Application Engineering Technical Lead - II

Global Risk and Security (GR&S) at Vanguard enables business strategy, protects client and Vanguard interests (e.g., assets and data), and stewards a strong risk culture. Our teams leverage enterprise-wide insights, deep expertise, and trusted advice so that across Vanguard leaders and crew drive faster, stronger, risk-informed decisions.

Within GR&S, the Enterprise Security and Fraud (ES&F) sub-division is responsible for the global protection of Vanguard crew, property, data, and client assets. We are the trusted advisors that protect the pride of Vanguard with state-of-the-art security and fraud capabilities. We are a world-class destination of highly engaged, passionate, and diverse talent expected to continuously learn and develop in an ever-changing security landscape.

Our crew are our greatest resource – by joining our team you will build collaborative long-term relationships and enjoy a suite of benefits that includes comprehensive health and wellness care, work-life balance, and an investment in your future at its core.

Privileged Access Management (CyberArk) — Technical Lead

Role Summary

We’re seeking a hands‑on Technical Lead to own and evolve our CyberArk‑based Privileged Access Management platform. You will provide day‑to‑day technical leadership, architect and deliver platform enhancements, drive automation (PowerShell first), and integrate PAM with AWS (EC2, Windows, Linux) workloads and CI/CD pipelines (GitHub). You’ll be the escalation point for complex incidents, mentor engineers, and ensure controls meet security, audit, and uptime expectations.

Key Responsibilities

Technical Leadership & Delivery

• Serve as the technical owner for the CyberArk PAM platform (e.g., PVWA, PSM, CPM, CCP, REST APIs), setting technical direction, prioritizing work, and guiding a small squad of PAM engineers.

• Translate risk, compliance, and audit requirements into secure, reliable designs, standards, and runbooks; review and approve platform changes.

Platform Engineering & Automation

• Design, implement, and optimize platform policies, platforms, safes, rotations, and reconciliation; automate repeatable tasks using PowerShell (preferred) and Python (nice to have).

• Build and maintain GitHub‑based CI/CD (Actions/workflows) to version, test, and deploy CyberArk configuration-as‑code and custom utilities; enforce branching and code‑review standards.

Cloud & OS Integrations

• Integrate PAM with AWS (with emphasis on EC2, Windows and Linux hosts): onboard privileged accounts and secrets, and  harden session flows (PSM/PSMP).

• Champion JIT privileged access patterns for cloud and on‑prem, minimizing standing privilege while preserving operational velocity.

Operations, Reliability & Troubleshooting

• Own incident response and problem management for PAM: lead major incident bridges, perform root cause analysis, and implement corrective/preventive actions.

• Define and track SLAs(e.g., vault availability, checkout/rotation success, PSM session health, onboarding cycle time); build dashboards and actionable alerts.

Security & Compliance

• Ensure adherence to internal SOPs and user procedures for PAM operation and access hygiene,

• Partner with Audit, Risk, and Security Engineering to evidence controls, complete assessments, and pass audits without exceptions.

Stakeholder Management & Mentoring

• Collaborate with platform, app, and infrastructure owners to onboard use cases, plan releases, and communicate changes.

• Coach and upskill engineers in PAM concepts, secure automation, and operational excellence.

Required Qualifications

• 7+ years TL experience, including 3+ years leading technical delivery or a platform engineering squad.

• Expert troubleshooting across Windows and Linux, including credential flows, session brokering, networking, DNS/Kerberos/LDAP, and endpoint agents.

• PowerShell development: modules, robust error handling, logging/telemetry, parallelization, and secure secret handling.

• GitHub: Actions/workflows, environment protection rules, reusable workflows, code reviews, and artifact/version management.

• AWS: Practical experience with EC2 and OS‑level onboarding (Windows & Linux), SSM/Run Command/Session Manager, tagging/auto‑onboarding patterns, VPC/security group fundamentals.

• Strong understanding of CyberArk components (PVWA, CPM, PSM, EPM/Endpoint Privilege Management), policy design, platform plug‑ins, and API usage.

• Proven ability to write clear runbooks/SOPs, influence architecture decisions, and lead incident bridges.

Preferred Qualifications

• Python for REST/API integrations, data shaping, and service utilities.

• Experience with secrets management for apps/automation (e.g., Secrets Manager/API‑based retrieval).

• IaC exposure (CloudFormation or Terraform) for PAM‑adjacent infrastructure.

• Familiarity with logging/observability stacks (CloudWatch, Splunk) and SIEM integrations for PAM events.

Special Factors

Sponsorship

About Vanguard

At Vanguard, we don't just have a mission—we're on a mission.

To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.

How We Work

Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.