Lead Cyber Security Engineer (Onsite)

Job Details:
Job Description

The SAP Security & Platform Security Engineer is an experienced SAP and Workday security professional with deep expertise in SAP GRC, Workday security configuration, Emergency Access/Firefighter processes, and cross application Segregation of Duties and privileged access controls. This role is responsible for architecting secure integrations for SAP's Joule AI capabilities and promoting Responsible AI and privacy by design principles. The engineer partners closely with IT, HRIS, Audit, Compliance, and business stakeholders to align SAP and Workday security with the enterprise Privileged Access Management (PAM) program, ensuring secure, compliant, and efficient access across the organization.

Essential Duties and Responsibilities

Lead the redesign and governance of SAP Emergency Access Management (Firefighter), including policy development, workflow design, automated logging and auditing, and stakeholder training.

Architect secure end-to-end SAP security for Business AI/Joule, integrating IAS/IPS, SCIM/IPS provisioning, Global User ID strategy, OIDC authentication, and user bound principal propagation.

Implement core AI security controls aligned with Responsible AI principles; including authentication, authorization, encryption, masking, content filtering, and RAG processes.

Establish a unified cross application Segregation of Duties (SoD) framework across SAP, Workday, and other enterprise systems, defining risks, rulesets, and mitigating controls.

Lead SoD and access risk remediation efforts by refining user access, adjusting roles, and coordinating with audit and compliance teams to meet SOX, GDPR, and regulatory requirements.

Integrate SAP and Workday privileged access requirements into the enterprise PAM framework and define standardized workflows for request, approval, usage, and revocation of elevated access.

Lead Workday security architecture, including security groups, domain policies, role hierarchies, permission models, and consistent least privilege design.

Oversee enterprise access governance, including periodic access reviews, JML processes, and certification cycles to prevent entitlement creep.

Act as the primary liaison across IT Security, HRIS, Audit, Compliance, and business stakeholders to ensure alignment of SAP and Workday security with PAM, SoD, and enterprise IAM strategies.

Conduct audits, risk assessments, and remediation planning while delivering clear reporting, training, and communication to stakeholders.
Outcomes

A modern, policy driven SAP Emergency Access program that ensures controlled, traceable, and audit ready emergency access while reducing misuse and backlog.

Secure, identity consistent AI enablement for Joule, ensuring AI actions operate strictly within user authorized privileges and comply with Responsible AI requirements.

A unified SoD framework that provides enterprise-wide visibility into access risks, minimizes cross process conflicts, and improves audit readiness.

Reduced privileged access risk through standardized PAM workflows, centralized oversight, and integrated logging across SAP and Workday.

A resilient Workday security architecture with well-structured roles, controlled permissions, and documentation aligned with audit and compliance expectations.

A strengthened compliance posture with faster remediation, fewer audit findings, and alignment with SOX, GDPR, and enterprise security standards.

Improved lifecycle access governance that prevents entitlement creep and ensures least privilege access across all business areas.

More effective cross functional collaboration, resulting in consistent controls, clear ownership, and greater confidence from leadership and audit stakeholders.

Qualifications

SAP Security & GRC Expertise: 5-10+ years designing SAP roles and authorizations, managing GRC Access Control, and leading Firefighter, SoD analysis, and access risk remediation in S/4HANA and Fiori.

Workday Security Experience: 3-5+ years configuring Workday's role-based security model, including domain policies, security groups, hierarchies, granular permissions, and SoD controls.

Privileged Access & Identity Management: Experience designing and operating PAM/EAM workflows, enforcing least privilege access, and supporting audit, monitoring, and compliance processes.

Cross Application SoD & Governance: Ability to define and manage SoD rulesets across SAP and Workday using platforms such as SAP IAG for unified risk visibility and mitigation.

AI & SAP Security Architecture: Understanding of SAP Business AI/Joule, IAS/IPS, SCIM provisioning, OIDC authentication, principal propagation, and AI security controls aligned with Responsible AI principles.

Education & Certifications: Bachelor's degree in Computer Science, Information Systems, Cybersecurity, or a related field; certifications such as CISSP, CISM, CISA, SAP Security/GRC, or Workday Security preferred.

Leadership & Communication: Strong ability to lead cross functional security initiatives and communicate complex IAM and AI security concepts to technical teams, business partners, auditors, and senior leadership.

Special Skills

SAP security design and GRC expertise

SoD analysis and cross application ruleset creation

SAP S/4HANA, Ariba, Concur, Fieldglass authorization knowledge

Workday security configuration and permission modeling

Workday hierarchies, security groups, and SoD controls

Privileged access management (PAM/EAM) operations

Emergency access workflows, logging, and auditing

SIEM and GRC platform integration

Identity federation (OIDC, SAML, OAuth 2.0)

SCIM/IPS based identity synchronization

AI security (encryption, masking, content filtering)

Responsible AI governance

JML governance and access certification

Risk mitigation and compensating controls

IAM roadmap and program planning

Soft Skills

Cross functional leadership

Clear communication of complex security concepts

Strong collaboration with HR, IT, audit, and compliance teams

Analytical problem solving

Change management and process adoption

Leadership for large security initiatives

Team mentoring and capability development

Security awareness advocacy

** Not eligible for visa sponsorship now or in the future **

Relocation Assistance Eligible:
No

Work Shift:
1ST SHIFT (United States of America)

Certain roles at Tyson require background checks. If you are offered a position that requires a background check you will be provided additional documentation to complete once an offer has been extended.

Hourly Applicants ONLY -You must complete the task after submitting your application to provide additional information to be considered for employment.

The successful candidate(s) must be willing and able to perform the physical requirements of the job with or without a reasonable accommodation.

Tyson is an Equal Opportunity Employer. All qualified applicants will be considered without regard to race, national origin, color, religion, age, genetics, sex, sexual orientation, gender identity, disability or veteran status.

We provide our team members and their families with paid time off; 401(k) plans; affordable health, life, dental, vision and prescription drug benefits; and more.

If you would like to learn more about your data privacy rights and how you may use that information, please read our Job Applicant Privacy Notice here

Unsolicited Assistance: Tyson Foods and its subsidiaries do not accept unsolicited support from external recruitment vendors for open positions within the United States. Any resumes or candidate profiles submitted by recruitment vendors or headhunters to any employee or applicant tracking system at Tyson Foods or its subsidiaries, without a valid written request and search agreement approved by HR, will be considered the property of Tyson Foods. No fees will be paid if the candidate is hired due to an unsolicited referral.