Job Description
The FinOps – Security & Compliance Architect is accountable for the end-to-end security architecture, threat modeling, and compliance posture of the Collector Agent Layer, including agent-based telemetry and internal cloud usage metering implementations.
This role serves as a mandatory Phase 0 security gate, with formal security sign-off required before any agent or collector is permitted to interact with production environments. The architect establishes and governs cryptographic trust models, secure identity and authentication mechanisms, tamper detection controls, and enterprise secrets management integrations to ensure all agent-based data collection is secure, auditable, and compliant with enterprise and regulatory standards.
________________________________________
Key Responsibilities
Threat Modeling & Phase 0 Governance
• Own the Collector Agent Layer Threat Model and act as the signed Phase 0 gate, blocking production deployment until formal security sign-off is recorded
• Define trust boundaries, attack surfaces, and threat vectors for agent-based architectures
• Ensure threat models are reviewed, approved, version-controlled, and retained prior to any production access
• Establish and enforce security acceptance criteria required before agents are authorized to operate
________________________________________
Secure Identity, Authentication & Trust
• Design and govern mTLS PKI architecture, including:
o Certificate issuance
o Rotation and revocation
o Trust chain management
• Define and enforce Kafka authentication and authorization controls using SASL/SCRAM or enterprise-approved equivalents
• Ensure least-privilege identity binding between agents, brokers, and downstream systems
________________________________________
Data Integrity & Tamper Protection
• Architect HMAC-based integrity and tamper detection controls to ensure message authenticity and integrity across the agent pipeline (HMAC alone does not provide non-repudiation, since every key holder can produce a valid tag; where non-repudiation is required, pair it with asymmetric signatures)
• Define validation, replay protection, and integrity verification patterns for collected telemetry and events
• Partner with platform teams to embed integrity enforcement into agent runtime and transport layers
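The integrity, validation and replay-protection pattern described in the bullets above, as an added illustration that is not part of the job posting and not any employer's code: each telemetry record carries the agent identity, a per-agent monotonic sequence number and a timestamp, all covered by an HMAC-SHA256 tag; the consumer verifies the tag with a constant-time comparison before trusting any field, rejects records outside a clock-skew window, and rejects any sequence number already seen for that agent. The key, agent names, field names and sample records are assumptions constructed for this example.

```python
"""Added example (not from the job posting): HMAC integrity and replay
protection for agent telemetry. Key, agent IDs and records are constructed."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumed: a per-agent key delivered at runtime from the enterprise secrets store.
AGENT_KEY = b"example-agent-key-not-for-production"
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization so producer and consumer MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key: bytes, agent_id: str, seq: int, payload: dict,
                ts: Optional[float] = None) -> dict:
    """Producer side: bind agent identity, sequence and timestamp under the MAC."""
    record = {
        "agent_id": agent_id,
        "seq": seq,
        "ts": int(ts if ts is not None else time.time()),
        "payload": payload,
    }
    record["mac"] = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return record


class TelemetryVerifier:
    """Consumer side: MAC check first, then freshness, then replay detection."""

    def __init__(self, key: bytes, max_skew: int = MAX_CLOCK_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.last_seq: Dict[str, int] = {}  # agent_id -> highest accepted seq

    def verify(self, record: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        unsigned = {k: v for k, v in record.items() if k != "mac"}
        expected = hmac.new(self.key, canonical_bytes(unsigned), hashlib.sha256).hexdigest()
        # Constant-time comparison: no field is trusted before the tag checks out.
        if not hmac.compare_digest(expected, str(record.get("mac", ""))):
            return False, "bad_mac"
        if abs(now - unsigned["ts"]) > self.max_skew:
            return False, "stale_timestamp"
        agent = unsigned["agent_id"]
        if unsigned["seq"] <= self.last_seq.get(agent, -1):
            return False, "replay"
        self.last_seq[agent] = unsigned["seq"]
        return True, "ok"


def demo() -> list:
    """Runs the four cases a reviewer would ask about: valid, replayed, tampered, stale."""
    now = 1_700_000_000
    verifier = TelemetryVerifier(AGENT_KEY)
    record = sign_record(AGENT_KEY, "agent-01", 1, {"cpu_hours": 12.5}, ts=now)
    results = [verifier.verify(record, now)]            # fresh, valid record
    results.append(verifier.verify(record, now))         # same record delivered twice
    tampered = dict(record)
    tampered["payload"] = {"cpu_hours": 0.1}             # usage altered after signing
    results.append(verifier.verify(tampered, now))
    stale = sign_record(AGENT_KEY, "agent-01", 2, {"cpu_hours": 1.0}, ts=now - 3600)
    results.append(verifier.verify(stale, now))          # valid MAC, outside skew window
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

Sequence tracking per agent is the simplest replay defence for a single consumer; across partitioned Kafka consumers the sequence state has to live in shared storage or be keyed by partition, and the timestamp window still bounds how long a captured record stays replayable while that state is unavailable.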
________________________________________
Secrets Management & Vault Integration
• Design secure integration patterns with Bank-approved Vault services for secrets, certificates, and cryptographic keys
• Enforce strict separation between build-time, deploy-time, and runtime secrets
• Define access controls, rotation policies, and audit requirements for all sensitive agent materials
________________________________________
Compliance, Risk & Audit Readiness
• Ensure collector and agent designs meet internal security standards, regulatory expectations, and audit requirements
• Produce security artifacts including:
o Threat models
o Architecture diagrams
o Control mappings
• Act as the security authority for agent-based exceptions, risk acceptances, and remediation plans
________________________________________
Architecture Collaboration & Enablement
• Partner with platform, data, infrastructure, and FinOps architects to embed security-by-design principles
• Provide authoritative guidance during architecture reviews, design forums, and security assessments
• Mentor engineering teams on secure agent design patterns and control implementation
________________________________________
Architecture & Leadership Capabilities
• Demonstrated ability to operate as a Phase 0 gatekeeper with authority to block unsafe or non-compliant designs
• Strong communication skills to influence senior engineers, architects, and risk partners
• Ability to balance security rigor with platform scalability and delivery velocity
________________________________________
Preferred Certification
• FinOps Certified Practitioner or FinOps Certified Professional
We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com. To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.
Required Skills & Experience
• 7+ years of experience in security architecture and threat modeling for distributed and agent-based systems
• Deep expertise in PKI, X.509 certificates, mutual TLS (mTLS), and cryptographic trust models
• Hands-on experience securing Kafka, including SASL/SCRAM authentication and authorization
• Proven experience designing HMAC-based message integrity and tamper detection mechanisms
• Enterprise-scale experience integrating with Vault or centralized secrets management platforms
• Strong understanding of least privilege access, Zero Trust principles, and defense-in-depth
• Demonstrated ability to operate as a formal security control owner and signatory
• Experience producing security artifacts for risk, compliance, and audit stakeholders
• FinOps Certified Practitioner or FinOps Certified Professional (preferred)
Benefit packages for this role will start on the 1st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.