Principal Security Architect

Description

Location:
Memphis, TN

Weekly

Schedule:

Monday
- Friday: 9am-5pm

• Manages solution design from conception, through ARB, to delivery
• Primarily responsible for producing architect ure documentation for security applications as assigned and as projects and programs of work dictate
• Maintains First Horizon’s Security Architect ure Pattern Inventory (across identity, data, application, network, and cloud) as a member of the Core Enterprise Architect ure Team
• Leads security design workshops and POC efforts for new ( security ) capabilities
• Aligns Information Security Technology strategy and planning with First Horizon’s business goals and objectives
• Promotes the use of a shared infrastructure and application roadmap to reduce costs and improve how assets are secured
• Builds and maintains technical trusted advisor relationships with influential technical decision makers within Technology
• Works with engineers to ensure that technical solutions as delivered align with Information Security Standards and Policies
• Works with Portfolio technology leaders to include IT Risk and Security Exception initiatives in portfolio roadmap
• Manage Encryption Standards: key management, tokenization for payments, DLP/classification/handling; architect PCI DSS segmentation boundaries and compensating controls.
• Manage Network/Zero Trust Standards: microsegmentation across Azure and colocation; secure branch/office connectivity; define workload identity and continuous verification patterns; enforce least privilege.
• Detection/telemetry:
  Publish Splunk logging schema, retention, and correlation strategies; onboard logs from Azure, Colo, API Gateways, IAM, Cyber Ark, MFaaS, and core platforms; drive ATT&CK‑aligned detections and forensic readiness.
• Secure SDLC and supply chain:
  Operationalize threat modeling; collaboratively define CI/CD control overlays with Dev Ops; establish artifact signing/SBOM standards; ensure secrets handling and container/Kubernetes baselines where applicable.
• Governance and risk:
  Maintain control overlays mapped to FFIEC/GLBA/PCI/NIST; lead design reviews; manage exceptions with remediation timelines; produce audit-ready decision records in partnership with the CISO team.
• Payments and third-party/SaaS:
  Define intake and security requirements for MFaaS, Salesforce, Service Now, FIS/Fiserv/Bottomline integrations—identity, logging, data handling, and PCI scoping.
• Physical security integration:
  Align building access, video, and visitor systems with identity and logging patterns; coordinate incident playbooks with Corporate/Physical Security .
• Enablement and influence:
  Mentor senior architect s and engineering associates; lead communities of practice; communicate strategy, benefits, and trade-offs to executives and delivery teams.

• Bachelor's degree in Computer Science, Management Information Systems, or related field
• (12+) years of Information Security experience
• (7+) years of Security Architect ure
• Experience in regulated financial services
• Experience with Azure security architect ure across multi-tenant/region and hybrid environments; strong Zero Trust and network segmentation expertise
• Regulatory fluency: FFIEC, GLBA, PCI DSS; practical NIST CSF/800-53 mapping; MITRE ATT&CK‑aligned detection design.
• Experience with technical documentation like interaction diagrams, process diagrams, network topologies and other architect ural content
• Experience with Agile/SAFe methodologies
• Experience with Enterprise Architect ure Governance: ARB/design councils, exception handling, and audit narratives; ability to set and harmonize enterprise standards.

• Strongly preferred: CISSP or CompTIA Security +
• Preferred: CCSP; CISM or CRISC; SANS GCSA or GCLD; PCI Professional (PCIP) or equivalent GIAC enterprise defense/IR certifications

• Ability to adapt to new technologies and learn quickly
• Enterprise architect ural leadership across identity, cloud, application, data, and network security .
• IAM for associates (Entra , Active Directory) and clients (Transmit Security , Forge Rock/Ping, or Okta); OAuth/OIDC; phishing-resistant MFA/passkeys; PAM integration and…