The Senior PAM Engineer will play a key role in securing Mattel's most sensitive accounts and systems by implementing, managing, and supporting privileged access solutions. This role will focus on designing, operating, and troubleshooting PAM platforms and integrations, ensuring privileged identities are properly managed, monitored, and protected across on-premises, cloud, and hybrid environments.
As a senior engineer, this position serves as an escalation point for complex PAM issues, privileged account lifecycle management, secrets management, and access control enforcement. The Sr. PAM Engineer will work closely with IAM Architects, IAM Engineers, and ITDR Analysts to strengthen privileged account security, ensure compliance with regulatory requirements, and contribute to operational resilience through automation, monitoring, and risk remediation. 
 
Objectives of this Role 
• Implement, support, and enhance PAM solutions including CyberArk, Okta OPA, BeyondTrust, Delinea, Admin By Request and Cerby for privileged account and secrets management.
• Administer and monitor Windows/Linux server privilege management and endpoint privilege management (Windows/macOS).
• Provide escalation support for complex PAM integrations, API connections, and secrets management issues.
• Ensure privileged accounts follow lifecycle management, rotation, and access control best practices.
• Support incident management, disaster recovery planning, and risk remediation specific to privileged accounts.
• Collaborate with IAM Engineers and ITDR Analysts on threat detection, incident response, and privileged access misuse investigations.
• Maintain compliance with SOX, PCI, and audit requirements, including User Access Reviews (UARs) and reporting.
• Develop and maintain runbooks, playbooks, workflows, and technical documentation for PAM operations.
• Develop and maintain monitoring dashboards with tools such as Grafana, Splunk, and Sumo Logic for PAM metrics and alerts.
• Drive automation of privileged access tasks (e.g. PowerShell, VBScript, Python, REST APIs, Ansible, or Terraform).
• Mentor other engineers and promote PAM best practices across the enterprise.
• Additional duties may be assigned as necessary to meet the ongoing needs of the organization.
• Work hours may vary, and the position may require availability during off-business hours as dictated by project needs, system changes, or security events.
 
Skills and Qualifications 
 
Required: 
• 5+ years of strong hands-on experience in Privileged Access Management or identity security tools (e.g. CyberArk, Okta OPA, BeyondTrust, Delinea, and Cerby for PAM and secrets management).
• Hands-on expertise in secure password rotation, credential vaulting, and secrets management for privileged accounts across Windows/Linux servers and Windows/macOS endpoints.
• Proven experience designing and enforcing least privilege access, Just-in-Time (JIT) provisioning, and role-based access control (RBAC) models within enterprise PAM solutions.
• Hands-on experience with Active Directory/LDAP, Entra ID (Azure AD), and cloud PAM integrations (e.g. AWS, GCP and Azure).
• Experience supporting incident response, disaster recovery, and risk remediation in PAM environments.
• Knowledge of compliance requirements (SOX, PCI) and experience supporting User Access Reviews (UARs) and audit reporting.
• Proficiency with monitoring and analytics platforms (e.g. Grafana, Sumo Logic, CrowdStrike ITP etc.).
• Excellent communication and collaboration skills with the ability to support cross-functional security initiatives.
• Experience developing operational dashboards, metrics, and compliance reporting.
• Advanced Microsoft Excel, including pivot tables, formulas, and data analysis.
• Certification in CyberArk or comparable PAM technologies, with demonstrated ability to design, implement, and maintain secure privileged access environments.
• Participate in after-hours rotations or on-call duties to support critical incident response as needed.
 
Preferred: 
• Bachelor's degree in technology or applicable experience.
• CISSP, CISMP certification, or other security certifications.
• Familiarity with endpoint detection and response (EDR) integrations for PAM (e.g., CrowdStrike ITP).
• Background in scripting and automation with PowerShell, Python, and REST APIs.
• Strong troubleshooting skills across Windows/Linux platforms, middleware, load balancers, SSL certs, and cloud components.
• Familiarity with authentication and federation protocols (SAML, OAuth, OIDC, SCIM).
• Experience with automation and infrastructure tools (Ansible, Terraform, CI/CD pipelines).