Director security architecture engineering

About The Job

The ACLU seeks applicants for the full-time position of Director of Security Architecture & Engineering in the Information Security Department of the ACLU’s National office in New York, NY. This is a hybrid role that has in-office requirements of two (2) days per week or eight (8) days per month.

This leadership position reports directly to the Chief Information Security Officer (CISO) and is responsible for driving enterprise security architecture and engineering strategy across the ACLU’s national and affiliate environments.

The Director serves as the principal architect for reducing organizational attack surface, minimizing the risk of lateral movement, and embedding enforceable, risk-aligned security design standards into the ACLU’s environment. This role will lead enterprise-wide efforts to operationalize Secure by Design, strengthen identity architecture and segmentation, and ensure the consistent enforcement of core security controls.

The Director will translate policy and risk into technical designs, baseline controls, and sustainable engineering practices—working in close partnership with Technology and IT teams, platform teams, affiliates, and key National stakeholders, including Legal, National Political Advocacy (NPAD), and Development.

The Director will lead a highly collaborative and technically skilled team of three direct reports, each of whom manages a core domain of the security architecture program.

What You'll Do

Reporting to the Chief Information Security Officer (CISO) , the Director of Security Architecture & Engineering will play a strategic and operational leadership role in advancing the ACLU’s security posture. This includes translating high-level security policy into actionable design guidance, embedding security requirements into enterprise architecture, and holding cross-functional teams accountable for consistent implementation.

YOUR DAY TO DAY

• Lead the development and execution of the ACLU’s Secure by Design and Secure by Default strategy; translate policy and risk priorities into reference architectures, technical baselines, and automated guardrails.
• Establish and chair the Control Design Review Board (CDRB) to govern architectural decisions involving identity boundaries, network segmentation, data egress, privileged access, third-party integrations, and other critical control points.
• Define, publish, and maintain enterprise reference architectures covering cloud services (Microsoft 365, AWS), identity zones, network segmentation tiers, privileged access models, SaaS security, and service-to-service authentication standards.
• Drive the secure implementation of ZTNA/SASE, configuration drift detection, phishing protection, and secure baseline management across cloud, endpoint, and infrastructure systems.
• Oversee the development and enforcement of modern identity and access management models.
• Design and implement an enterprise segmentation strategy, incorporating both macro- and micro-segmentation approaches to reduce lateral movement risk and isolate sensitive business processes and data environments.
• Oversee the organization’s Attack Surface Management (ASM) capabilities by formalizing asset inventory, exposure tracking, remediation prioritization, and SLA adherence across all relevant environments.
• Advance the ACLU’s Insider Threat and Data Protection programs.
• Provide executive-level decision-making on risk tradeoffs, technical exceptions, and compensating control design, ensuring a clear path to resolution with expiration timelines and audit visibility.
• Partner with the GRC to align technical controls with policy, regulatory requirements, vendor standards, and internal audit frameworks.
  
  

FUTURE ACLU'ERS WILL

• Be committed to advancing the mission of the ACLU
• Center and embed the principles of equity, inclusion and belonging in their work by demonstrating commitment to diversity with an approach that respects and values multiple perspectives
• Be committed to work collaboratively and respectfully toward resolving obstacles and conflicts
  
  

What You'll Bring

• Extensive experience in progressive cybersecurity, with equivocal expertise in a technical architecture, engineering leadership, or hands-on security infrastructure role.
• Deep expertise in security architecture across hybrid enterprise environments, including identity and access management, network segmentation, endpoint security, cloud/SaaS hardening, and exposure management.
• Demonstrated success designing and delivering secure architecture programs, including Secure by Design frameworks, threat-informed reference architectures, and platform security initiatives.
• Familiarity with modern authentication and access control frameworks, including Entra ID (Azure AD), Microsoft 365, phishing-resistant MFA (e.g., FIDO2, number matching), PIM/JIT, device trust, and conditional access.
• Experience building and leading high-performing security teams, with a proven ability to mentor talent, drive accountability, and manage cross-functional delivery.
• Strong communication and stakeholder management skills, with the ability to effectively translate technical risk for both technical and non-technical audiences.
• A demonstrated commitment to mission-driven work and an understanding of the role of security in protecting civil liberties, legal advocacy, and digital rights.
• Hands-on experience maturing core cybersecurity domains such as attack surface management, segmentation enforcement, secure integration design, and insider threat mitigation.
• Technical experience with Microsoft 365 security configuration, Microsoft Purview data protection features (DLP, sensitivity labels), AWS service hardening, and secure data platform integration.
• Familiarity with the legal and advocacy sector’s unique operational needs, including privilege boundaries, sensitive communications workflows, and affiliate organizational structures.
• Certifications such as CISSP, CCSP, GIAC (GCSA, GMON, GCPN), or cloud-specific security certifications (e.g., AWS Security Specialty, Azure Security Engineer Associate) are welcome but not required.
  
  

Compensation

The ACLU is committed to equity, transparency, and clarity in pay. Consistent with our compensation philosophy, there is a set salary for each role based on geographic work location. The annual salary for this position is $220,285 ( Level-C2), reflecting the salary of a position based in New York, NY. Salaries are subject to a regional pay adjustment if authorization is granted to work outside of the location listed in this posting.

For details on our pay structure, please visit:

WHY THE ACLU

For over 100 years, the ACLU has worked to defend and preserve the individual rights and liberties guaranteed by the Constitution and laws of the United States. Whether it’s ending mass incarceration, achieving full equality for the LGBTQ+ community, establishing new privacy protections for our digital age, or preserving the right to vote or the right to have an abortion, the ACLU takes up the toughest civil liberties cases and issues to defend all people.

We know that great people make a great organization. We value our people and know that what we offer is essential not just their work, but to their overall well-being.

At the ACLU, we offer a broad range of benefits, which include:

• Time away to focus on the things that matter with a generous paid time-off policy
• Focus on your well-being with comprehensive healthcare benefits (including medical, dental and vision coverage, parental leave, gender affirming care & fertility treatment)
• Plan for your retirement with 401k plan and employer match
• We support employee growth and development through annual professional development funds, internal professional development programs and workshops
  
  

OUR COMMITMENT TO ACCESSIBILITY, EQUITY, DIVERSITY & INCLUSION

Accessibility, equity, diversity and inclusion are core values of the ACLU and central to our work to advance liberty, equality, and justice for all. For us diversity, equity, accessibility, and inclusion are not just check-the-box activities, but a chance for us to make long-term meaningful change.  We are a community committed to learning and growth, humility and grace, transparency and accountability. We believe in a collective responsibility to create a culture of belonging for all people within our organization – one that respects and embraces difference; treats everyone equitably; and empowers our colleagues to do the best work possible. We are as committed to anti-oppression, anti-ableism, and anti-racism internally as we are externally. Because whether we’re in the courts or in the office, we believe ‘We the People’ means all of us.

With this commitment in mind, we strongly encourage applications from all qualified individuals without regard to race, color, religion, gender, sexual orientation, gender identity or expression, age, national origin, marital status, citizenship, disability, veteran status and record of arrest or conviction, or any other characteristic protected by applicable law.

The ACLU is committed to providing reasonable accommodation to individuals with disabilities. If you are a qualified individual with a disability and need assistance applying online, please email [email protected] . If you are selected for an interview, you will receive additional information regarding how to request an accommodation for the interview process.

The Department of Education has determined that employment in this position at the ACLU does not qualify for the Public Service Loan Forgiveness Program.