Senior Security Engineer (Microsoft Security Architecture)

It's fun to work in a company where people truly BELIEVE in what they're doing!

A Senior Security Engineer is a senior tech expert who protects a company's

entire digital world. While a network engineer just focuses on networks, a

security engineer protects everything. They secure software, cloud storage,

computers, and company data from hackers

WHAT YOU WILL DO:

. Platform Architecture, Verification and Standards

• Own Tiger Brands' Microsoft security architecture across M365, Azure, and hybrid environments as the internal SME and decision authority.
• Define security design patterns based on Zero Trust principles and identity-first security models.
• Produce and maintain architecture documentation, security standards, configuration baselines, and design patterns across the Microsoft Defender Suite, Entra ID, Purview, Defender for Cloud Apps, and M365 collaboration platforms.
• Translate security requirements and risk decisions into clear, implementable technical specifications for the operations team.
• Validate all Microsoft security platform implementations against approved designs and baselines - covering Conditional Access policies, Defender configurations, Purview labels and DLP rules, and Entra ID governance settings.
• Identify deviations, misconfigurations, and gaps in implemented configurations and issue formal remediation requirements.
• Own continuous configuration drift detection - define and maintain mechanisms to identify when validated configurations deviate from approved baselines post-deployment. Drift findings must be logged, risk-assessed, and tracked to remediation.
• Define security control resilience and fallback requirements - specify what happens in the event of a platform outage or service degradation for each critical control owned by this role.
• Maintain a validation and drift register covering completed checks, findings, drift events, fallback status, and sign-off records.

2. Email Security Architecture and Controls

• Own the end-to-end email security architecture leveraging Microsoft Defender for Office 365.
• Define and maintain standards for anti-phishing and anti-spoofing policies, Safe Links and Safe Attachments, email authentication (SPF, DKIM, DMARC) across all Tiger Brands sending domains, and quarantine and mail flow rules.
• Validate that email security configurations are correctly implemented and producing expected enforcement outcomes.
• Design and define the Attack Simulation Training programme standard - specifying simulation scenarios, target populations, phishing templates, and training assignment logic to drive measurable improvement in workforce phishing resilience.

3. Microsoft Identity Security Architecture and Standards

• Define the Microsoft identity security architecture - specifying the design, policy structure, and configuration requirements for Conditional Access, MFA, PIM, and identity governance that the IAM engineering function implements against. This role sets the standard; the IAM engineer delivers against it.
• Validate Microsoft identity security implementations - confirm that Conditional Access policies, MFA enforcement, PIM configurations, and identity governance settings meet the defined security standard. Issue formal remediation requirements where implementations fall short.
• Own non-human identity governance - define and enforce security standards for service principals, managed identities, and app registrations across Azure and Entra ID, covering naming and ownership standards, permission scoping, secret and certificate lifecycle management, and access review requirements and frequency.
• Define Privileged Access Workstation (PAW) security standards and validate that privileged access activities are conducted in accordance with the PAW standard.
• Own the passwordless authentication architecture standard - define Tiger Brands' technical requirements and phased adoption roadmap for Windows Hello for Business and FIDO2 security keys. Implementation is delivered by the IAM engineering function against this standard.
• Define External Identities security standards for B2B guest access, supplier and partner collaboration, and contractor identity management, and validate that implementations meet the defined standard.
• Own Microsoft identity security posture - define the target security state, track posture against that target, and produce remediation requirements for the IAM engineering function to action.

4. Endpoint, Cloud and Application Security

• Define endpoint security standards for Defender for Endpoint and Intune/Endpoint Manager - covering EDR policy configuration, device compliance requirements, and hardening baselines - and validate that deployed configurations meet the standard.
• Own Azure cloud security posture requirements - defining Defender for Cloud policy initiatives, regulatory compliance standards, and workload protection expectations. Validate configurations against CIS Benchmarks and set Secure Score targets, validating progress as a continuous objective.
• Own Tiger Brands' cloud application security posture using Microsoft Defender for Cloud Apps as the primary CASB platform - defining shadow IT discovery standards and specifying conditional access app control and session control policies.
• Validate that CASB and cloud security configurations are correctly implemented and enforcing as expected.

5. Data Protection and Collaboration Security

• Define the data classification framework, sensitivity labelling taxonomy, and information protection policy requirements for Microsoft Purview.
• Specify DLP policy requirements across M365 workloads aligned to POPIA obligations and business risk appetite, and validate that implemented policies enforce correctly.
• Define and validate Insider Risk Management policy configurations, alert thresholds, and investigation workflows.
• Own the security architecture for Tiger Brands' M365 collaboration environment - Teams, SharePoint, and OneDrive - as high-risk data handling and sharing surfaces.
• Define and maintain standards for external sharing configuration, Teams guest access policies, sensitivity label enforcement, OneDrive sync restrictions, and Teams app governance.
• Validate that collaboration security configurations are correctly implemented and aligned to Tiger Brands' data governance and POPIA obligations.
• Produce and maintain technical compliance evidence for internal audit, external regulatory reviews, and governance reporting.

6. Security Telemetry and Automation

• Define telemetry and log collection standards for all Microsoft security platforms - specifying what data must be collected and forwarded to Tiger Brands' managed SOC SIEM for monitoring and detection.
• Validate that Defender suite platforms are configured to generate complete, accurate telemetry that meets the managed SOC's ingestion requirements, and that log forwarding is implemented without gaps.
• Act as the Microsoft platform SME in engagements with the managed SOC on matters of log source quality, data gaps, and platform-side configuration requirements.
• Design PowerShell automation and Logic Apps for configuration management, compliance reporting, and platform automation workflows, and review and validate automation built by the operations team before production deployment.

7. Platform Stewardship and Governance

• Produce and maintain deployment runbooks, configuration guides, and technical SOPs that enable the operations team to implement Microsoft security platform changes accurately and consistently.
• Validate the operations team's technical capability to execute against defined standards - identify gaps and define training or upskilling requirements. Ensure no single individual holds undocumented platform knowledge.
• Advise Tiger Brands on Microsoft security licensing strategy - including optimization of existing entitlements (E3/E5, Defender plan tiers, Purview licensing) and recommendations for capability uplift where gaps exist.
• Actively track the Microsoft security product roadmap, maintain a forward-looking view of how it affects Tiger Brands' security architecture, and lead the evaluation of new capabilities (including Microsoft Copilot for Security) prior to adoption.
• Define and enforce security requirements for all third-party and MSP integrations into Tiger Brands' Microsoft environment - including GDAP, service accounts, and Microsoft Graph API access. Maintain active integrations register.
• Exercise formal change gate authority - no changes to Microsoft security platform configurations, policies, or architectures may proceed without this role's technical review and sign-off. Changes that do not meet the defined standard must be formally rejected with documented rationale.
• Own the security baseline exception process - all exceptions must be risk-assessed, business-justified, owned by an accountable party, and subject to a defined review date.
• Produce regular Microsoft security posture reports to the Cybersecurity Engineering Lead and governance forums, covering Secure Score trends, drift findings, open exceptions, validation status, and upcoming roadmap decisions.
• Act as escalation point and trusted advisor for infrastructure, cloud, applications, risk, and governance teams on all Microsoft security matters.

WHAT YOU WILL BRING TO THE TABLE:

Education

Bachelor's degree in Information Technology, Computer Science, Information Security, or equivalent practical experience.

Experience

• 8+ years of hands-on, production experience with the Microsoft security stack - this is a hard requirement, not a guideline.
• The incumbent must have personally built and operated Microsoft security platforms at enterprise scale. This is what makes their architectural specifications credible, their validation judgements authoritative, and their licensing advisory reliable.
• Demonstrated depth across the Defender suite, Entra ID, and Purview in complex enterprise environments.
• Proven experience designing Microsoft security architecture in regulated industries.
• Enterprise-scale hybrid identity experience - on-premises AD, Entra ID, and Entra Connect.
• Hands-on experience with email security architecture - SPF, DKIM, DMARC, and Defender for Office 365.
• Experience governing external identity, B2B collaboration, and non-human identity at enterprise scale.
• Exposure to POPIA, ISO 27001, or NIST CSF compliance requirements advantageous.
• FMCG, manufacturing, or IT/OT hybrid environments advantageous.

Certifications

Required:

• SC-100 – Cybersecurity Architect Expert
• SC-300 – Identity & Access Administrator
• SC-400 – Information Protection Administrator
• AZ-500 – Azure Security Engineer Associate

Advantageous:

• AZ-305 – Azure Solutions Architect
• CISSP

What This Role Is Not

• This is not a deployment or operations role. The incumbent defines the standard, specifies the implementation, and validates the outcome, while deployment execution and day-to-day operations remain with the Service Delivery function. From time to time, the incumbent may provide specialist Microsoft security support to Service Delivery for complex issues or temporary resource gaps, but this does not change the primary accountability of the role. Equally, this is not a once-off design exercise. Tiger Brands is investing in sustained internal capability that will continuously raise the security bar, expand Microsoft security platform coverage, advance the architecture as the Microsoft roadmap evolves, and develop the team around it over the long term.

#LI-KM3

In accordance with the employment equity plan of Tiger Brands and its employment equity goals and targets, preference may be given, but is not limited, to candidates from under-represented designated groups.