HMH is a learning technology company committed to delivering connected solutions that engage learners, empower educators and improve student outcomes. As a leading provider of K-12 core curriculum, supplemental and intervention solutions, and professional learning services, HMH partners with educators and school districts to uncover solutions that unlock students' potential and extend teachers' capabilities.
HMH serves more than 50 million students and 4 million educators in 150 countries. HMH Technology India Pvt. Ltd. is our technology and innovation arm in India focused on developing novel products and solutions using cutting-edge technology to better serve our clients globally. HMH aims to help employees grow as people, and not just as professionals.
We are seeking a Senior Cloud Security Engineer to lead and manage the security of our cloud infrastructure. The role involves designing and implementing advanced security solutions, identifying vulnerabilities, and ensuring the protection of cloud-based applications and data. The ideal candidate will have deep expertise in cloud security, compliance, and automation, as well as a passion for safeguarding critical business assets. You will plan, implement and track key initiatives focused on product / application security strategy, metrics, compliance, policy, developer awareness, training and stakeholder engagement. You should be confident in communicating security directives to all levels of the organization, including team members, leadership, and executives, as needed. You will collaborate closely with cross-functional teams, including Engineering, Product Management, DevOps, Legal, Risk, and Compliance, to enhance product and application security controls and drive meaningful improvements for the team and its members.
Duties & Responsibilities include:
Design and implement cloud security architectures to protect applications, data, and infrastructure hosted in cloud environments (AWS, Azure, GCP, etc.).
Secure cloud platforms such as AWS, Azure, or GCP, including services like IAM, VPC, S3, and KMS.
Develop and enforce cloud security policies, standards, and guidelines.
Create and maintain secure golden images for VM and containerized environments to ensure standardized, vulnerability-free deployments.
Configure and maintain Identity and Access Management (IAM) policies, roles, and permissions for least privilege access.
Implement encryption strategies for data at rest, in transit, and during processing.
Monitor cloud environments for security incidents and vulnerabilities using tools like ORCA, SIEM, CSPM (Cloud Security Posture Management), and CWPP (Cloud Workload Protection Platforms).
Ensure compliance with regulatory frameworks such as GDPR, HIPAA, SOC 2, and PCI DSS as they pertain to cloud environments.
Create and monitor cloud security metrics to evaluate the effectiveness of application security programs, overseeing the entire lifecycle of security alerts from detection to incident response.
Work closely with the Product and Architecture teams to review designs and ensure robust cloud security.
Lead application security remediation efforts and mitigation initiatives, aligning with developer community priorities.
Investigate and respond to security incidents, collaborating with incident response teams to mitigate and resolve threats effectively.
Create scripts and automation tools using languages like Python, Java, PowerShell, and Bash to improve security workflows and optimize vulnerability management processes.
Plan, implement, and track key initiatives to strengthen application security across all stages of the software development lifecycle (SDLC).
Advocate within the organization to ensure the security of data, systems, applications, and networks, adhering to security best practices.
Provide IT system support for security-related tasks as needed, focusing on specific security areas.
Work autonomously and effectively to meet deadlines.
Address regulatory requirements and implement technical aspects of compliance standards such as SOC2, ISO27001, GDPR, and SOX, ensuring full compliance with relevant regulations.
Qualifications:
Over 5 years of experience in cloud security, cloud infrastructure management, AWS shared services components or a related field, with extensive hands-on expertise in cloud platforms such as AWS, Azure, and GCP.
Good understanding of cloud platforms, security, and tools (e.g., PaaS, IaaS, SaaS) and support.
Good experience and understanding of security infrastructures in traditional data centers.
Proven track record of designing and implementing security controls in cloud-native environments.
Strong proficiency in scripting and automation with Python, PowerShell, or Terraform etc.
Experience with additional programming languages such as Java, C/C++, or Perl is a plus.
In-depth understanding of Identity and Access Management (IAM) in cloud environments.
Strong understanding of encryption and authentication technologies used in cloud environments.
Strong understanding of and familiarity with Kubernetes and microservice architecture is needed.
Familiarity with DevSecOps practices and tools such as Jenkins, GitHub Actions, Snyk, Orca, SonarQube etc.
A deep understanding of encryption and authentication technologies is essential to ensure the security of applications.
2+ years of application architecture or development experience, with familiarity and understanding of web application development frameworks (React, NodeJS, Angular, Spring, MVC etc.).
Good understanding of web application development framework (Spring/J2EE) and the MVC (Model-View-Controller) design pattern for building robust, scalable applications, using Angular/React for creating dynamic, single-page applications (SPAs).
Prior experience designing, developing, and debugging secure software for externally facing corporate web sites within a Web Content Management framework is nice to have.
Over 3 years of hands-on experience with vulnerability assessment tools such as SAST, DAST, IAST, RASP, and WAF, including tools like Snyk, Orca, Rapid7, CrowdStrike, Imperva WAF, Mitiga, Akamai Bot Manager etc.
Working knowledge of identifying and validating security vulnerabilities in applications, understanding common web application attack vectors, assessing associated risks, and developing effective mitigation plans.
Proven experience in leading application security remediation efforts, driving mitigation initiatives that align with the priorities of the developer community.
Experience working in a collaborative, agile development environment and effectively contributing as a team player is a must.
Strong communication skills (both oral and written), along with excellent interpersonal, organizational, and presentation abilities.
Capable of translating complex data into executive-level graphical reports and dashboards.
Good experience with SIEM and log management tools such as Datadog, Splunk, LogRhythm, New Relic, Kibana and others is a plus.
Understanding of a comprehensive framework for managing cybersecurity risk, e.g. CIS, NIST or ISO 27001, ISO 27701, COBIT, GDPR etc.
HMH Technology Private Limited is an Equal Opportunity Employer and considers applicants for all positions without regard to race, colour, religion or belief, sex, age, national origin, citizenship status, marital status, military/veteran status, genetic information, sexual orientation, gender identity, physical or mental disability or any other characteristic protected by applicable laws. We are committed to creating a dynamic work environment that values diversity and inclusion, respect and integrity, customer focus, and innovation.