Senior Engineer, Information Security, Architecture and Engineering - Technology Solutions Group
Bain & Company
IT
Chicago, IL, USA
WHAT MAKES US A GREAT PLACE TO WORK
We are proud to be consistently recognized as one of the world’s best places to work. We are currently the top ranked consulting firm on Glassdoor’s Best Places to Work list and have earned the #1 overall spot a record seven times. Extraordinary teams are at the heart of our business strategy, but these don’t happen by chance. They require intentional focus on bringing together a broad set of backgrounds, cultures, experiences, perspectives, and skills in a supportive and inclusive work environment. We hire people with exceptional talent and create an environment in which every individual can thrive professionally and personally.
WHO YOU’LL WORK WITH
You’ll join our Technology Solutions Group. This team considers the full spectrum of people, technology, and process to help others at Bain achieve their goals. We aim to understand our partners in the business so well that our proposed architectures, apps, and automations really do improve their work lives. If you’re the sort of person who embraces change, who has an entrepreneurial spirit, and whom friends and family still call for tech advice, this might be a great team for you.
WHERE YOU’LL FIT WITHIN THE TEAM
The SaaS security engineer will lead and scale our SaaS security program, with primary ownership of our SSPM platform and related initiatives. The role is technical, and candidates must possess a solid understanding of information security, cloud infrastructure, and SaaS application configuration practices. The role also requires an understanding of business goals/strategy and operational requirements in a fast-paced environment, and the ability to communicate clearly and effectively both business risk impacts and the technical actions required to resolve them.
The SaaS security engineer supports the growing third-party ecosystem, working to reduce misconfiguration risk, improve identity hygiene, and strengthen necessary monitoring and governance recommendations across a variety of cloud-based applications. They are an integrated team member working with product owners, application administrators, system engineers, cybersecurity engineers and systems administrators. At times, the SaaS security engineer acts as a liaison with business stakeholders to understand the strategy and execution outlook. The role is heavily security-focused and ingrained in the third-party application lifecycle to deliver security principles and validation at all times.
WHAT YOU’LL DO
SaaS security engineers have a strong work ethic, think analytically and critically, and are masterful at meeting change requests on demand. They are expected to work well with business units and to possess superior listening and communication skills in addition to the expected technical expertise. SaaS security engineers embody security-first principles, constantly assess the threat landscape, and adapt quickly to manage enterprise risk as well as integration and deployment requirements.
Essential Functions:
- Technical work (40%)
  - Own and operate the SaaS Security Posture Management (SSPM) platform
  - Onboard new SaaS applications into SSPM and define security baselines
  - Design and implement secure configuration standards for enterprise SaaS platforms (M365, Salesforce, ServiceNow, Slack, etc.)
  - Develop and maintain SaaS security configuration benchmarks
  - Improve identity and access controls across SaaS applications (RBAC, MFA, SSO enforcement)
  - Integrate SSPM findings into SIEM/SOAR platforms
  - Develop detection logic for anomalous SaaS behavior
  - Build dashboards and reporting to track SaaS posture and risk trends
  - Automate security checks and remediation workflows via APIs and scripting
  - Enhance SaaS monitoring and logging coverage
  - Serve as a point of contact for security-based escalations and remain tightly involved through resolution
  - Assist in third-party technical reviews and solution advisement, identifying gaps in existing controls and recommending solutions to vendors
  - Partner with the Senior Manager and stakeholders to solve problems
- Support team growth and improvement (30%)
  - Establish scalable SaaS security review processes for new application onboarding
  - Contribute to the development of SaaS security standards and governance frameworks
  - Improve joiner/mover/leaver access governance processes
  - Identify tooling gaps and recommend new security capabilities
  - Create documentation and playbooks for SaaS security operations
  - Mentor junior security engineers or IT administrators on SaaS security best practices
  - Drive continuous improvement initiatives to reduce manual security effort
  - Track and report on SaaS security KPIs to inform program maturity
- Vulnerability and misconfiguration handling (20%)
  - Monitor, triage, and remediate SaaS misconfigurations identified by SSPM, automating and documenting the process so it scales to operations
  - Identify excessive permissions, risky OAuth grants, and policy drift
  - Partner with application owners to drive timely remediation of high-risk findings
  - Perform periodic access reviews and privilege audits
  - Reduce stale accounts, toxic permission combinations, and overprivileged roles
  - Support SaaS-related security incidents and root cause analysis
  - Act as an escalation point for technical teams needing support in resolving vulnerabilities and misconfigurations
  - Communicate results in a manner understood by technical and non-technical business units, framed by risk tolerance and threat to the business, and gain support through influential messaging
  - Maintain strong third-party awareness through database sources, documentation, and similar references, in order to understand each weakness, its probability, and the remediation options and workarounds supplied by vendors
- Communications and Leadership (10%)
  - Partner with IT, Engineering, Legal, Procurement, and Risk teams to improve SaaS security posture
  - Provide clear reporting on SaaS risk exposure and remediation progress
  - Support SaaS security discussions in vendor risk and audit engagements
  - Lead security conversations with application owners and executive stakeholders as needed
  - Advocate for secure-by-default SaaS configurations across the organization
ABOUT YOU
Hybrid: This role follows a hybrid model, requiring in-office presence at least 1 day per week.
Required:
- Undergraduate degree or an equivalent level of relevant work experience
- 3-7+ years of business and/or security experience
- Breadth of analytical, technical and project and time management skills
- Understanding of SaaS security risks and misconfigurations
- Understanding of OAuth and API security
- Understanding of SSO, MFA, RBAC, and common IdPs
Preferred:
- CISSP, GIAC, Security+, or other relevant course work and certifications
- 3-5 years of enterprise SaaS administration experience (M365, Salesforce, Slack, etc.)
- Understanding of IT environments and practices related to one or more of the following disciplines:
  - Networking
  - Infrastructure configuration and resiliency
  - System architecture and configuration
  - Operating systems
  - Application development
  - Operational/IoT technology
  - Cloud operations
U.S. Compensation Information
Compensation for this role includes base salary, an annual discretionary performance bonus, a 401(k) plan with an annual employer contribution based on years of service, and Bain’s best-in-class benefits package (details listed below).
Some local governments in the United States require a good-faith, reasonable salary range to be included in job postings for open roles. The estimated annualized compensation for this role is as follows:
- In Boston, MA, the good-faith, reasonable annualized full-time salary range for this role is between $108,250 and $130,000; placement within this range will vary based on several factors including, but not limited to, experience, education, licensure/certifications, training and skill level
- In Chicago, IL, the good-faith, reasonable annualized full-time salary range for this role is between $103,500 and $124,250; placement within this range will vary based on several factors including, but not limited to, experience, education, licensure/certifications, training and skill level
- Annual discretionary performance bonus
- This role may also be eligible for other elements of discretionary compensation
- 4.5% 401(k) company contribution, which increases after 3 years of service and is 100% vested upon start date
Bain & Company's comprehensive benefits and wellness program is designed to help employees achieve personal independence, protection and stability in the areas most important to them and their families.
- Bain pays 100% individual employee premiums for medical, dental and vision programs, offering one of the most comprehensive medical plans for employees without impacting your paycheck
- Generous paid time off, including parental leave, sick leave and paid holidays
- Fully vested 401(k) company contribution
- Paid Life and Long-Term Disability insurance
- Annual fitness reimbursements
It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.