Network Security Engineer with Forescout experience - 100% onsite

Position Overview
We are seeking an experienced Network Security Engineer for a contract-to-hire engagement with one of New York City's leading healthcare organizations. This is a hands-on, senior-level role responsible for the design, deployment, and ongoing operational excellence of our network access control and security infrastructure. The contract is expected to convert to a permanent full-time position for the right candidate. The ideal candidate brings deep technical expertise in Forescout and thrives in a complex, compliance-driven healthcare environment where uptime and patient data protection are paramount.

Key Responsibilities
Design, deploy, and manage Forescout-based Network Access Control (NAC) infrastructure across enterprise and clinical environments
Develop and enforce device visibility, classification, and policy enforcement for managed, unmanaged, and IoT/medical devices
Author and maintain comprehensive technical documentation, standard operating procedures (SOPs), runbooks, and network security policies
Conduct architecture reviews and lead network security improvement initiatives in alignment with HIPAA, HITECH, and NIST frameworks
Collaborate with infrastructure, clinical engineering, and IT teams to ensure secure network segmentation and least-privilege access
Monitor network security events, investigate anomalies, and drive remediation efforts in coordination with the SOC team
Manage and maintain next-generation firewall infrastructure (Palo Alto Networks preferred), including rule lifecycle management and threat prevention policy tuning
Support and administer F5 application delivery and security services including LTM/GTM, APM, and ASM/AWAF
Lead vendor engagements, coordinate with managed service partners, and serve as internal SME for network security technologies
Participate in on-call rotation and provide escalation support for critical network security incidents

Required Qualifications
5+ years of hands-on experience in network security engineering in enterprise environments
Deep expertise in Forescout Platform (formerly CounterACT), including:
eyeSight, eyeControl, and eyeSegment modules
Policy authoring, device classification, and enforcement actions
Integration with Active Directory, SIEM, and ticketing platforms
Deployment in large-scale, multi-site environments
Active Forescout certification (FCSS Forescout Certified Security Specialist, or equivalent) required
Demonstrated ability to independently design and deliver full lifecycle NAC deployments from architecture through implementation and documentation
Strong documentation skills: ability to produce clear, detailed SOPs, network diagrams, and policy documentation for both technical and non-technical audiences
Solid understanding of network fundamentals: VLANs, 802.1X, RADIUS, DHCP, DNS, routing, and switching
Experience working in regulated industries with exposure to HIPAA, HITECH, or similar compliance requirements
Bachelor's degree in Computer Science, Information Security, or equivalent practical experience

Preferred Qualifications (Nice to Have)
Palo Alto Networks expertise:
Hands-on experience with PAN-OS, Panorama, and NGFW policy management
Familiarity with Prisma Access, GlobalProtect, and Cortex XSOAR a plus
Palo Alto Networks Certified Network Security Engineer (PCNSE) preferred
F5 expertise:
Administration of BIG-IP LTM, GTM, APM, and ASM/Advanced WAF
Experience with iRules, SSL offload, and application security policies
F5 Certified BIG-IP Administrator (F5-CA) or Solution Expert (F5-CSE) preferred
Experience with healthcare IoT and medical device security
Familiarity with Zero Trust architecture principles and microsegmentation strategies
Exposure to SIEM platforms (Splunk, Microsoft Sentinel) and SOAR integrations
Additional industry certifications: CISSP, CCNP Security, CEH, or equivalent