Sr. Security Engineer, Corporate Information Security

About Betterment

Betterment is a leading, technology-driven financial services company that offers investing, savings and retirement solutions for retail investors and investment advisors as well as financial wellness solutions, including a 401(k) for small and medium-sized businesses. Our team is passionate about our mission, to empower people to build wealth with confidence and ease. We're headquartered in NYC and offer hybrid NY-based positions (four days/week in-office, with no required office days during the summer and winter holidays).

About the Role

Betterment is hiring a Sr. Security Engineer, Corporate Information Security to be a principal member of the Workforce Security team. We're responsible for managing identity and logical access across the company, owning change management for the systems employees and contractors rely on every day, and operating the technologies that secure them: Okta, Google Workspace, Slack, Atlassian, Glean, Jamf, and the SaaS portfolio that surrounds them. As we extend centralized management to a small Windows and Linux footprint, you'll help shape how we do that securely from day one.

This is a hands-on senior IC role focused on designing, implementing, and continuously improving identity architecture, privileged access controls, endpoint hardening standards, and our overall workforce security posture. You'll embed secure access patterns across SaaS, managed browser, mobile, and workstation environments partnering closely with other Security teams, IT, Legal, Compliance, and the business units we serve.

In parallel, you'll partner with our AI Governance & enablement team to evaluate, enable, and secure the use of AI tools (ChatGPT, Claude, Glean Assistant, and the agentic tooling that's coming next) establishing practical guardrails that let employees move quickly without compromising data or systems.

This role is based out of our NYC office. Below we've reflected the base salary range for this position. Actual salaries may vary depending on factors including but not limited to location, experience, and performance. The range listed is just one component of Betterment’s total compensation package for employees. 

• New York City: $165,000-185,000

This job may also be eligible for variable compensation in the form of a company incentive bonus. 

A Day in the Life

Your weeks blend strategic architecture, hands-on implementation, and operational support:

• Identity & Access Architecture: Define and evolve the workforce IAM roadmap. Architect identity patterns across Okta and our SaaS estate SSO at scale, RBAC that holds up under growth, and lifecycle automation that reaches every downstream system from HRIS through joiner/mover/leaver. Build a sustainable Identity Governance & Administration (IGA) practice, including User Access Review campaigns that produce real evidence rather than rubber stamps.
• Security Design: Lead initiatives across authentication, authorization, federation, and privileged access. Design time-bound, just-in-time, and break-glass patterns (PIM-equivalent) for high-risk roles so standing privilege trends toward zero. Govern non-human identities, service accounts, API tokens, OAuth integrations, and the AI agents that increasingly act on users' behalf. Embed Zero Trust and least-privilege principles into every workforce system you touch.
• Securing & Monitoring Corporate Communications: Manage the security of corporate communication platforms, including email and Slack, through tools such as Abnormal Security and Proofpoint. Responsibilities include DLP enforcement to protect PII and conducting email investigations for spam, phishing and other threats. 
• Endpoint, Mobile & Browser Security: Define and enforce hardening standards aligned with CIS benchmarks. Own configuration baselines for macOS, Windows, and Linux Desktops, with mobile and managed browser controls layered on top. Architect enterprise browser security, extension governance, session protection, and DLP at the browser layer.
• Vulnerability & Posture Management: Lead the workforce vulnerability management program for endpoints and corporate SaaS. Design remediation SLAs by severity and asset class, run remediation campaigns that actually close findings, and partner with IT Systems to surface and fix identity and configuration misconfigurations. Operate SaaS posture tooling (e.g., Wiz, Vanta,  Drata, or peers) as the connective tissue across our SaaS estate.
• AI Tool Security: Establish and enforce a secure architecture for AI tool usage, data handling boundaries, connector security, identity-aware access controls, and detection for misuse with a bias toward enabling the business safely rather than gating it.
• Governance & Operations: Run UAR campaigns end-to-end, drive remediation of audit findings (SOC 2, ISO 27001), and partner with our MDR MSP and internal teams to mature identity-related detection and incident response. Augment and assist with cross-functional GRC capabilities

What We're Looking For:

• Experience: 6+ years in security engineering with deep experience in IAM and corporate security, ideally with time in a regulated environment.
• IAM depth: Strong command of authentication and authorization protocols (SAML, OIDC, OAuth, SCIM, LDAP), enterprise IAM platforms (Okta and Entra ID), RBAC design, and lifecycle automation. Comfortable with Identity Center / SSO patterns at scale and PIM-equivalent / break-glass models for privileged access.
• Endpoint, mobile & browser: Familiarity with endpoint management and EDR; an opinion on operationalizing CIS benchmarks across macOS and Windows without crushing the user experience; comfort extending security to mobile and managed browser surfaces.
• Vulnerability &am