United States, Kansas, Security Architect jobs

Responsibilities

• The successful candidate will work with GPS engagement teams, supporting functions, and EY’s Client Technology and Global Information Security organizations to develop and maintain a security and compliance program across all environments, platforms and applications used or desired for use by GPS. Responsibilities include:
• Strategy, Governance and Risk Management
• Development and execution of a multi‑year cybersecurity strategy and investment roadmap aligned to business objectives and federal contract requirements.
• Development, management and maintenance of the GPS IT security risk management policy and/or procedural documentation mapped to NIST SP 800-37 (RMF), NIST SP 800‑53, NIST SP 800‑171, NIST SP 800‑161 (C‑SCRM), and NIST SP 800‑218 (SSDF)
• Ownership of the enterprise risk assessment (ERA), business impact analysis (BIA), and security metrics; present posture and material risk to the COO on a recurring cadence.

Defense Industrial Base Compliance (Classified & Unclassified)

• Manage GPS compliance with DFARS 252.204-7012, 252.204-7020, and 252.204-7021. This includes:
  • Leading DFARS/CMMC readiness and ongoing compliance.
  • Serving as the Affirming Official (AO) and maintaining an accurate SPRS self‑assessment score with defensible Plans of Action and Milestones (POAMs).
  • Achieving and maintaining CMMC certification at level 2.
  • Overseeing management and maintenance of POAMs.
• Ensure systems operated for the government are designed properly and assessed against the appropriate requirements such as FedRAMP, Cloud Computing Security Requirements Guide, IRS 1075, and MARS-E.
• Ensure safeguarding and incident reporting obligations for CUI (e.g., DFARS 252.204‑7012 72‑hour reporting) are met; coordinate with DC3/DIBNet and affected customers when necessary.
• Oversee NISPOM compliance for classified systems; partner with FSO to achieve and maintain Authorizations to Operate (ATOs).
• Ensure proper handling of export‑controlled data (ITAR/EAR).
• Prepare for and lead Program through contractually required assessments and customer audits; keep evidence, policies, configurations, and logs audit‑ready.
• Respond to government inspections or audits in coordination with EY Information Security and Risk Management.

Secure Cloud, Identity & Enterprise Platforms

• Own security architecture and controls for Azure Government (Azure Gov) and Microsoft 365 GCC High tenants, including Conditional Access, PIM/PAM, encryption, logging/retention, and data governance for CUI.
• Implement Zero Trust principles across identity, endpoints, networks, and workloads; drive continuous verification and least‑privilege.
• Deploy and operate EDR/XDR, SIEM/SOAR, DLP, CASB/SSE/SASE, MDM, key management/HSM, and vulnerability/configuration management at scale.
• Oversee user authorization process and ongoing attestation of user authorization and access.
• Assist to resolve GPS practitioners’ access or other issues with Enclave environments.
• Ongoing development, coordination and sustainment of Information Security Continuous Monitoring (ISCM) Program across all applications within the environment.

DevSecOps & Secure SDLC

• Establish a software security program aligned to NIST SSDF (SP 800‑218) and EO 14028 expectations; integrate security into SDLC across GitHub and Azure DevOps.
• Govern AppSec tooling and policy: SAST (e.g., Checkmarx), DAST (e.g., Qualys/AppScan), SCA/OSS (e.g., Mend), IaC/container/K8s scanning, and Wiz/Wiz Code; enforce build‑time gates and remediation SLAs.
• Require SBOM generation, artifact signing/provenance (e.g., SLSA targets), and secrets management across all repositories and pipelines.

Detection, Response & Resilience

• Develop, manage and maintain GPS incident response program.
• Lead SOC and CSIRT functions: 24×7 monitoring, threat intelligence, purple/red‑team exercises, and executive tabletop drills.
• Maintain and test the Incident Response Plan and Cyber Crisis Playbook, including regulatory/customer communications and forensics preservation.

Effective Business Integration

• Ensure development of fit-for-purpose solutions that support the business activities.
• Manage integration of Firm applications into the GPS Enclave environment.
• Understand and facilitate communication of EY’s IT disaster recovery and business continuity plans to GPS clients, potential clients and engagement teams (including engagement team responsibilities).
• Augment existing Client Security Assurance reviews of data protection requirements contained in RFPs/RFQs to adequately respond, and assist in development of GPS client security and data protection (confidentiality) plans.
• Monitor regulatory or other developments in INFOSEC principles, regulatory requirements and leading practices.

Leadership, Team and Budget

• Role model a leadership style that brings infrastructure, application and cybersecurity professionals together to collaborate constructively on the design, implementation and operation of controls.
• Build and mentor a high‑performing organization spanning Policy/GRC, AppSec/DevSecOps, Security Engineering/Architecture, SOC/IR, and Third‑Party & Supply‑Chain Risk.
• Own the cybersecurity budget and vendor portfolio; rationalize tools and services for value, performance, and compliance.
• Participate in purchasing and enhancement of third-party tools for GPS.
• Augment and potentially streamline existing Vendor Supplier Risk Assurance Program during evaluation of subcontractor compliance with applicable cybersecurity and data protection clauses.
• Drive a security‑first culture: ongoing training, phishing simulations, secure coding education, and leadership engagement including data protection and awareness and role-based training programs.
• Coordinate and respond to annual (or more frequent) independent risk assessments and cyber security reviews.

Qualifications:

• 12+ years of progressive cybersecurity leadership, including 5+ years at the enterprise or business‑unit executive level.
• 5+ years FISMA related experience
• Bachelor’s degree in IT-related field or bachelor’s degree in non-IT related field with a total of 10 years of information security experience
• Master’s degree preferred
• Ability to obtain and maintain Top Secret clearance
• US citizenship required
• Must have government sector experience
• Thorough knowledge and understanding of:

• • FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
  • NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
  • GSAM 552.239-70, Information Technology Security Plan and Security Authorization, 552.239-71, Security Requirements for Unclassified Information Technology Resources and similar clauses in agency FAR supplements
  • FISMA
• Specialized knowledge and experience with the implementation of the NIST Special Publication (SP) 800 family of publications, particularly those associated with the Risk Management Framework
• Proven experience in the Defense Industrial Base with DFARS/CMMC and NIST SP 800‑171 implementation and audits (including POA&M and SPRS management).
• Experience with FEDRAMP compliance authorization and monitoring
• Deep expertise securing Azure Government and Microsoft 365 GCC High environments
• Experience working with other Government cloud communities, including AWS
• Experience working with classified environments, achieving/maintaining ATOs, overseeing classified systems under NISPOM and DoD RMF, and working understanding of SCIF operations
• Knowledge and experience with vulnerability scanning execution, assessment, and analysis
• Knowledge and experience of networks, including LAN and WAN
• Knowledge and experience with application security, database security, and network security
• Experience with evaluating system, network, or infrastructure security controls against requirements such as FISMA, FIPS, and NIST guidelines
• Hands‑on leadership of DevSecOps and software security programs covering GitHub/Azure DevOps/Jenkins with SAST/DAST/SCA, IaC/container security, SBOMs, and supply‑chain controls.
• Demonstrated analytical, problem-solving, organizational, interpersonal and communication skills required.
• The ability to collaborate effectively with diverse stakeholders, including client-facing, legal, finance and contracting teams, executives, engineers, customers and assessors on a wide variety of tasks, as needed.
• Ability to foster professionalism and demonstrate integrity and confidentiality in all actions.
• Ability to demonstrate flexibility when required, sense urgency, organize and prioritize work, and achieve against tight deadlines.
• The ability to interpret and communicate regulatory requirements related to cybersecurity and data protection.
• Possession of excellent written/verbal communications skills.
• Possession of excellent analytical skills, including strict attention to detail.
• Ability to assess and weigh current and evolving security threats in an operational environment
• Possession of Information Systems Security Professional certification (CISSP)
• Certifications such as CISSP, CISM, CCISO, CCSP, CRISC, CISA, PMP, and relevant GIAC credentials preferred

Your key responsibilities

• Strategic direction: produce and document technology strategy primarily for the Domain Lead's security technology domain
  
• Thought leadership: provide security and business thought leadership at an enterprise level
  
• Process mapping and design: lead the mapping and design of business capabilities to current and future-state business processes technology solutions, and associated data architectures & models, ensuring alignment with GRC & IRM objectives
  
• Analytical assessment: conduct thorough analyses of existing processes to identify inefficiencies, challenges, and opportunities, providing actionable recommendations
  
• Stakeholder collaboration: drive engagement with key stakeholders across the organization to facilitate discussions, gather requirements, and ensure business needs are met in business architectures and implementations
  
• Risk integration: integrate risk management principles into business processes, ensuring that risk considerations are embedded in decision-making and operational practices
  
• Governance framework development: establish and maintain governance frameworks that define process ownership, accountability, and compliance requirements
  
• Change management support: design processes that facilitate user adoption and provide input for training and communication strategies
  
• Data management oversight: ensure that business processes are supported by accurate and relevant data, collaborating with IT and data management teams to integrate necessary systems
  
• Documentation standards: develop and enforce documentation standards, templates, and modeling conventions to ensure consistency and clarity in process representation
  
• Performance metrics definition: define and implement key performance indicators (KPIs) and metrics to measure process performance, maturity, and effectiveness, using data to drive continuous improvement
  
• Cross-functional leadership: lead cross-functional teams to ensure end-to-end business capability and process alignment, fostering collaboration and integration across various business units and functions
  
• Team Development: lead data and security architects through coaching, mentoring, and course correction
  

Skills and attributes for success

• Experience initiating new ideas and leading architectural activities
  
• Process mapping and design: ability to create detailed process maps and design future-state processes that align with organizational objectives
  
• Analytical thinking: strong analytical skills to identify inefficiencies, challenges, and opportunities for improvement within existing processes
  
• Stakeholder engagement: excellent communication and interpersonal skills to collaborate with various stakeholders, including business leaders, analysts, and technology teams
  
• Risk management knowledge: understanding of risk management principles and frameworks to effectively integrate risk considerations into business processes
  
• Governance framework development: experience in establishing governance frameworks and process ownership to ensure accountability and compliance
  
• Change management: skills in change management to support the adoption of new processes and ensure smooth transitions within the organization
  
• Data integration and management: knowledge of data architectures, data science, and data integration techniques & systems to ensure that processes are supported by accurate and relevant data
  
• Documentation and standards: proficiency in developing documentation standards, templates, and modeling conventions for consistent process representation
  
• Performance measurement: ability to define and implement metrics to measure process performance, maturity, and effectiveness
  
• Cross-functional collaboration: experience working across various business units and functions to ensure end-to-end process alignment and integration
  
• Ability to identify opportunities for cybersecurity transformation or enhancements
  
• 16+ years of experience in the Information Technology field
  
• 8+ years of architecture or technology leadership experience, including enterprise and business architecture
  
• 4+ years of experience working with business process and capability mapping
  
• 4+ years of experience working with data and AI strategy
  
• A Bachelor's degree in Business Administration, Information Systems, or a related field; a Master's degree is a plus
  
• Proven experience in business architecture, process design, and risk management, preferably within a GRC context
  
• Strong leadership skills with the ability to influence and drive change across the organization
  

Ideally, you’ll also have

• Security certifications such as CISSP or CISM
  
• TOGAF and/or SABSA architecture framework
  
• SANS Certifications including GSEC, ECSA, ECSP
  

What we look for

• Passion for making a difference
  
• Strong soft skills, with the ability to understand and integrate cultural diversity and work with cross-cultural and cross-organizational teams
  
• Deep technical acumen and critical thinking skills demonstrating an analytical and systematic approach to problem-solving
  
• Experience working in a global virtual environment
  
• Excellent written and verbal communication skills, including preparation and delivery of presentations
  
• Good judgment, tact, and decision-making ability for delivering practical architectures
  
• Ability to deal with ambiguity and change, exercising appropriate time management to meet objectives
  
• Ability to collaborate with team members and executive stakeholders, as well as work autonomously
  

Senior Commercialization Architect, Associate Director

Supporting the commercialization process, the role builds the frameworks, processes, methods, tools, and governance to facilitate the Go-To-Market (GTM) monetization transformation from input‑based, effort-driven, cost‑plus margin monetization into client value‑driven, output- and outcome‑based models, that appropriately share in all sources of value: efficiency, effectivness and enablement. The role leverages deep knowledge of product‑led growth (PLG) motions for digital/AI-native/tech-native/standardized products such as GBB (Good, Better, Best), free trial, and upsell/cross-sell and sales‑led growth (SLG) motions for services-oriented engagements such ROI calculators and value tables, when combined with historical professional services GTM motions, creates new, innovative, market leading positioning, packaging and monetization that accelerates our firm’s profitable growth ambitions.

Your key responsibilities

• Provide leadership, execution and accountability of the product and service commercialization factory including connecting the product, monetization, pricing and commercial models across Top End Audit, Transformations, Managed Services, and other business models, as needed.
• Create clarity from ambiguity, working with minimal data and available information, uncover leverage point(s) early in the commercialization process to swiftly identify, position, and monetize client value in support of accelerating profitable growth (increased revenue, expanded margins, improved win rates)
• Identify and align the value metric (business impact the client receives by using the product or service), the usage metric (the amount of product or service consumed by the client), and the pricing metric (how the client is invoiced, how the total price is calculated) in a way that meets the criteria of: easily definable, consistently measurable, high client demand, high expectation to pay, and high metric density
• Facilitate service decomposition, breaking down complex, customized, SMR-led services into configurable, modular components with defined, standard deliverables by mapping out steps in the solution value chain (inputs, activities, outputs, and outcomes) enabling monetization model maturity assessment, selection, activation, and adoption across the business
• Define, iterate, and refine the price list for an assigned set of products/services including the monetization model, monetization metric(s), price point(s), structured/sales discounts and incentives, client value tables, associated terms and conditions, and other related items, to increase price realization, reduce discounting/margin leakage, and increasing win rate
• Build trust-based relationships and influence decision making across internal and client stakeholders contributing to positive sum outcomes that unlock/expand client value, improve EY win rates, increase EY revenues and expand EY margins

Skills and attributes for success

• Fluent in all aspects of cost, competitor, client willingness to pay- and client value-driven pricing strategies and how these come together in EY’s primary market pricing games of custom, power, choice and value, considering the consolidation/fragmentation of buyers, competitor offer intensity, and choice architecture to influence client decision making
• Proven track record designing, modelling, shaping and structuring Top-end audit, transformations, and managed services utilizing innovative monetization and commercialization approaches aligned with the client’s value chain
• Robust knowledge of behavioral science such as prospect theory, loss aversion, anchoring and adjustment, cognitive load, framing, and choice architecture (options)
• Able to simplify the complex, establish credibility quickly and swiftly build trust-based influence with senior stakeholders while navigating the availability of limited/ambiguous information
• Collaborate effectively across a matrix organization showcasing pursuit and relationship management skills to deliver a high-quality work product while navigating conflicting interests

To qualify for the role you must have

• 12+ years of experience in professional services pricing/commercials, strategy consulting, corporate development and/or SaaS/Product commercialization
• Expert proficiency in financial modelling, monetization, pricing, accounting, budgeting and associated metrics
• Knowledge of qualitative and quantitative price setting and optimization techniques such as A/B testing, conjoint analysis, Gabor-Granger, Price Elasticity of Demand, Van Westendorp, and price laddering
• University/Bachelors’ degree or equivalent qualification required

Ideally, you’ll also have:

• MBA or master’s degree (or equivalent qualification) in Business or related field preferred
• As the job involves responding to clients' needs and varying time zones, flexible hours are regularly required
• Limited to moderate travel will be required