, including privilege boundaries, sensitive communications workflows, and affiliate organizational structures.
Certifications (CISSP, CCSP, GIAC, AWS Security Specialty, Azure Security Engineer Associate, etc.) are welcome but not required.
Benefits
Generous paid time‑off policy.
Comprehensive healthcare benefits (medical, dental, vision, parental leave, gender‑affirming care & fertility treatment).
401(k) plan with employer match.
Professional development funds and internal training programs.
Competitive salary and equity program.
Accessibility, Equity, Diversity & Inclusion Accessibility, equity, diversity and inclusion are core values of the ACLU and central to our work. We encourage applications from all qualified individuals without regard to race, color, religion, gender, sexual orientation, disability, or any other characteristic protected by law. The ACLU is committed to providing reasonable accommodation to individuals with disabilities. If you need assistance applying online, please email benefits.hrdept@aclu.org.
EEO Statement The ACLU is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, sexual orientation, age, or gender identity. The Department of Education has determined that employment in this position does not qualify for the Public Service Loan Forgiveness Program.
#J-18808-Ljbffr