
Business Title Application Engineering Technical Lead - II

Today Charlotte, NC

Global Risk and Security (GR&S) at Vanguard enables business strategy, protects client and Vanguard interests (e.g., assets and data), and stewards a strong risk culture. Our teams leverage enterprise-wide insights, deep expertise, and trusted advice so that leaders and crew across Vanguard drive faster, stronger, risk-informed decisions.

Within GR&S, the Enterprise Security and Fraud (ES&F) sub-division is responsible for the global protection of Vanguard crew, property, data, and client assets. We are the trusted advisors that protect the pride of Vanguard with state-of-the-art security and fraud capabilities. We are a world-class destination of highly engaged, passionate, and diverse talent expected to continuously learn and develop in an ever-changing security landscape.

Our crew are our greatest resource - by joining our team you will build collaborative long-term relationships and enjoy a suite of benefits that includes comprehensive health and wellness care, work-life balance, and an investment in your future at its core.

Privileged Access Management (CyberArk) - Technical Lead

Role Summary

We're seeking a hands-on Technical Lead to own and evolve our CyberArk-based Privileged Access Management platform. You will provide day-to-day technical leadership, architect and deliver platform enhancements, drive automation (PowerShell first), and integrate PAM with AWS (EC2, Windows, Linux) workloads and CI/CD pipelines (GitHub). You'll be the escalation point for complex incidents, mentor engineers, and ensure controls meet security, audit, and uptime expectations.

Key Responsibilities

Technical Leadership & Delivery

  • Serve as the technical owner for the CyberArk PAM platform (e.g., PVWA, PSM, CPM, CCP, REST APIs), setting technical direction, prioritizing work, and guiding a small squad of PAM engineers.
  • Translate risk, compliance, and audit requirements into secure, reliable designs, standards, and runbooks; review and approve platform changes.

Platform Engineering & Automation

  • Design, implement, and optimize platform policies, platforms, safes, rotations, and reconciliation; automate repeatable tasks using PowerShell (preferred) and Python (nice to have).
  • Build and maintain GitHub-based CI/CD (Actions/workflows) to version, test, and deploy CyberArk configuration-as-code and custom utilities; enforce branching and code-review standards.

Cloud & OS Integrations

  • Integrate PAM with AWS (with emphasis on EC2, Windows and Linux hosts): onboard privileged accounts and secrets, and harden session flows (PSM/PSMP).
  • Champion JIT privileged access patterns for cloud and on-prem, minimizing standing privilege while preserving operational velocity.

Operations, Reliability & Troubleshooting

  • Own incident response and problem management for PAM: lead major incident bridges, perform root cause analysis, and implement corrective/preventive actions.
  • Define and track SLAs (e.g., vault availability, checkout/rotation success, PSM session health, onboarding cycle time); build dashboards and actionable alerts.

Security & Compliance

  • Ensure adherence to internal SOPs and user procedures for PAM operation and access hygiene.
  • Partner with Audit, Risk, and Security Engineering to evidence controls, complete assessments, and pass audits without exceptions.

Stakeholder Management & Mentoring

  • Collaborate with platform, app, and infrastructure owners to onboard use cases, plan releases, and communicate changes.
  • Coach and upskill engineers in PAM concepts, secure automation, and operational excellence.

Required Qualifications

  • 7+ years TL experience, including 3+ years leading technical delivery or a platform engineering squad.
  • Expert troubleshooting across Windows and Linux, including credential flows, session brokering, networking, DNS/Kerberos/LDAP, and endpoint agents.
  • PowerShell development: modules, robust error handling, logging/telemetry, parallelization, and secure secret handling.
  • GitHub: Actions/workflows, environment protection rules, reusable workflows, code reviews, and artifact/version management.
  • AWS: Practical experience with EC2 and OS-level onboarding (Windows & Linux), SSM/Run Command/Session Manager, tagging/auto-onboarding patterns, VPC/security group fundamentals.
  • Strong understanding of CyberArk components (PVWA, CPM, PSM, EPM/Endpoint Privilege Management), policy design, platform plug-ins, and API usage.
  • Proven ability to write clear runbooks/SOPs, influence architecture decisions, and lead incident bridges.

Preferred Qualifications

  • Python for REST/API integrations, data shaping, and service utilities.
  • Experience with secrets management for apps/automation (e.g., Secrets Manager/API-based retrieval).
  • IaC exposure (CloudFormation or Terraform) for PAM-adjacent infrastructure.
  • Familiarity with logging/observability stacks (CloudWatch, Splunk) and SIEM integrations for PAM events.

Special Factors

Sponsorship
Vanguard is not offering visa sponsorship for this position.

About Vanguard

At Vanguard, we don't just have a mission - we're on a mission.

To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.

How We Work

Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.

Client-provided location(s): Charlotte, NC, Dallas, TX, Malvern, PA
Job ID: Vanguard-174208
Employment Type: FULL_TIME
Posted: 2026-01-21T20:03:21

Perks and Benefits

  • Health and Wellness

    • FSA
    • HSA
    • Health Reimbursement Account
    • Fitness Subsidies
    • On-Site Gym
    • HSA With Employer Contribution
    • Health Insurance
    • Dental Insurance
    • Vision Insurance
    • Life Insurance
    • Short-Term Disability
    • Long-Term Disability
    • Mental Health Benefits
    • Virtual Fitness Classes
    • Pet Insurance
  • Parental Benefits

    • Non-Birth Parent or Paternity Leave
    • Birth Parent or Maternity Leave
    • Fertility Benefits
    • Adoption Assistance Program
    • Family Support Resources
    • Adoption Leave
  • Work Flexibility

    • Flexible Work Hours
    • Hybrid Work Opportunities
  • Office Life and Perks

    • Company Outings
    • Commuter Benefits Program
    • Casual Dress
    • Happy Hours
    • Snacks
    • Some Meals Provided
    • On-Site Cafeteria
  • Vacation and Time Off

    • Personal/Sick Days
    • Paid Holidays
    • Paid Vacation
    • Volunteer Time Off
    • Leave of Absence
  • Financial and Retirement

    • Relocation Assistance
    • Performance Bonus
    • 401(K) With Company Matching
    • 401(K)
    • Financial Counseling
    • Profit Sharing
  • Professional Development

    • Promote From Within
    • Mentor Program
    • Shadowing Opportunities
    • Access to Online Courses
    • Tuition Reimbursement
    • Internship Program
    • Lunch and Learns
    • Leadership Training Program
  • Diversity and Inclusion

    • Diversity, Equity, and Inclusion Program
    • Employee Resource Groups (ERG)
