Sr. Security Engineer (Hybrid in Irvington, NY)
EILEEN FISHER, INC. · Irvington, NY · 1 wk ago
Information TechnologyFull-time
Summary of Duties and Responsibilities
- Own end-to-end PCI-DSS compliance across all retail point-of-sale, e-commerce, and payment processing environments
- Lead annual PCI assessments, QSA engagements, and remediation tracking to ensure continuous compliance
- Maintain and enforce the cardholder data environment (CDE) scope, segmentation, and documentation
- Coordinate PCI evidence collection, SAQ/ROC preparation, and audit readiness across all relevant systems
- Develop, implement, and continuously improve IT security policies, standards, and procedures aligned with business strategy and frameworks (NIST CSF, CIS Controls, ISO 27001)
- Lead the annual enterprise risk assessment process, tracking findings and driving remediation to closure
- Establish and report on security KPIs and metrics to IT leadership and the executive team
- Own the security technology roadmap and prioritize investments in tools, controls, and capabilities
- Serve as the primary owner of the organization’s WAF provider relationship—managing configuration, tuning, rule sets, and escalations to protect e-commerce and customer-facing platforms
- Monitor and respond to WAF alerts, DDoS events, bot activity, and web application threats
- Secure payment gateways, APIs, and customer data flows in alignment with PCI-DSS and OWASP best practices
- Partner with the e-commerce and development teams to embed security into the SDLC and deployment workflows
- Oversee endpoint protection across all employee devices, including corporate laptops, retail POS terminals, and mobile devices
- Manage email security, IAM, SSO/MFA (Okta, Azure AD), and privileged access controls
- Design and deliver security awareness training to protect employees from phishing, social engineering, and insider threats
- Enforce policies for secure remote work, BYOD, and store-level IT environments
- Direct day-to-day security operations including network monitoring, SIEM management, IDS/IPS, vulnerability scanning, and patch management
- Supervise incident response activities from detection through post-incident review and lessons learned
- Manage certificate lifecycle, sensitive data handling, and encryption standards (TLS/SSL, PKI, key management)
- Conduct and coordinate penetration testing and vulnerability management programs, tracking remediation to resolution
- Own security controls across cloud environments (AWS, Azure) including IAM, security groups, logging, and compliance tooling
- Collaborate with IT infrastructure teams to harden systems, enforce least-privilege, and maintain secure baselines
- Ensure secure configurations for SaaS applications, APIs, and third-party integrations
Required Experience
- 7+ years of progressive IT security experience, with at least 3 years in a senior or lead security role
- Demonstrated end-to-end ownership of PCI-DSS compliance—including QSA engagement, CDE scoping, SAQ/ROC preparation, and continuous compliance across retail POS and e-commerce channels
- Hands-on experience managing WAF platforms (e.g., Cloudflare, Imperva, Akamai, AWS WAF) including rule tuning, alert response, and vendor relationship management
- Experience securing e-commerce environments: payment gateways, APIs, and customer data in alignment with PCI-DSS and OWASP Top 10
- Proven experience building and managing IT governance programs—policies, risk assessments, KPIs, and security roadmaps
- Ability to manage security across a distributed workforce including retail stores, corporate offices, and remote employees
- Experience with cloud security across AWS and/or Azure (IAM, security groups, logging, Microsoft Defender, Azure Defender)
- Strong knowledge of identity and access management (IAM), SSO/MFA (Okta, Azure AD/Entra ID), and privileged access controls
- Experience with SIEM platforms, IDS/IPS, endpoint detection & response (EDR), and vulnerability management tools
- Strong understanding of encryption, TLS/SSL, PKI, and key management
- Scripting/automation skills in Python, Bash, or PowerShell
- Excellent communication skills with the ability to present security risk to executive and non-technical audiences
- Industry certifications preferred: CISSP, CISM, PCI-ISA/QSA, or equivalent