Privileged Identity Manager (CyberArk & Azure PIM)

Hedge fund #AC099

Location: NYC or hybrid (open to other hubs)
Employment: Full-time
Team: Security / Identity
Reports to: Director, Identity & Access Management

Role Summary

Own and mature our Privileged Access & Identity controls across on-prem and cloud. You’ll be the hands-on lead for CyberArk (PAM/EPM) and Microsoft Entra ID (Azure AD) PIM, driving least-privilege, just-in-time access, and airtight controls for human and non-human identities.

What You’ll Do

  • Platform ownership: Administer and scale CyberArk (Vault, PVWA, CPM, PSM/PSMP/EPM) and Entra ID PIM for JIT/JEA workflows across infrastructure, apps, and SaaS.
  • Access design: Define and implement PAM/PIM policies, RBAC/ABAC, privileged session management/recording, break-glass, approval flows, and time-bound elevation.
  • Account lifecycle: Automate discovery, onboarding, and rotation of privileged accounts, service accounts, SSH keys, and secrets across Windows/Linux, databases, network devices, and cloud.
  • Hardening & monitoring: Integrate PAM/PIM with SIEM/SOAR (alerts, session search, UEBA); tune controls, policies, and detections to reduce risk.
  • Cloud & hybrid: Extend controls to Azure, AWS, and on-prem resources; enforce Conditional Access and MFA for elevated roles.
  • Compliance & audit: Produce evidence for SOX/ISO27001/SOC2; remediate findings; maintain access certifications and separation of duties.
  • Automation: Build runbooks and IaC/automation (PowerShell/Python/REST APIs) for policy deployment, onboarding, and reporting.
  • Partnerships: Enable SRE/Infra, Security Ops, and App teams with friction-light privileged workflows and clear documentation.
  • Reliability: Own platform health (patching, upgrades, DR/HA); manage incidents and on-call for PAM/PIM.

Required Experience

  • 7–10+ years in IAM/Security with 3+ years hands-on administering CyberArk (Vault/PVWA/CPM/PSM) and 2+ years Microsoft Entra ID (Azure AD) PIM at scale.
  • Proven design/implementation of JIT/JEA, session management, secrets rotation, and privileged workflow approvals.
  • Strong PowerShell and/or Python for automation; experience with REST APIs and CI/CD.
  • Windows & Linux admin fundamentals; AD/Entra ID, GPO, Conditional Access, MFA.
  • SIEM/SOAR integration for PAM/PIM (e.g., Splunk, Sentinel) and robust auditing/reporting.
  • Track record meeting SOX/ISO27001/SOC2 controls.

Nice to Have

  • CyberArk certifications (Defender/Sentry/Guardian); Microsoft SC-300/SC-100.
  • Experience with EPM (endpoint least-privilege), AAP/Conjur or other secrets managers, Kubernetes/containers, and vaulting for CI/CD.
  • Knowledge of AWS IAM, Azure RBAC/Managed Identities, and GCP IAM.
  • Infrastructure as Code (Terraform), config mgmt (Ansible).

What Success Looks Like (6–12 Months)

  • 100% coverage of in-scope privileged and service accounts in CyberArk; automated rotation.
  • JIT elevation via PIM for all admin roles; elimination of standing global admin access.
  • Privileged session recording and searchable logs integrated with SIEM; alerting on risky patterns.
  • Quarterly access reviews completed with 100% evidence and reduced exceptions.
  • Measurable reduction in local admin and excessive permissions across servers/endpoints.

Interview Process

  1. Recruiter screen (30m)
  2. Technical deep dive (CyberArk/PIM design, whiteboard)
  3. Architecture & automation review (scripts/runbooks)
  4. Stakeholder panel (Infra/SRE/SecOps)
  5. Final with hiring leader

To apply for this job email your details to Graham.Gates@TechExecOnline.com
