Information Security Consultant - SaaS Security

SaaS Security - Information Security Consultant

Full-Time, Hybrid – New York, NY

The Opportunity

As a SaaS Security consultant and member of Enterprise Cyber Security, you will be responsible for securing the organization’s SaaS ecosystem. Your primary objective will be to assess, implement, and monitor security controls across SaaS platforms such as Microsoft 365, Atlassian, Salesforce, Workday, ServiceNow, and others. You will act as a trusted security advisor to business, IT, legal, privacy, and procurement teams, ensuring SaaS solutions meet organizational security, privacy, compliance, and risk management requirements. The consultant leads SaaS security reviews, defines security requirements, evaluates vendor controls, and supports ongoing risk monitoring throughout the SaaS lifecycle from intake and onboarding through renewal and decommissioning.

The Team

Our Application Security team is dedicated to ensuring the security of MassMutual applications through rigorous assessments and proactive measures. While we collaborate closely with security architects, DevOps engineers, and software developers, our core team focuses on securing applications by identifying, risk assessing, prioritizing, reporting, remediation guidance, and continuously monitoring applications for vulnerabilities, implementing security best practices, and assisting teams in remediating vulnerabilities. Our team brings various backgrounds and experiences spanning from software engineering to red teaming, valuing continuous learning, innovation, and collaboration.

The Impact:

Key Responsibilities

• Provide security advisory and risk analysis for SaaS usage within the enterprise, focusing on how SaaS applications are configured, accessed, and used post‑onboarding.
• Coordinate with cyber domain owners (Third-Party Security, IAM, Data Protection, Cloud, Privacy, IT Operations, SOC, etc.) to collaboratively define, document, and maintain SaaS security baselines and minimum control expectations.
• Partner with the Third‑Party Onboarding team by consuming their assessment outputs, and focus on usage‑level, configuration‑level, and lifecycle security considerations beyond initial vendor due diligence.
• Translate enterprise security, privacy, and regulatory requirements into clear SaaS security standards, guidance, and acceptance criteria for application owners.
• Review SaaS architectures, integrations, and data flows to identify security and data protection risks and provide documented recommendations to stakeholders.
• Review, assess, and secure SaaS applications based on security best practices and benchmarks (e.g., CSA, CIS, NIST), including participation in SaaS vendor security reviews.
• Monitor and identify misconfigurations, excessive permissions, or shadow IT SaaS usage using SSPM tools and drive remediation with application owners.
• Coordinate remediation planning and security exception management for SaaS‑related risks, ensuring alignment across business owners and control owners.
• Support ongoing SaaS security assurance activities, including periodic posture reviews, reassessments, and control attestations in collaboration with relevant teams.
• Provide consultative support during SaaS‑related security incidents or changes, including impact assessment and stakeholder coordination.
• Report SaaS security posture, trends, and systemic risks to security leadership and governance forums to support informed decision‑making.

The Minimum Qualifications

• Bachelor’s degree in Information Security, Computer Science, Risk Management, or a related field (or equivalent professional experience).
• 5+ years of experience in Information Security, Cloud Security, SaaS Security, or Cyber Risk Management roles (this can be a combination of academic, research-based, or professional environment).

Ideal Qualifications

• 8+ years of experience in Information Security, SaaS Security, Cloud Security, GRC, or Cyber Risk Management within a large or complex organization.
• Deep expertise in SaaS security governance models, including defining security baselines, standards, and risk tiering in federated environments.
• Proven experience operating as a security consultant or advisor, influencing decisions across business, IT, legal, privacy, and compliance stakeholders without direct authority.
• Strong understanding of enterprise SaaS ecosystems, including common platforms (e.g., M365, Salesforce, ServiceNow, Workday, Atlassian) and typical risk patterns in their usage and integrations.
• Advanced knowledge of identity and access governance for SaaS, including role design, entitlement risk, least‑privilege models, and lifecycle access considerations (advisory focus only).
• Demonstrated ability to translate regulatory and privacy requirements (e.g., GDPR, CCPA/CPRA, industry regulations) into practical SaaS security guidance and control expectations.
• Experience partnering effectively with Third‑Party Risk teams, consuming vendor onboarding outputs and extending security oversight into post‑onboarding SaaS usage and lifecycle risk.
• Demonstrated experience assessing SaaS security risk and advising on secure usage, configuration expectations, and lifecycle governance.
• Strong working knowledge of SaaS architectures and shared responsibility models, including identity, data protection, logging, and integrations.
• Experience reviewing vendor security documentation (e.g., SOC 2 Type II, ISO 27001, SIG/CAIQ, pen test summaries) and translating findings into risk‑based recommendations.
• Hands‑on experience coordinating security requirements across multiple domain owners (IAM, Cloud, Privacy, Legal, IT, GRC) in a federated operating model.
• Solid understanding of identity and access management concepts relevant to SaaS (SSO, MFA, RBAC, provisioning models), with an advisory not operational focus.
• Knowledge of common security and compliance frameworks, such as NIST CSF/800‑53, ISO 27001/27002, Cloud Security Alliance (CSA) SaaS Security Capability Framework (SSCF), Cloud Controls Matrix (CCM), and SOC 2 Trust Services Criteria.
• Strong written and verbal communication skills, with the ability to document security expectations, risk summaries, and governance decisions clearly for both technical and non‑technical stakeholders.
• Proven ability to influence without authority, balance security risk with business needs, and drive alignment across cross‑functional teams.
• Strong documentation and communication skills, with a track record of producing clear security standards, risk narratives, executive‑ready summaries, and governance artifacts.
• Experience supporting audits and regulatory inquiries, ensuring SaaS security decisions and exceptions are defensible and well‑documented.
• Strong understanding of the Cloud Security Alliance (CSA) SaaS Security Capability Framework (SSCF), Cloud Controls Matrix (CCM), and SaaS-specific guidance.
• Professional security certifications such as CISSP, CISM, CCSP, CRISC, or ISO 27001 Lead Implementer/Auditor (preferred).
• Familiarity with SaaS security tooling (SSPM, CASB, GRC platforms) from a requirements definition, oversight, or reporting perspective, not tool administration.
• Ability to balance security rigor with business enablement, enabling SaaS adoption while maintaining risk transparency and control consistency.

Core Values

• Accountability: Earn confidence and trust by demonstrating ownership, commitment follow-through in achieving results.
• Agility: Manage priorities effectively and adapt quickly to achieve goals.
• Communication: Inform and influence others clearly, timely, and appropriately.
• Courage: Are not afraid to speak up when it matters, ask tough questions, make decisions and/or admit when help is needed.
• Development: Exhibit curiosity and pursue learning opportunities.
• Inclusion: Drive collaborative solutions and results by seeking and valuing diverse backgrounds, experiences and perspectives.
• Leading Others: Create an environment where the team is inspired, engaged and motivated. For anyone in a leadership role (informal or formal).
• Resilience: Adapt and thrive in complex, uncertain and changing situations.
• Self-Awareness: Demonstrate ability to identify, assess and manage the interpersonal dynamics of self and others in a variety of situations.

#LI-RK1

MassMutual is an equal employment opportunity employer. We welcome all persons to apply.

If you need an accommodation to complete the application process, please contact us and share the specifics of the assistance you need.

California residents: For detailed information about your rights under the California Consumer Privacy Act (CCPA), please visit our California Consumer Privacy Act Disclosures page.