Global Risk and Security (GR&S) at Vanguard enables business strategy, protects client and Vanguard interests (e.g., assets and data), and stewards a strong risk culture. Our teams leverage enterprise-wide insights, deep expertise, and trusted advice so that across Vanguard leaders and crew drive faster, stronger, risk-informed decisions.
Within GR&S, the
Enterprise Security and Fraud (ES&F) sub-division is responsible for the global protection of Vanguard crew, property, data, and client assets. We are the trusted advisors that protect the pride of Vanguard with state-of-the-art security and fraud capabilities. We are a world-class destination of highly engaged, passionate, and diverse talent expected to continuously learn and develop in an ever-changing security landscape.
Our crew are our greatest resource - by joining our team you will build collaborative long-term relationships and enjoy a suite of benefits that includes comprehensive health and wellness care, work-life balance, and an investment in your future at its core.
Privileged Access Management (CyberArk) - Technical Lead Role Summary We're seeking a hands-on Technical Lead to own and evolve our
CyberArk-based Privileged Access Management platform. You will provide day-to-day technical leadership, architect and deliver platform enhancements, drive automation (PowerShell first), and integrate PAM with
AWS (EC2, Windows, Linux) workloads and CI/CD pipelines (
GitHub ). You'll be the escalation point for complex incidents, mentor engineers, and ensure controls meet security, audit, and uptime expectations.
Key Responsibilities Technical Leadership & Delivery - Serve as the technical owner for the CyberArk PAM platform (e.g., PVWA, PSM, CPM, CCP, REST APIs), setting technical direction, prioritizing work, and guiding a small squad of PAM engineers.
- Translate risk, compliance, and audit requirements into secure, reliable designs, standards, and runbooks; review and approve platform changes.
Platform Engineering & Automation - Design, implement, and optimize platform policies, platforms, safes, rotations, and reconciliation; automate repeatable tasks using PowerShell (preferred) and Python (nice to have).
- Build and maintain GitHub-based CI/CD (Actions/workflows) to version, test, and deploy CyberArk configuration-as-code and custom utilities; enforce branching and code-review standards.
Cloud & OS Integrations - Integrate PAM with AWS (with emphasis on EC2, Windows and Linux hosts): onboard privileged accounts and secrets, and harden session flows (PSM/PSMP).
- Champion JIT privileged access patterns for cloud and on-prem, minimizing standing privilege while preserving operational velocity.
Operations, Reliability & Troubleshooting - Own incident response and problem management for PAM: lead major incident bridges, perform root cause analysis, and implement corrective/preventive actions.
- Define and track SLAs(e.g., vault availability, checkout/rotation success, PSM session health, onboarding cycle time); build dashboards and actionable alerts.
Security & Compliance - Ensure adherence to internal SOPs and user procedures for PAM operation and access hygiene,
- Partner with Audit, Risk, and Security Engineering to evidence controls, complete assessments, and pass audits without exceptions.
Stakeholder Management & Mentoring - Collaborate with platform, app, and infrastructure owners to onboard use cases, plan releases, and communicate changes.
- Coach and upskill engineers in PAM concepts, secure automation, and operational excellence.
Required Qualifications - 7+ years TL experience, including 3+ years leading technical delivery or a platform engineering squad.
- Expert troubleshooting across Windows and Linux, including credential flows, session brokering, networking, DNS/Kerberos/LDAP, and endpoint agents.
- PowerShell development: modules, robust error handling, logging/telemetry, parallelization, and secure secret handling.
- GitHub: Actions/workflows, environment protection rules, reusable workflows, code reviews, and artifact/version management.
- AWS: Practical experience with EC2 and OS-level onboarding (Windows & Linux), SSM/Run Command/Session Manager, tagging/auto-onboarding patterns, VPC/security group fundamentals.
- Strong understanding of CyberArk components (PVWA, CPM, PSM, EPM/Endpoint Privilege Management), policy design, platform plug-ins, and API usage.
- Proven ability to write clear runbooks/SOPs, influence architecture decisions, and lead incident bridges.
Preferred Qualifications - Python for REST/API integrations, data shaping, and service utilities.
- Experience with secrets management for apps/automation (e.g., Secrets Manager/API-based retrieval).
- IaC exposure (CloudFormation or Terraform) for PAM-adjacent infrastructure.
- Familiarity with logging/observability stacks (CloudWatch, Splunk) and SIEM integrations for PAM events.
Special Factors Sponsorship Vanguard is not offering visa sponsorship for this position.
About Vanguard At Vanguard, we don't just have a mission-we're on a mission.
To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.
How We Work Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.
Never miss an opportunity! Create an alert based on the job you applied for.
