ECCO Select is a talent acquisition and consulting company specializing in people, process and technology solutions. We provide the talent behind the technology enabling our clients to achieve their goals. For more information about ECCO Select, visit us at www.eccoselect.com.
Position Title: Principal Cybersecurity Architect – Identity, IAM & Zero Trust
Location: Remote
Position Responsibilities:
As the Principal Cybersecurity Architect specializing in Identity and Access Management (IAM) and Zero Trust, you will serve as a senior individual contributor responsible for shaping and governing the enterprise-wide security architecture. You will guide major architectural decisions on how people, machines, and workloads authenticate, authorize, and access resources across a complex technology landscape.
Key responsibilities include:
- Partnering with IT, infrastructure, and business teams to integrate security into all technology decision-making processes.
- Mentoring and guiding security engineers on architectural standards and decision-making.
- Leading the design and evolution of Zero Trust architectures, including ZTNA, MFA, and PAM, across identity, device trust, network access, and application security, with principles grounded in NIST SP 800-207 and BeyondCorp.
- Defining, maintaining, and communicating reference architectures, security design patterns, and guardrails for engineering and infrastructure teams.
- Conducting threat modeling and security architecture reviews for all major technology projects and platform changes.
- Evaluating and selecting security tooling (such as SASE, SSE, ZTNA, NDR, and EDR) aligned with the organization’s security strategy.
- Performing gap assessments and driving continuous improvement of Zero Trust maturity across the enterprise.
- Owning the IAM architecture for the enterprise, spanning workforce identity, B2B federations, machine identities, and cloud entitlements.
- Designing robust identity lifecycle management processes (provisioning, access reviews, deprovisioning) that enforce least privilege by default.
- Architecting standards for federation and Single Sign-On (SSO) protocols (SAML 2.0, OIDC, OAuth 2.0) and integrating them with third-party SaaS, partner, and customer applications.
- Defining authentication assurance levels by resource sensitivity, implementing MFA aligned to NIST AAL2/AAL3, and creating a roadmap for phishing-resistant MFA (FIDO2/WebAuthn) for privileged access.
- Leading the architecture of Privileged Access Management (PAM) solutions, including credential vaulting, just-in-time privilege, session recording, and endpoint privilege management, in collaboration with Security Operations.
- Governing cloud entitlements on platforms such as AWS, Azure, and GCP using a CIEM framework and enforcing least privilege access.
- Establishing and maintaining non-human identity strategies (service accounts, keys, application credentials), eliminating hard-coded credentials, and enforcing dynamic secrets management.
- Driving identity governance processes including access certification, segregation of duties (SoD), and role-based access control (RBAC) model design.
- Working closely with HR, IT, and business application owners to automate and ensure auditable joiner/mover/leaver processes.
- Defining security architecture standards, policies, and exception management processes.
- Serving as an escalation point for complex identity and access design decisions and mentoring security engineering teams.
- Producing architectural artifacts—such as threat models, data flow diagrams, and trust zone maps—for both technical and executive audiences.
- Contributing to the broader security roadmap, annual planning, and translating risk priorities into strategic architectural investments.
Essential Skills and Experience:
- At least 8 years of experience in information security, with a minimum of 4 years in an architecture or senior engineering capacity.
- Deep, hands-on expertise in Zero Trust security frameworks (NIST SP 800-207, BeyondCorp) and identity-centric security architectures.
- Expertise in threat modeling methodologies (such as STRIDE, PASTA, or MITRE ATT&CK), with the ability to apply them to identity and authorization attack surfaces.
- Practical, hands-on experience administering and architecting enterprise IAM platforms (Microsoft Entra ID, Okta, Ping Identity, or similar).
- Proficient in federation and SSO protocols including SAML 2.0, OIDC, OAuth 2.0, and SCIM.
- Experience with PAM solutions (CyberArk, BeyondTrust, Delinea) and modern secrets management platforms (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault).
- Experience with Cloud Infrastructure Entitlements Management (CIEM) tools and governance of cloud IAM on at least two leading cloud providers (AWS, Azure, GCP).
- Knowledge and hands-on experience designing and governing identity lifecycle management and Identity Governance & Administration (IGA) processes (SailPoint, Saviynt, or similar is a plus).
- Strong understanding and experience designing processes for access governance, access reviews, RBAC model design, and SoD controls.
- Excellent verbal and written communication skills, with the ability to translate sophisticated technical concepts into clear and actionable guidance for technical teams, business stakeholders, and executives.
- Demonstrated ability to use diplomacy and influence to drive consensus and decision-making across diverse technical and business teams.
Qualifications:
- Bachelor’s degree in Computer Science, Information Security, or a related field preferred; advanced degree is a plus.
- Professional certifications such as CISSP, SABSA, TOGAF, Microsoft SC-100, Okta Certified Architect, or similar are highly desirable.
ECCO Select is committed to hiring and retaining a diverse workforce. Our policy is to provide equal opportunity to all people without regard to race, color, religion, national origin, ancestry, marital status, veteran status, age, disability, pregnancy, genetic information, citizenship status, sex, sexual orientation, gender identity or any other legally protected category. Veterans of our United States Uniformed Services are specifically encouraged to apply for ECCO Select opportunities.
Equal Employment Opportunity is The Law
This Organization Participates in E-Verify