Network Security Engineer

Role Overview

Location: Plano TX

We are seeking a highly skilled Network Security Engineer with deep expertise in Security Service Edge (SSE) and Secure Access Service Edge (SASE) to lead the design, deployment, and lifecycle management of cloud-delivered security services. This role is critical in implementing Zero Trust Network Access (ZTNA), securing hybrid BFSI infrastructure, and integrating identity-aware, policy-driven controls across distributed environments.

Primary Technical Skills

SSE/SASE Platforms: Advanced configuration and policy orchestration on Palo Alto Prisma Access, Fortinet Universal ZTNA, and Zscaler ZIA/ZPA, Broadcom and Bluecoat.

Cloud-Delivered Security Functions: Deep understanding of SWG, CASB, ZTNA, DNS security, FWaaS, and SSL/TLS inspection.

Identity-Aware Access Control: Integration with SAML/OAuth2/OpenID Connect, device posture enforcement, and risk-based access policies.

Policy Lifecycle Management: Design and tuning of access control policies, URL filtering, application control, and data protection rules.

Post-Deployment Optimization: Continuous tuning using telemetry, policy hit/miss analysis, latency metrics, and user experience feedback.

Advanced Threat Protection: Integration with sandboxing engines, cloud-delivered threat intelligence, and real-time traffic analysis.

High Availability & Resilience: Design of redundant tunnels, failover strategies, and multi-tenant segmentation in SSE environments.

Traffic Steering & Breakout Policies: Implementation of local internet breakout (LIB), selective tunneling, and QoS-aware routing.

Certificate Management: Handling PKI integration, certificate pinning, and SSL decryption policies across user and app flows.

User Experience Assurance: Use of digital experience monitoring (DEM) tools to baseline and optimize end-user performance.

Secondary Technical Skills

SD-WAN & VPN Integration: Deep familiarity with overlay routing, dynamic path selection, IKEv2/IPSec/GRE tunnels, and BGP/OSPF redistribution.

Cloud Security Architecture: Design of hub-and-spoke, transit VPC, and cloud-native firewalling across AWS, Azure, and GCP.

Automation & APIs: Development of Python/Ansible/Terraform scripts for policy automation, bulk onboarding, and compliance checks.

SIEM & SOAR Integration: Event forwarding, custom log parsing, UEBA correlation, and automated response playbooks in Splunk, QRadar, or Sentinel.

Endpoint & EDR Integration: Policy coordination with CrowdStrike, Microsoft Defender, or SentinelOne for device trust enforcement.

DNS & DLP Integration: Enforcement of DNS-layer security and data exfiltration controls using inline DLP and cloud-native inspection.

Multi-Factor & Conditional Access: Integration with Azure Conditional Access, Okta Adaptive MFA, and device compliance policies.

Network Segmentation: Implementation of microsegmentation using identity-based policies and application-aware zoning.

Cloud Logging & Audit Trails: Centralized logging via CloudWatch, Azure Monitor, or GCP Logging, mapped to compliance controls.

Security Baseline Enforcement: Use of CIS Benchmarks, NIST 800-53, and custom hardening scripts for posture validation.

Required Experience

8 12 years in enterprise network and security engineering, with 3+ years in SSE/SASE design and operations.

Proven experience in Zero Trust architecture, identity-aware segmentation, and cloud-delivered security enforcement.

Strong exposure to regulated verticals (preferably BFSI), with emphasis on data protection, audit readiness, and risk mitigation.

Hands-on with multi-vendor SSE ecosystems, including policy migration, interoperability testing, and performance benchmarking.

Experience in incident response, forensics, and policy rollback in production SSE environments.

Preferred Qualifications

Experience with hybrid cloud security models and multi-cloud segmentation strategies.

Familiarity with EDR/XDR, sandboxing, and threat intelligence platforms (TIPs).

Understanding of compliance frameworks: ISO 27001, NIST 800-53, RBI, GDPR, and PCI-DSS.

Exposure to DevSecOps pipelines, CI/CD security gates, and IaC security scanning.

Knowledge of SASE convergence models, including WAN edge, cloud edge, and identity edge integration.

Nice to Have:

Zscaler Certified Cloud Professional (ZCCP-IA/ZCCP-PA)

AWS/Azure Security Specialty

CISSP or CCSP