What are the responsibilities and job description for the Senior Security Engineer (Identity & Access Management) position at State of Wisconsin Investment Board?
Sophisticated Work. In a Great City. Making a Difference.
The State of Wisconsin Investment Board (SWIB) manages more than $178 billion in assets, including those of the fully-funded Wisconsin Retirement System (WRS). SWIB operates at a level more often seen in top-tier global asset managers than in typical public pension funds. SWIB is a home for top talent. Approximately 61 percent of SWIB’s investment professionals are Chartered Financial Analyst (CFA) charterholders.
The City of Madison, the state capital and home of Wisconsin’s flagship university, makes regular appearances on lists of best places to live, eat, and play. SWIB offers a modern workspace, hybrid work options, and competitive compensation and benefits.
Serving over 703,000 WRS beneficiaries, SWIB is driven by a clear mission: securing the financial future of those who serve Wisconsin. When you work at SWIB, you know your work matters.
Job Description
Position Overview:
As a Senior Security Engineer (Identity & Access Management), you will lead the design, implementation, and continuous evolution of our identity security program across a hybrid and cloud-first environment. This role operates at the intersection of security engineering, identity architecture, and governance.
As a senior member of a high-performing security team, you will own and advance SWIB’s identity control plane, ensuring secure, scalable, and business-aligned access to critical systems and data. This role operates in a transformation environment, evolving legacy access models into a modern, automated IAM architecture aligned with Zero Trust principles. You will design solutions, influence stakeholders, and deliver measurable security outcomes.
Key Responsibilities
Identity Architecture & Engineering
- Lead the design and evolution of SWIB’s IAM architecture across SaaS, cloud (Azure & AWS), and on-prem environments.
- Own and enhance identity lifecycle processes (Joiner, Mover, Leaver) integrated with HR systems.
- Design and implement scalable access models leveraging RBAC and ABAC principles.
- Build and maintain secure identity integrations using SAML, OAuth, OpenID Connect, and modern API-based patterns.
- Own the evolution and scaling of SWIB’s IGA platform (e.g., SailPoint IdentityNow) as part of a broader identity architecture.
- Lead access provisioning, deprovisioning, and certification processes with a focus on automation and risk reduction.
- Partner with business stakeholders to define and enforce access governance policies.
- Continuously improve identity workflows to enhance efficiency and reduce manual intervention.
- Extend identity governance to unstructured data by leading data access reviews, activity monitoring, and data classification initiatives.
- Design and enforce controls for privileged access management (PAM) and endpoint privilege management (EPM).
- Reduce standing privileges and support implementation of just-in-time (JIT) access models.
- Identify and mitigate privilege escalation paths and excessive access risks.
- Support the advancement of SWIB’s Zero Trust strategy, with identity as the primary control plane.
- Design and implement Conditional Access policies and strong authentication mechanisms.
- Support incident investigations involving identity and access.
- Develop metrics and reporting to provide data-driven insights into identity risk posture.
- Develop and maintain automation using PowerShell, Python, or similar scripting languages.
- Integrate IAM capabilities with enterprise systems using REST APIs and JSON-based workflows.
- Drive automation-first IAM design, minimizing manual processes and operational overhead.
- Partner with application owners, infrastructure team, HR, and business stakeholders to align access controls with business needs.
- Prioritize and sequence IAM initiatives based on risk, impact, and organizational capacity.
- 7 years of experience in information security, with a strong focus on Identity & Access Management.
- Hands-on experience implementing and scaling IGA platforms (e.g., SailPoint IdentityNow or equivalent).
- Strong working knowledge of:
  - Microsoft Entra ID and hybrid identity environments.
  - Authentication and federation protocols (SAML, OAuth, OpenID Connect).
  - Conditional Access, MFA, and identity security controls.
- Experience designing and deploying RBAC/ABAC access models at an enterprise scale.
- Proficiency in scripting or automation (e.g., PowerShell, Python).
- Experience integrating systems using APIs, JSON, and modern automation patterns.
- You can independently drive complex IAM initiatives end-to-end, from design through implementation.
- You take ownership of systems and outcomes, not just assigned tasks.
- You can design, build, and improve, not just administer.
- You are comfortable operating in a lean team with broad responsibility.
- You communicate clearly with both technical and non-technical stakeholders.
- Competitive total cash compensation, based on AON (formerly McLagan) industry benchmarks
- Comprehensive benefits package
- Educational and training opportunities
- Tuition reimbursement
- Challenging work in a professional environment
- Hybrid work environment
Pursuant to our Hybrid Remote Work Policy, all staff have the flexibility to work remotely, but are required to have a weekly presence in our offices, the frequency of which is dependent on their distance from office. Staff are not required to reside locally; however, we offer relocation reimbursement to the Dane County area per our policy.
All SWIB employees are subject to SWIB’s Ethics Policy and Personal Trade Approvals Policy. These policies include restrictions on outside business activities and employment and have limits on personal trading. You may request copies of these policies from SWIB’s talent acquisition team and any questions can be answered by SWIB’s compliance team.