Information Security Engineer
Generate a McCoy IQ challenge in 30 seconds.
See how candidates think and approach the work this role demands, before the phone screen. We'll build a video challenge from this posting, and you can edit or share it before it goes live.
Key details
Job Description
About Ropes & Gray
Ropes & Gray is a preeminent global law firm. The firm has been ranked in the top three on The American Lawyer's prestigious A-List for eight consecutive years and #1 on Law.com's UK A-List twice in the past three years - rankings that honor the "best of the best" law firms. The firm has approximately 2,500 lawyers and professionals serving clients in major centers of business, finance, technology, and government in Boston, Chicago, Dublin, Hong Kong, London, Los Angeles, Milan, New York, Paris, San Francisco, Seoul, Shanghai, Silicon Valley, Singapore, Tokyo and Washington, D.C.The firm has consistently been recognized for its leading practices in many areas, including asset management, private equity, M&A, finance, real estate, tax, antitrust, life sciences, health care, intellectual property, litigation & enforcement, privacy & cybersecurity, and business restructuring. Ropes & Gray is an equal opportunity employer.
Overview
Under the direction of the Senior Manager of Information Security Engineering and Architecture, the Information Security Engineer implements, manages, and maintains the firm's information security infrastructure, empowers the firm's secure adoption of AI technologies, and responds to and investigates information security incidents to closure or escalation. The Information Security Engineer is a highly experienced, hands-on technologist with a professional foundation in network engineering, systems engineering, software development, cloud infrastructure engineering, or a related IT discipline, serving as the technical lead and subject matter expert for the implementation, administration, and maintenance for assigned information security technologies deployed by the firm. This role spans the full breadth of the firm’s technology landscape, including on-premises systems, cloud-native and hybrid architectures across IaaS, SaaS, and PaaS platforms, generative AI and agentic systems, and enterprise application environments, all consistent with industry best practices, applicable standards, and regulatory requirements.
The scope of this position is firm wide and requires a thorough understanding of all IT systems the firm uses and how those systems are secured — encompassing on-premises infrastructure, multi-cloud platforms (IaaS), AI and machine learning systems, enterprise applications, and the network infrastructure that connects them.
The Information Security Engineer advises the Information Security Team on emerging vulnerabilities and newly introduced risks to firm systems — including risks introduced by the adoption of generative AI, agentic AI architectures, and the continued expansion of cloud services — and takes a proactive approach in continually assessing the security of firm systems throughout their lifecycle, providing recommendations for enhancing security and adapting to new threats and vulnerabilities.
Responsibilities
ESSENTIAL FUNCTIONS:
Excellent customer service skills and sense of urgency when resolving issues
Strong knowledge of information security principles and practices
Hands-on experience supporting hardware, software, and security architecture
Serve as the subject matter expert (SME) for information security platforms, when assigned as the primary engineer; on-going threat analysis and research
Play a significant role in responding to and containing information security related incidents
Conduct regular technical risk assessments of firm systems and infrastructure
Oversee and directly participate in the installation, configuration, and management of information security technologies
Utilize Cloud Security Posture Management (CSPM) and Cloud-Native Application Protection Platform (CNAPP) tools to continuously identify and remediate misconfigurations, compliance drift, and over-privileged access across IaaS, PaaS, and SaaS environments, including container orchestration platforms, serverless architectures, and CI/CD pipeline integrations
Assess and mitigate security risks introduced by generative AI adoption — including prompt injection attacks, context manipulation, agentic workflow abuse, and Model Context Protocol (MCP) server vulnerabilities — and assist in the development and enforcement of organizational AI usage policies.
Maintain current working knowledge of generative AI concepts and architecture — including large language models (LLMs), prompt engineering, context engineering, AI skills and function-calling, agentic AI frameworks, and Model Context Protocol (MCP) servers — in order to effectively evaluate, design security controls for, and advise stakeholders on AI-integrated systems and workflows
Maintain expertise in the OWASP Top 10, OWASP Top-10 GenAI, CWE/CVE frameworks, and emerging application-layer attack techniques; API security testing, and web application firewall (WAF) policy management
Network security experience — including next-generation firewalls (NGFW), intrusion detection and prevention systems (IDS/IPS), network segmentation and microsegmentation, network traffic analysis (NTA), DNS security, IPSec VPN, and secure access service edge (SASE) architectures — to protect firm technology infrastructure
Assist in the development and knowledge transfer to Information Security team members, Information Services groups, and business support teams
Promote a culture of information security across all business units
Performs ticketed work-related duties
Flexibility to work escalated issues and/or apply production changes off-hours where needed
Participate in On-Call rotation for after-hours/weekend support
Periodic travel may be required
Qualifications
EDUCATION, EXPERIENCE AND SKILLS REQUIRED:
Self-directed and driven, with a proven ability to prioritize and execute independently in fast-paced environments.
Bachelor of Science in Computer Science, Information Technology, Cybersecurity, or a related technical discipline; equivalent hands-on technical experience demonstrating the same depth of competency will be considered in lieu of a degree
Minimum 3 years of experience in dedicated information security roles, with a demonstrated track record of engineering, deploying, and operating enterprise-scale security controls and leading response to sophisticated incidents
5 or more years of prior hands-on IT experience in a foundational technical discipline, such as network engineering, systems administration, software or application development, cloud infrastructure engineering, or DevOps/platform engineering
Working knowledge of generative AI technologies and their associated security considerations, including LLM architecture, prompt engineering and context engineering concepts, AI skills and function-calling, agentic AI frameworks, and Model Context Protocol (MCP) server security; demonstrated ability to identify and mitigate AI-introduced risks is highly desirable
Strong working knowledge of information security software and services, including EDR/XDR, zero trust network access (ZTNA), web security/proxy, application control, security service edge (SSE), DNS security, identity and access management (IAM/PAM), DLP, CASB, and SIEM platforms
Strong working knowledge of Crowdstrike Next-Gen SIEM is desirable
Strong knowledge of cloud security principles and architecture across all major delivery models: IaaS (AWS, Azure, GCP), SaaS (M365, NetDocs, iManage, Workday, etc.), and PaaS (container and Kubernetes security, serverless function hardening, and CI/CD pipeline security); M365 Defender and Microsoft Purview expertise is highly desirable; hands-on experience with CSPM and CNAPP tooling preferred
Strong working knowledge of TCP/IP and network architecture
Desired: Hands-on experience with network security technologies including next-generation firewalls (NGFW), IDS/IPS, network access control (NAC), network traffic analysis (NTA), microsegmentation, and SASE/SD-WAN architectures
Desired: Hands-on application security experience including operation of SAST, DAST, and SCA tooling, API security testing and assessment, web application firewall (WAF) administration, secure SDLC program participation, and familiarity with DevSecOps practices
Professional security certifications are desired but not required: CISSP, CCSP, CEH, OSCP, AWS Security Specialty, or GIAC certifications (GCIH, GPEN, GWEB, GWAPT, GCFE); active pursuit of relevant credentials is encouraged and supported by the firm
Strong written and oral communication skills
Organized, responsive and thorough problem solver
Ability to manage multiple concurrent activities and effectively prioritize time and effort, in a high-pressure environment
Ability to adapt quickly to changing priorities
Maintains strict confidentiality regarding sensitive firm information, personnel matters, and internal affairs, and exercises sound discretion at all times.
A committed team player who fosters strong working relationships, embraces the diverse expertise of colleagues, and contributes to a culture of trust, inclusion, and shared purpose.
Compensation and Total Rewards Package
Ropes & Gray is proud to offer a comprehensive Total Rewards package to our business support team members. The firm also offers comprehensive health and well-being benefits, personal and professional development, career growth opportunities and a collegial and supportive culture. The anticipated pay range for this role is listed below and represents our good faith and reasonable estimate of the starting salary range at the time of posting. In addition, this role is eligible for a discretionary bonus based on performance. The actual offered rate for this position will be determined based on job-related, non-discriminatory factors, including qualifications and experience, geographic location, education, external market data and consideration of internal equity.
Boston: $117,200 - $178,700
New York: $127,900 - $195,000
Working Conditions
Flexibility to work escalated issues off-hours and apply production changes where needed.
Periodic travel may be required.
The list of duties and responsibilities is not intended to be all-inclusive and may be expanded to include other duties or responsibilities that management may deem necessary from time to time.
Audit details(provenance, verification trail, raw fields)
Core fields
ropes-gray:9200Provenance
https://www.ropesgrayrecruiting.com/en/us?office=902596c6-3c3e-4dc4-829d-64a6d4128bc9%2cfcb0cdf1-b2f4-4c8c-bf34-a4038d0c7ad4%2c90b8272b-1452-4c1d-9810-83c40312cd9a%2cbe36ae6f-a0f1-412b-8d02-aad9ff591a71%2ca26c6308-915c-4d25-9a34-12883e20f305%2ce3324eae-3b28-4da1-8cb0-1fc3549b8bfe%2c0cee6835-f930-40e6-b359-0fc873e569e4%2c7c6d62a9-3a81-43a7-8166-702febc2ee16Verification trail
This posting hasn't been probed by our closure verifier yet. Stream C runs on a rolling schedule against postings approaching the close-decision threshold.
LLM enrichment
See how we measure for definitions, or our corrections log for known issues. Found something wrong? Flag a correction.
