Endpoint Cloud Security Engineer

Pay range: USD $155,000.00 - $185,000.00 / Year

Your opportunity

At Schwab, you're empowered to make an impact on your career. Here, innovative thought meets creative problem solving, helping us "challenge the status quo" and transform the finance industry together.

We believe in the importance of in-office collaboration and fully intend for the selected candidate for this role to work on site in the specified location(s).

We are seeking a highly skilled, advisory-focused Senior Endpoint Security Engineer with deep expertise in cloud workload security. In this role, you will serve as a subject matter expert, providing guidance, reviews, and approvals for endpoint detection and response (EDR) and cloud workload security across AWS and GCP. This is not a hands-on implementation role; instead, you will influence design, evaluate risk, ensure standards compliance, and represent security interests in engineering and architecture conversations.

What you'll be responsible for:

Cloud Endpoint Security Governance & Advisory

• Provide expert guidance on EDR strategy, standards, and policy expectations for AWS and GCP workloads.
• Review and advise on EDR policy changes proposed by engineering teams to ensure alignment with Schwab's security controls and regulatory requirements.
• Interpret detection, prevention, and tuning requests and provide recommendations grounded in cloud workload behavior and threat models.

• Define expectations for cloud unit-level EDR deployment and telemetry coverage across AWS and GCP compute platforms (EC2, GCE, containers, serverless).
• Review engineering teams' implementation plans and identify gaps, risks, or deviations from required controls.
• Influence platform teams to incorporate endpoint protections into compute and container service baselines.

• Lead security risk assessments for cloud workloads, architectural changes, and new services.
• Evaluate risk findings for completeness, severity, and alignment with enterprise standards.
• Provide risk-based recommendations and escalate residual risk where appropriate.

• Conduct architecture and design reviews for AWS and GCP workloads.
• Validate adherence to security principles, including identity and access models, segmentation, encryption, secrets management, runtime security, and logging.
• Provide advisory approval or required changes for workloads moving through governance processes.

• Review platform-level architectures for services such as EKS, GKE, ECS, Cloud Run, Lambda, and GCE.
• Recommend improvements to platform controls including image governance, pipeline security, workload identity, configuration hygiene, and runtime telemetry.
• Serve as a trusted advisor to platform owners for roadmap planning and major design initiatives.

• Represent the Security Engineering perspective in cloud governance, DevSecOps forums, architecture review boards, and engineering collaboration groups.
• Advocate for secure architecture decisions while balancing operational requirements and business goals.
• Communicate complex security considerations to technical and non-technical stakeholders with clarity and influence.

• Bachelor's degree in computer science or a related field.
• 7+ years of progressive cybersecurity engineering experience.
• Minimum 3 years of experience advising or engineering endpoint security controls in public cloud environments (AWS or GCP required).
• At least 3 years of technical experience with AWS, Azure, or GCP cloud services.
• Experience with cloud-native security tools such as Wiz, Prisma, or Zscaler.
• Proficiency in at least one automation or scripting language (Python, Bash, PowerShell, Golang).
• Familiarity with DevSecOps practices, CI/CD tooling, and infrastructure-as-code concepts (Terraform, Ansible, Salt, etc.).
• Strong understanding of cloud architecture patterns, workload risk drivers, and security control design.
• Experience supporting or advising on security in a highly regulated industry, ideally financial services.
• Experience with mission-critical, 24x7 environments.

• Relevant cybersecurity certifications such as CISSP, CCSP, CCSK, or cloud provider security certifications.
• Understanding of cloud provider services across compute, storage, database, AI/ML, and middleware.
• Demonstrated ability to stay current with emerging threats, vulnerabilities, and cloud security technologies.
• Excellent communication skills with the ability to articulate complex technical concepts to engineers and leadership.

• 401(k) with company match and Employee stock purchase plan
• Paid time for vacation, volunteering, and 28-day sabbatical after every 5 years of service for eligible positions
• Paid parental leave and family building benefits
• Tuition reimbursement
• Health, dental, and vision insurance