Sr. Security Engineer (Hybrid in Irvington, NY)
Corporate
**This is a hybrid role with 1-2 days/week in the office in Irvington, NY. We are seeking candidates who will not require sponsorship now or in the future**
We are seeking a Senior IT Security Engineer to serve as the primary owner of information security across EILEEN FISHER’s entire technology landscape. This is a hands-on leadership role responsible for managing all aspects of IT security—from PCI-DSS compliance and IT governance to WAF management, e-commerce protection, and safeguarding the systems and devices used by employees across retail, corporate, and remote environments. The ideal candidate is a seasoned security professional who can operate independently, build and mature a security program, and serve as the go-to expert for all security matters within the organization.
Summary of Duties and Responsibilities:
PCI-DSS & Compliance Ownership
• Own end-to-end PCI-DSS compliance across all retail point-of-sale, e-commerce, and payment processing environments
• Lead annual PCI assessments, QSA engagements, and remediation tracking to ensure continuous compliance
• Maintain and enforce the cardholder data environment (CDE) scope, segmentation, and documentation
• Coordinate PCI evidence collection, SAQ/ROC preparation, and audit readiness across all relevant systems
IT Governance & Security Program Management
• Develop, implement, and continuously improve IT security policies, standards, and procedures aligned with business strategy and frameworks (NIST CSF, CIS Controls, ISO 27001)
• Lead the annual enterprise risk assessment process, tracking findings and driving remediation to closure
• Establish and report on security KPIs and metrics to IT leadership and the executive team
• Own the security technology roadmap and prioritize investments in tools, controls, and capabilities
WAF & E-Commerce Security
• Serve as the primary owner of the organization’s WAF provider relationship—managing configuration, tuning, rule sets, and escalations to protect e-commerce and customer-facing platforms
• Monitor and respond to WAF alerts, DDoS events, bot activity, and web application threats
• Secure payment gateways, APIs, and customer data flows in alignment with PCI-DSS and OWASP best practices
• Partner with the e-commerce and development teams to embed security into the SDLC and deployment workflows
Employee & Endpoint Security
• Oversee endpoint protection across all employee devices, including corporate laptops, retail POS terminals, and mobile devices
• Manage email security, IAM, SSO/MFA (Okta, Azure AD), and privileged access controls
• Design and deliver security awareness training to protect employees from phishing, social engineering, and insider threats
• Enforce policies for secure remote work, BYOD, and store-level IT environments
Security Operations
• Direct day-to-day security operations including network monitoring, SIEM management, IDS/IPS, vulnerability scanning, and patch management
• Supervise incident response activities from detection through post-incident review and lessons learned
• Manage certificate lifecycle, sensitive data handling, and encryption standards (TLS/SSL, PKI, key management)
• Conduct and coordinate penetration testing and vulnerability management programs, tracking remediation to resolution
Cloud & Infrastructure Security
• Own security controls across cloud environments (AWS, Azure) including IAM, security groups, logging, and compliance tooling
• Collaborate with IT infrastructure teams to harden systems, enforce least-privilege, and maintain secure baselines
• Ensure secure configurations for SaaS applications, APIs, and third-party integrations
PERFORMS OTHER RELATED DUTIES AND ASSIGNMENTS AS REQUIRED.
Required Experience
• 7+ years of progressive IT security experience, with at least 3 years in a senior or lead security role
• Demonstrated end-to-end ownership of PCI-DSS compliance—including QSA engagement, CDE scoping, SAQ/ROC preparation, and continuous compliance across retail POS and e-commerce channels
• Hands-on experience managing WAF platforms (e.g., Cloudflare, Imperva, Akamai, AWS WAF) including rule tuning, alert response, and vendor relationship management
• Experience securing e-commerce environments: payment gateways, APIs, and customer data in alignment with PCI-DSS and OWASP Top 10
• Proven experience building and managing IT governance programs—policies, risk assessments, KPIs, and security roadmaps
• Ability to manage security across a distributed workforce including retail stores, corporate offices, and remote employees
• Experience with cloud security across AWS and/or Azure (IAM, security groups, logging, Microsoft Defender, Azure Defender)
• Strong knowledge of identity and access management (IAM), SSO/MFA (Okta, Azure AD/Entra ID), and privileged access controls
• Experience with SIEM platforms, IDS/IPS, endpoint detection & response (EDR), and vulnerability management tools
• Strong understanding of encryption, TLS/SSL, PKI, and key management
• Scripting/automation skills in Python, Bash, or PowerShell
• Excellent communication skills with the ability to present security risk to executive and non-technical audiences
• Industry certifications preferred: CISSP, CISM, PCI-ISA/QSA, or equivalent