IT Info Security Specialist/Sr

Position Summary

Working independently or as part of a team, contributes to the planning, implementation, and management of the Information Security program to safeguard ERIE’s digital assets. Implements and maintains security systems and procedures to govern, identify, protect, detect, respond to, and recover from cybersecurity risks, threats, vulnerabilities, and incidents. Completes and may lead assignments of moderate complexity within the Information Security portfolio with minimal guidance. Performs duties in one or more of the following Information Security disciplines, including but not limited to: Application Security (AppSec); Cloud Security (CloudSec); Governance, Risk Management & Compliance (GRC); Identity & Access Management (IAM); Security Operations (SecOps), or Vulnerability Management.

What You Will Do:

As an IT Info Security Specialist you will:

• Serve as a member of a security and technology team responsible for administering and maintaining identities, access, and entitlements across IAM platforms.
• Support the implementation and enforcement of identity controls, ensuring alignment with organizational policies, standards, and governance frameworks.
• Collaborate with security leadership, technical teams, and business stakeholders to design and implement access models aligned with the organization's risk posture (e.g., least privilege, RBAC/ABAC).
• Administer and support IAM technologies including SSO, directory services, MFA, certificate services, privileged access management (PAM).
• Investigate, troubleshoot, and resolve identity and access-related issues across internal users, external partners, and contractor populations.

Preferred Skills and Experience:

• 3-5+ years' experience in cybersecurity and with IAM practitioner experience.
• Administration and familiarity with directory services, Entra ID, SSO, MFA and RBAC.
• Ability to conduct certifications/recertification campaigns and produce compliance reports for management.
• Ideally, familiar with one or more regulatory requirements and laws such as, but not limited to: PCI DSS, FFIEC, the Sarbanes-Oxley Act, HIPAA, GDPR and GLBA. Additionally, experience in one or more: ISO 27001, NIST, CIS.
• Preferable experience with one or more scripting languages:
  • Python, PowerShell and Bash
• Familiarity with SCIM, SAML, OAuth, OIDC and other identity federation protocols and standards.
• Experience with identity lifecycle management processes and workflows, access provisioning/deprovisioning and user account management across multiple systems.
• Strong written and oral communication skills across varying levels of the organization.

What Makes You Stand Out:

• Deep experience with enterprise IAM platforms (SailPoint IIQ, CyberArk,PING,AD workflows)
• Strong automation mindset (reducing manual provisioning)
• Security & Risk Mindset
• Understands IAM as a primary attack surface, not just operations
• Proactively identifies excessive access and toxic combinations
• Uses data (logs, metrics, KPIs) to improve identity posture

Duties and Responsibilities

• Installs, configures, administers, and analyzes information security technologies, controls, and practices that maintain the confidentiality, integrity, and availability of ERIE's information systems and data assets.
• Continuously detects, logs, monitors, alerts, and reports on information security controls, exceptions, vulnerabilities, threats, risks, and incidents. Executes actions to protect assets and detect vulnerabilities or threats. Executes actions to respond to and recover from vulnerabilities or threats.
• Develops and manages relationships with diverse groups of stakeholders at multiple levels. Partners and aligns with cross-functional risk assurance, IT, and business teams across the enterprise to implement, align, and ensure compliance with security measures.
• Establishes and ensures that security measures are in line with industry standards, best practices, and regulations. Measures and improves the operating rhythm of Information Security as well as the risk posture of ERIE. Advances Information Security controls through maturity assessments, continuous process and automation improvements, appropriate policies/standards/procedures, and capability development.
• Develops and presents reports, metrics, dashboards, and evidence to stakeholders across the enterprise up to and including leadership and corporate officers. Provides support to end-users on security-related issues. Effectively communicates to and influences stakeholders through oral and written communications. 
• Provides discipline-specific knowledge in support of security awareness and outreach to ensure that information security best practices are understood and followed enterprise wide.
• Remains current on industry best practices, standards, frameworks, regulations, and emerging security threats through research, training, and participation in industry associations. Makes recommendations for improving the company's security posture. Shares recommendations, knowledge, and relevant content to inform, mentor, or trains others.
   

The first seven duties listed are the functions identified as essential to the job. Essential functions are those job duties that must be performed for the job to be accomplished.

This position description in no way states or implies that these are the only duties to be performed by the incumbent. Employees are required to follow any other job-related instruction and to perform any other duties as requested by their supervisor, or as become clear.
 

Capabilities

Qualifications

Minimum Education and Experience Requirements

• Bachelor’s degree in relevant field <e.g., IT, MIS, Cyber Security, Risk Management> and 2 years of related experience; or
• Associate degree in relevant field and 4 years of related experience; or
• High School diploma or equivalent and 6 years of related experience, required. 
• Completion of a relevant IT-career preparation program approved by ERIE’s Human Resources and IT Talent Optimization Departments if unrelated degree and/or less experience.
• Relevant certifications and/or military training/service may be considered for equivalent education/experience.

Additional Experience

• Foundational knowledge and skill associated with at least one Information Security discipline and in at least one IT domain (analysis, engineering, system administration), required.  
• Experience with IT delivery or operational methodologies (agile delivery, SDLC, ITIL), preferred.
• Critical thinking skills and analytical mindset required.
• Persuasive communication and interpersonal skills, and ability to convey technical concepts to non-technical stakeholders, required. 
• Ability to participate in on-call rotations and work outside of regular business hours to support cyber event and incident handling may be required.

Physical Requirements