Wppmedia
Wppmedia2h ago
New

Senior Security Engineer

United KingdomUnited Kingdom·Londonsenior
EngineeringSecurity Engineer
1 views0 saves0 applied

Quick Summary

Key Responsibilities

OAuth app controls, context-aware access, DLP, secure default sharing. Entra ID: conditional access baselines,

Requirements Summary

Google Workspace Admin, Entra ID tenant and CA policies, AWS IAM Identity Center permission sets and SSO. SSO a

Technical Tools
EngineeringSecurity Engineer

WPP is the trusted growth partner for the world’s leading brands. With exceptional talent, trusted data and intelligence, and world-class partnerships – all united by our pioneering agentic marketing platform, WPP Open – we help clients navigate change, capture opportunity, and deliver transformational growth. 

WPP Media is WPP's AI-driven media operating unit, bringing together media, data, and partnerships to deliver creative personalisation at scale. Connected through WPP Open and powered by Open Intelligence, clients see exactly where, how, and why their media investment is working.

For more information, visit wppmedia.com.

DTA is WPP’s global data products and technology company. We’re on a mission to transform marketing by building the fastest, most connected data platform that bridges marketing strategy to scaled activation.

We work with agencies and clients to transform the value of data by bringing together technology, data and analytics capabilities. We deliver this through the Open Media Studio, an AI-enabled media and data platform for the next era of advertising.

We’re endlessly curious. Our team of thinkers, builders, creators and problem solvers are over 1,000 strong, across 20 markets around the world.  

We are hiring a Senior Security Engineer based in London to join our Cloud Architecture team, focused on security configuration and identity security across client and internal platforms.

This role leads the design and implementation of secure-by-default patterns for identity, access, and configuration in Microsoft Entra ID (Azure AD), Okta, Microsoft 365, Google Workspace, and AWS IAM Identity Center, with strong API/SCIM and ServiceNow integration.

You will report to the Head of Cloud Architecture and work closely with Platform Engineering, EUC/Workplace, Security Operations, Data Engineering, and Client Delivery teams.

The mission is to improve control coverage, reduce risk and enable frictionless, compliant access for users, applications, and services. You will translate requirements into practical controls and automation, ensuring our platforms meet policy, compliance, and performance goals, including effective monitoring and response through SIEM/SOAR.

  • Identity security architecture across Entra ID (Azure AD), Okta, Microsoft 365, Google Workspace, and AWS IAM Identity Center.
  • Hardening of identity platforms and SaaS configurations: Google Workspace Admin, Entra ID tenant and CA policies, AWS IAM Identity Center permission sets and SSO.
  • SSO and MFA design and rollout (SAML/OIDC, passwordless, conditional access, device/trust signals).
  • Lifecycle and JML automation using SCIM and HRIS integrations with ServiceNow (and/or Workday).
  • Federation, directory services, and migration (Entra Connect/Azure AD Connect; ADFS decommissioning).
  • Privileged access management and just-in-time elevation (Entra PIM, Okta admin roles, AWS IAM Identity Center assignments).
  • Policy-as-code and configuration baselines for identity/security controls; drift detection and remediation.
  • Identity telemetry, detections, and response via SIEM/SOAR, emphasizing Microsoft Sentinel.
  • External/B2B identity governance, partner access, guest lifecycle, and app consent governance.
  • Alignment to ISO 27001, SOC 2, NIST CSF, CIS Benchmarks, and GDPR.

Requirements

~4 min read
  • Threat-aware builder who designs for misuse cases and closes gaps with strong defaults.
  • Automates with code and low/no-code workflows (PowerShell, Python, Okta Workflows, ServiceNow).
  • Pragmatic about risk; balances security, usability and delivery timelines.
  • Clear communicator who can brief stakeholders and write concise standards/runbooks.
  • Consultative mindset with experience guiding design authorities and cross-functional teams.
  • Measures outcomes (e.g., MFA adoption, SSO coverage, JML SLA adherence) and iterates.
  • Comfortable with complex enterprise environments and multi-tenant identity models.
  • Inclusive collaborator who seeks diverse perspectives and documents decisions.

Responsibilities

  • Design and implement identity and access controls across Entra ID, Okta, M365, Google Workspace, and AWS IAM Identity Center to raise control coverage and reduce account compromise risk.
  • Define and enforce conditional access, MFA, and passwordless strategies to achieve target adoption rates (e.g., 100% for employees, >95% for contractors/partners).
  • Google Workspace: OAuth app controls, context-aware access, DLP, secure default sharing.
  • Entra ID: conditional access baselines, tenant restrictions, enterprise app consent policies, token protections.
  • AWS IAM Identity Center: permission set design, assignment governance, session duration, access portal controls, SCIM provisioning hygiene.
  • Build automation using SCIM, platform APIs, and ServiceNow workflows to meet JML SLAs (e.g., provision within hours; deprovision within minutes of HR termination).
  • Establish policy-as-code guardrails and configuration baselines; integrate checks into CI/CD and change pipelines to prevent drift.
  • Migrate legacy federation (e.g., ADFS) to modern SSO; consolidate directories and domains to reduce complexity and standing privilege.
  • Harden admin boundaries, IAM roles, secrets, and privileged access with JIT elevation; track reductions in permanent admin accounts and unused privileged roles.
  • Integrate identity logs (Entra ID, Okta, M365, AWS CloudTrail/Identity Center) into Microsoft Sentinel; build analytics rules and SOAR playbooks to improve alert quality and reduce MTTR.
  • Develop identity-focused detections and response playbooks (impossible travel, MFA fatigue, anomalous OAuth consent, risky AWS access patterns) and continuously tune to reduce false positives.
  • Run and improve vulnerability/risk management for identity-linked exposures (weak policies, stale accounts, risky app consent, over-permissive permission sets) with prioritization, remediation partnerships, and SLAs.
  • Lead or support incident response for identity-related events; drive post-incident learning, control improvements, and documentation updates.
  • Partner with engineering and EUC teams to embed secure-by-default patterns, simplify developer/user experiences, and reduce helpdesk burden.
  • Map controls to ISO 27001, NIST CSF, SOC 2, CIS Benchmarks, GDPR, and SIEM/SOAR operational requirements; support audits with evidence and runbooks.
  • Write clear standards, architecture documents, integration guides, and operational runbooks; present designs at design authority and stakeholder forums.
  • Measure and report risk reduction (e.g., dormant account reduction %, privileged role minimization, policy coverage) and track progress against agreed KPIs and roadmaps.

Requirements

  • Well versed in identity/access security engineering or architecture within enterprise environments.
  • Hands-on expertise hardening Microsoft Entra ID (Azure AD), Google Workspace Admin, and AWS IAM Identity Center configurations, plus Okta, Microsoft 365, and Active Directory/Entra Connect.
  • Proven delivery of SSO/MFA/conditional access programs; experience with passwordless and strong authentication methods.
  • Strong experience with SCIM and API-based integrations for JML automation; ServiceNow access workflows, approvals, and attestation.
  • Privileged access management (Entra PIM/Okta) and admin boundary hardening; permission set governance in AWS IAM Identity Center.
  • Experience decommissioning legacy federation (e.g., ADFS) and consolidating identity platforms.
  • Scripting/coding for automation and configuration (PowerShell and/or Python; Okta Workflows).
  • Threat modeling and architecture review focused on identity misuse, consent abuse, token/session risks, and cloud account takeover.
  • SIEM/SOAR integration experience, ideally with Microsoft Sentinel (data connectors incl. Entra, M365, Okta, AWS CloudTrail), analytics rules, playbooks, and incident workflows.
  • Effective collaboration with platform/EUC/security ops/data engineering; clear written and verbal communication.

Nice-to-have

  • Broader Azure and AWS security architecture experience (Defender for Cloud Apps, AWS Organizations/Control Tower, SCPs).
  • Secrets management (Azure Key Vault, HashiCorp Vault) and app-to-app auth patterns.
  • Integration of identity telemetry with broader SIEM/SOAR ecosystems; purple-team/attack path reduction for identity.
  • Compliance program experience (ISO 27001, SOC 2, NIST CSF, GDPR) and audit support.
  • Consulting or client-facing delivery experience in complex, multi-tenant contexts.
  • Relevant certifications (e.g., Okta Certified Professional, Microsoft/Azure security, AWS Security Specialty, CISSP, CCSP, BCS/TOGAF).

What We Offer

~2 min read

Our passion for shaping the next era of media is powered by our commitment to Be Extraordinary, investing in our employees to inspire transformational creativity. We also Lead Optimistically, firmly believing in and Championing Growth and Development for every individual. This commitment allows WPP Media employees to leverage the extensive global WPP Media & WPP networks to pursue their passions, build vital professional connections, and learn at the cutting edge of marketing and advertising. 

We Create an Open environment built on trust and respect, where everyone feels they belong and has opportunities to progress. This inclusive culture is fostered through a variety of employee resource groups and frequent in-office events showcasing team wins, sharing thought leadership, and celebrating holidays and milestone events. Our comprehensive benefits package reflects this commitment, including competitive medical, group retirement plans, vision, and dental insurance, significant paid time off, preferential partner discounts, and employee mental health awareness days. 

WPP Media is an equal opportunity employer and considers applicants for all positions without discrimination or regard to characteristics. We believe the best work happens when we're together, fostering creativity, collaboration, and connection in this open and supportive environment. That's why we’ve adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please discuss this with the hiring team during the interview process. 

Please note this is a UK based role and requires individuals to have the right to work in this location

Please read our Privacy Notice (https://www.wppmedia.com/pages/privacy-policy) for more information on how we process the information you provide.

 

While we appreciate all applications received, only those candidates selected for an interview will be contacted. 

 

#LI-Promoted

Please read our Privacy Notice for more information on how we process the information you provide. 

Location & Eligibility

Where is the job
London, United Kingdom
On-site at the office
Who can apply
GB

Listing Details

Posted
July 6, 2026
First seen
July 6, 2026
Last seen
July 6, 2026

Posting Health

Days active
0
Repost count
0
Trust Level
60%
Scored at
July 6, 2026

Signal breakdown

freshnesssource trustcontent trustemployer trust
Wppmedia
Wppmedia
greenhouse

Global media investment and marketing solutions company, formerly GroupM, owned by WPP plc

Employees
10,000+
Founded
2003
View company profile
Newsletter

Stay ahead of the market

Get the latest job openings, salary trends, and hiring insights delivered to your inbox every week.

A
B
C
D
Join 12,000+ marketers

No spam. Unsubscribe at any time.

WppmediaSenior Security Engineer