It's fun to work in a company where people truly BELIEVE in what they're doing!
We're committed to bringing passion and customer focus to the business.
Public Partnerships LLC (PPL) helps people with disabilities, chronic illnesses, or other long-term health conditions stay at home and “self-direct” their care. Known as consumer direction in New York, this long-term care model empowers people to take control of who provides their services and where. PPL was selected to be the Statewide Fiscal Intermediary for the New York Consumer Directed Personal Assistance Program (CDPAP) starting in 2025. We will, along with a diverse alliance of service partners across the state, support the delivery of culturally sensitive and disability competent care to CDPAP participants. We are looking for people who share our passion for helping New Yorkers live happy, healthy, and independent lives to support CDPAP consumers and their personal assistants across a broad spectrum of services and functions.
Our culture attracts and rewards people who are compassionate, results-oriented, and driven to exceed customer expectations. We desire motivated candidates who are excited to join our fast-paced, consumer-focused environment, and who want to make a difference in helping transform the lives of the people we serve.
Learn more about PPL and CDPAP at https://pplfirst.com/cdpap
Job Summary
The Senior Network Security Engineer is a hands-on technical security leader responsible for ensuring that PPL's network environment — including its cloud-primary infrastructure in Microsoft Azure, secondary presence in AWS, Fortinet-protected physical locations, and remote-first workforce — is designed, configured, and operated in alignment with PPL's security requirements, standards, and regulatory obligations. Reporting to the Director of Cybersecurity Operations, this role defines network security requirements, reviews and validates network architecture and controls, performs security assessments and audits, and partners closely with the Infrastructure team's Sr. Network Engineer, who owns administration of PPL's network and network security devices. The role serves as the Information Security team's subject matter expert on network security — driving zero-trust strategy, supporting incident response, evidencing compliance, and protecting the confidentiality and integrity of Medicare and Medicaid protected health information (PHI).
Key Responsibilities
Network Security Strategy, Standards & Architecture Review
- Define and maintain PPL's network security requirements, standards, and baselines for cloud, on-premises, and remote-access environments — including Fortinet firewall configuration baselines, Azure and AWS network security baselines, segmentation standards, and secure remote-access requirements.
- Review and validate network architecture and design changes from a security perspective — providing requirements, recommendations, and sign-off as appropriate before changes are implemented by Infrastructure or Cloud Engineering.
- Drive PPL's zero-trust networking strategy across cloud, physical, and remote-workforce environments — establishing the security model, segmentation principles, and identity-aware access requirements that Infrastructure and Cloud Engineering execute against.
- Evaluate, recommend, and provide security requirements for new network security technologies (SASE/SSE platforms, NDR, DNS security, etc.) that improve visibility, reduce risk, and support automation across the enterprise.
- Define network-layer and zero-trust controls for enterprise AI service traffic — including egress policies, conditional access, and data-leakage protections for approved AI assistants (e.g., Microsoft Copilot, Claude) to enable responsible AI use while protecting PHI and proprietary data.
- Partner closely with the broader Infrastructure team — including the Sr. Network Engineer, systems and cloud engineers, and supporting infrastructure staff — to translate network security requirements into actionable engineering work and maintain consistent controls across Azure, AWS, Fortinet, and remote-access environments.
- Collaborate with DevOps and Cloud Engineering teams to embed network security controls into infrastructure-as-code, CI/CD pipelines, and automated deployment patterns — ensuring network security is enforced consistently and at the speed of delivery.
- Partner with Application Development teams on secure application network design — reviewing API exposure, service-to-service communication, ingress/egress requirements, and third-party integration patterns to ensure new and existing applications align with PPL's network security standards.
Network Threat Detection & Incident Response
- Conduct security reviews and assessments of PPL's network environment — including Fortinet firewall and wireless infrastructure (e.g., FortiGate, FortiAnalyzer), Azure network controls (NSGs, Azure Firewall, Application Gateway/WAF, private endpoints, ExpressRoute/VPN gateways), AWS network controls (security groups, NACLs, AWS Network Firewall, WAF, Transit Gateway, etc.), and ZTNA/VPN platforms.
- Lead periodic firewall rule reviews, segmentation validation, access-path analysis, and review of third-party network connections (vendor VPNs, B2B integrations, partner tunnels) and approved AI service connections to identify overly permissive rules, stale exceptions, and gaps against PPL's security standards; partner with Infrastructure on remediation.
- Validate secure configuration of network and network security devices against industry benchmarks (e.g., CIS, Fortinet hardening guides, cloud provider best practices) and PPL's internal standards — through periodic reviews and continuous posture monitoring where available.
- Coordinate with the vulnerability management program to identify, prioritize, and track remediation of network-related vulnerabilities across Fortinet devices, cloud network services, and supporting infrastructure.
- Lead architecture-level network security review for new initiatives — including new applications, SaaS solutions, and IT purchases with network connectivity or data-flow implications — ensuring alignment with PPL's network security standards.
- Develop and report network security posture metrics to leadership — including firewall rule review coverage, segmentation gaps, network vulnerability remediation, and progress against zero-trust initiatives — to inform program prioritization and demonstrate control effectiveness.
Network Threat Detection & Incident Response
- Serve as the Information Security team's senior escalation point for network-related security incidents — supporting investigation, containment, eradication, and recovery efforts across cloud and on-premises environments.
- Lead network forensics activities, including packet capture analysis, flow analysis (NetFlow, VPC flow logs), and review of firewall, proxy, and DNS logs to reconstruct attacker activity and inform response decisions.
- Utilize the SIEM platform during incident investigation and response — running network-focused queries across firewall, proxy, DNS, and cloud network telemetry to correlate events, identify scope, and reconstruct attacker activity.
- Leverage the enterprise XDR platform to correlate network signal with endpoint, identity, and email data during incidents — enabling cross-domain visibility that informs containment, remediation, and root-cause analysis.
- Lead network-specific threat hunting and adversary behavior analysis aligned to MITRE ATT&CK and current threat intelligence — particularly for techniques involving network reconnaissance, lateral movement, and data exfiltration in cloud and remote-access environments — in partnership with the Security Operations, IT & Cloud Security, AppSec/DevSecOps, and GRC functions across the broader incident response program.
- Direct network-layer containment actions (firewall blocks, segmentation changes, DNS sinkholing, conditional access enforcement, etc.) during active incidents — working through Infrastructure for execution and ensuring changes are documented and reversible.
- Contribute to post-incident reviews, identifying network-related root causes and recommending architectural, configuration, or operational improvements.
Monitoring & Detection Oversight
- Provide security oversight of network monitoring tools and platforms — including NDR, IDS/IPS, DNS security, and the use of firewall, proxy, and TLS-inspection logs — ensuring detections, alerts, and logging meet PPL's security requirements.
- Collaborate with SOC analysts on tuning network-layer detections to reduce false positives, improve signal quality, and align with current threat intelligence.
- Maintain situational awareness of emerging network-based threats, vulnerabilities, and attack vectors (e.g., ransomware command-and-control patterns, DNS tunneling, cloud lateral movement) and translate them into updated requirements, detections, and review priorities.
- Maintain documentation for network security standards, review procedures, runbooks, and assessment findings to support operational consistency and audit readiness.
Risk, Compliance & Governance Support
- Provide network security input into risk assessments, evaluating systems, applications, vendors, and services for network-layer exposure and recommending mitigating or compensating controls.
- Partner with the GRC function to evidence network security controls for NIST 800-53, HIPAA, SOC 2, and CMS audits — including firewall rule review evidence, segmentation documentation, cloud network configuration, and remote-access control artifacts.
- Collaborate with the GRC function on the development, maintenance, and enforcement of network security policies, standards, and procedures across the organization.
- Review and approve WAF and firewall policy changes, AI service access requests, and temporary security exceptions — ensuring requests align with PPL's network security standards and that exceptions are documented, time-bounded, and tracked through to remediation or renewal.
Collaboration, Communication & Awareness
- Partner across Infrastructure, Cloud Engineering, DevOps, Application Development, and the broader Cybersecurity team to translate security requirements into effective controls without disrupting business operations.
- Communicate network security findings, risks, and recommendations to both technical and non-technical audiences, including leadership.
- Contribute to security awareness initiatives, particularly around safe remote work practices, secure remote access, and phishing/social-engineering threats with a network component.
- Provide technical mentorship and direction to junior security and SOC staff on network security concepts, tooling, and investigation techniques.
Required Skills:
- Strong knowledge of information security and network security principles, controls, and best practices across cloud, on-premises, and remote-workforce environments.
- Hands-on experience assessing, configuring, or operating Fortinet firewall environments (FortiGate, FortiAnalyzer, FortiManager) at scale; ability to review configurations, rules, and policies for security compliance.
- Demonstrated knowledge of cloud network security in Microsoft Azure (NSGs, Azure Firewall, Application Gateway/WAF, private endpoints, hub-and-spoke design, ExpressRoute/VPN gateways) and AWS (security groups, NACLs, AWS Network Firewall, WAF, Transit Gateway, PrivateLink).
- Experience defining security requirements and reviewing architectures for ZTNA and secure remote access for distributed and remote-first workforces, including conditional access, identity-aware proxies, and integration with modern identity platforms.
- Demonstrated experience with network segmentation, micro-segmentation, and zero-trust networking principles.
- Proficiency in network protocols, routing, switching, TLS inspection, and packet/flow analysis sufficient to support detection engineering and incident response across cloud and on-premises environments.
- Proven ability to investigate, analyze, and respond to network-based security incidents, including log analysis, alert triage, and forensic review.
- Exposure to artificial intelligence platforms and the network security considerations specific to them — including data egress controls, secure access to AI services, and monitoring of AI-related network traffic.
- Strong understanding of healthcare-relevant regulatory and framework requirements (HIPAA, NIST 800-53, SOC 2, CMS) as they apply to network security controls.
- Ability to communicate network security findings, risks, and recommendations effectively to both technical and non-technical stakeholders.
- Strong organizational skills with the ability to manage multiple workstreams simultaneously.
Qualifications:
Education:
Bachelor’s degree in Computer Science, Information Systems, Network Engineering, Cybersecurity, or related field. Equivalent professional experience may be considered in lieu of a degree.
Experience:
Minimum of 6–8 years of progressive experience in network engineering and/or network security, with at least 3 years in a dedicated network security role and demonstrated cloud network security experience.
Certifications (Preferred):
One or more of: Fortinet NSE 4 / NSE 5 / NSE 7, Microsoft AZ-700 (Azure Network Engineer Associate), AWS Advanced Networking Specialty or AWS Security Specialty, CISSP, CCNP Security, or GIAC GCIA / GCIH.
Preferred Attributes:
Experience in healthcare, financial services, or other regulated industries; familiarity with maturing security programs in cloud-primary, remote-first organizations; experience with infrastructure-as-code and automation for network security (Terraform, Ansible, scripting).
Working Conditions:
Office and Remote work.
Up to 10% of travel expected.
Supervisory Responsibility (If applicable):
No direct reports at this time; expected to provide technical leadership, mentorship, and direction to junior security staff and applicable contractors.
Compensation: $104,000-$117,000
This role is eligible for a base salary within the posted range. Actual compensation will be determined based on a variety of factors, including skills, experience, and geographic location. Compensation may vary for positions based in high cost-of-labor markets.
The above is intended to describe the general contents and requirements of work being performed by people assigned to this classification. It is not intended to be construed as an exhaustive statement of all duties, responsibilities, or skills of personnel so classified.
PPL is an Equal Opportunity Employer dedicated to celebrating diversity and intentionally creating a culture of inclusion. We believe that we work best when our employees feel empowered and accepted, and that starts by honoring each of our unique life experiences. At PPL, all aspects of employment regarding recruitment, hiring, training, promotion, compensation, benefits, transfers, layoffs, return from layoff, company-sponsored training, education, and social and recreational programs are based on merit, business needs, job requirements, and individual qualifications. We do not discriminate on the basis of race, color, religion or belief, national, social, or ethnic origin, sex, gender identity and/or expression, age, physical, mental, or sensory disability, sexual orientation, marital, civil union, or domestic partnership status, past or present military service, citizenship status, family medical history or genetic information, family or parental status, or any other status protected under federal, state, or local law. PPL will not tolerate discrimination or harassment based on any of these characteristics.
If you like wild growth and working with happy, enthusiastic over-achievers, you'll enjoy your career with us!