PAHO Consultant - Information Security Architect and Engineer (ITS)

Work from home Full-time role Hiring

OBJECTIVE OF THE OFFICE/DEPARTMENT

This is a requisition for employment at the Pan American Health Organization (PAHO)/Regional Office of the World Health Organization (WHO)

Contractual Agreement: Non-Staff - International PAHO Consultant

Job Posting: June 1, 2026

Closing Date: June 8, 2026, 11:59 PM Eastern Time

Primary Location: Off Site

Organization: ITS Information Technology Services

Schedule: Full time

PURPOSE OF CONSULTANCY

Information Security Consultant - Security Architect and Engineer

PAHO is searching for an independent consultant to work at the Department of Information Technology Services (ITS), who will be responsible for the implementation of the following deliverables and activities within PAHO’s Information Security Program:

1. Background

The Pan American Health Organization (PAHO), as the specialized international health agency for the Americas and Regional Office for the Americas of the World Health Organization, relies on secure, resilient, and trusted digital services to support its technical cooperation, administrative operations, and regional public health mandate. The Department of Information Technology Services (ITS), through the Information Security Program, is strengthening PAHO’s cybersecurity architecture and engineering capabilities to address the evolving risks associated with cloud services, mobile access, SaaS platforms, data protection, artificial intelligence-enabled solutions, and internet-facing applications.

In this context, PAHO requires specialized consultancy support to enhance security architecture and technical controls across key areas, including application and AI security assessments, Cloud Security Posture Management (CSPM), Zero Trust Architecture, secure configuration standards, data and AI protection, Mobile Device Management (MDM), Web Application Firewall (WAF) and API security, and incident response enablement.

2. Purpose of the Consultancy

The purpose of this consultancy is to provide specialized Security Architecture and Engineering support to PAHO’s Information Security Program by designing, reviewing, and enabling technical security controls across cloud, application, data, AI-enabled, endpoint, and mobile environments. The consultant will support the assessment of applications, platforms, and AI-enabled services; contribute to the improvement of PAHO’s cloud, data and AI security posture; define and maintain secure configuration standards and security baselines; support the secure use of mobile devices through Microsoft Intune; and develop architectural recommendations, playbooks, and technical guidance to strengthen incident response enablement and security visibility.

DESCRIPTION OF DUTIES:

3. Duties and Responsibilities

Under the supervision of the Information Security Advisor (CISO), the consultant will perform the following activities:

A. Application Security and AI Security

ITS Accreditation Process: Support the ITS Accreditation Process by assessing applications, systems, and AI-driven solutions to identify security and privacy risks, and by providing technical security recommendations to ensure required controls and organizational standards are met.

Findings Management and Risk Mitigation: Document security assessment findings and coordinate follow-up actions with application owners, technical focal points, and/or custodians to support the mitigation of identified risks and maintain a robust and resilient security architecture.

Application, COTS, and AI-enabled Services Assessments: Perform security assessments of COTS applications, platforms, APIs, and AI-enabled services prior to onboarding, ensuring alignment with organizational security requirements, data protection standards, and approved AI usage guidelines.
API Security and Secure Integrations: Assess API exposure, authentication mechanisms, authorization controls, data flows, and integration patterns for applications, AI-enabled services, and third-party platforms to reduce risks associated with insecure interfaces or excessive access.

B. Cloud Security Posture Management, AI Security Posture, and Zero Trust

Cloud & AI Security Posture Management (CSPM / AISPM): Design and enhance security controls and visibility across PAHO’s cloud ecosystem, including AI-enabled services, leveraging the Microsoft Defender security stack, Entra ID Protection, and Web Application Firewall (WAF) solutions.

Cloud Control Enhancement and Remediation Support: Collaborate with responsible technical teams to support the remediation of identified cloud security gaps and architectural weaknesses, ensuring timely risk mitigation, and contributing to a resilient cloud and AI security posture that addresses both traditional and AI-driven threats.

Zero Trust Architecture (ZTA): Design and support the implementation of Zero Trust architectures based on “never trust, always verify” principles, prioritizing advanced Identity and Access Management (IAM), conditional access, network micro-segmentation, workload verification, and secure access to cloud and AI-enabled services. Extend Zero Trust controls to machine and non-human identities, such as service principals, managed identities, workload identities, API keys, automation accounts, AI-to-AI communications, and automated data pipelines, ensuring least-privilege access, strong authentication, encryption, and appropriate monitoring.

C. Data and AI Security Architecture & Protection

Data Discovery and AI Exposure: Support the design and architectural enablement of data discovery and mapping initiatives to maintain visibility over the Organization’s data landscape across cloud platforms, SaaS applications, and collaboration environments. Collaborate with data owners and custodians to identify sensitive and regulated data, shadow data, and potential AI-related data exposure risks.

Advanced Data Security Posture Management: Support the architecture, configuration, and control design for DSPM solutions to improve visibility into data exposure risks, over-permissioned access, insecure data locations, and unintended data exposure through AI-enabled services. Provide technical recommendations to harden data pipelines feeding AI models or Retrieval-Augmented Generation (RAG) systems, ensuring least-privilege access, strong identity controls, and protection against unauthorized data access.

Data Classification and Generative AI Guardrails: Support the configuration of data classification, labeling, and retention mechanisms aligned with organizational requirements. Provide technical guidance for Data Loss Prevention (DLP) and Generative AI guardrails to reduce the risk of sensitive data leakage through AI prompts, model interactions, or training processes.

Data and AI Security Lifecycle Enablement: Collaborate with data owners, custodians, and related stakeholders to provide architectural recommendations supporting a secure data lifecycle, from ingestion to disposal, including data masking, anonymization, and tokenization where appropriate.

D. Secure Configuration, Emerging Controls, and Device Security

Security Baselines and Secure Configuration Standards: Define, maintain, and update security baselines and secure configuration standards for cloud workloads, servers, identity platforms, endpoints, mobile devices, APIs, and application-facing infrastructure, ensuring alignment with recognized good practices, including CIS Benchmarks, NIST CSF principles, Microsoft security baselines, and organizational security requirements. Provide technical guidance to infrastructure, cloud, application, and operations teams to support implementation and validation of secure configurations.
Secure Infrastructure Practices and Emerging Controls: Support the continuous improvement of secure infrastructure practices by assessing architectural changes, cloud platform updates, emerging threats, and AI-enabled service adoption. Recommend enhancements to security controls, hardening practices, configuration patterns, and technical safeguards to maintain a resilient and secure technology environment.

Mobile Device Management and Endpoint Security: Support the ongoing technical maintenance, improvement, and controlled expansion of Mobile Device Management (MDM) using Microsoft Intune, including Bring Your Own Device (BYOD) scenarios. Support the maintenance and improvement of mobile and endpoint security policies, compliance rules, configuration profiles, and conditional access integration to reduce exposure, minimize attack surface, and ensure secure access to organizational applications, cloud services, and data.

E. Incident Management Enablement and Security Visibility

Incident Response Enablement and Automation: Support incident and alert management capabilities by designing and developing incident response playbooks and automation workflows within Microsoft Defender XDR / Microsoft Defender suite, Microsoft Sentinel, and Varonis, with the objective of improving response efficiency, consistency, and overall resiliency.

Identity-Driven and Cloud-Aware Threat Detection: Strengthen security detection and protection mechanisms by leveraging identity signals, conditional access policies, and built-in security templates from the Microsoft Defender security suite. Support the architectural integration of Microsoft Defender for Identity and Microsoft Defender for Cloud Apps to enhance threat detection, cloud application visibility, session monitoring, and anomaly detection.
Security Logging Architecture and Optimization: Support the analysis and architectural design of security log ingestion, correlation, and retention models to ensure comprehensive visibility of security events across cloud, identity, application, and infrastructure layers. Provide recommendations to optimize log coverage, scalability, and cost-effectiveness while supporting incident response and investigation requirements.

In addition to the above, to perform other related duties as assigned.

4. Required Qualifications

4.1. Education

Advanced university degree in Computer Science, Cybersecurity, Engineering, or other related disciplines from an accredited institution. A master’s degree in Cybersecurity, Information Systems or Risk Management will be an asset.

Desirable: Specialized training in cloud security, Zero Trust Architecture, data protection, and/or AI security.

4.2. Experience

At least thirteen years of relevant professional experience combined in information security, security operations, cloud and IT operations, and/or related areas.

Proven experience designing, assessing, and supporting the implementation of security controls in multi-cloud and enterprise environments.

Experience supporting Cloud Security Posture Management (CSPM), secure configuration standards and Zero Trust initiatives.

Experience applying cybersecurity frameworks such as NIST CSF 2.0, CIS Controls, ISO/IEC 27001, and data protection frameworks to support security architecture, control design, secure configuration, and technical risk assessment activities.

Experience with Microsoft Azure security services and the Microsoft security ecosystem, including Microsoft Sentinel, Defender, Entra ID, Intune, and related security capabilities.

Experience performing technical security assessments of applications, APIs, cloud services, SaaS platforms, and AI-enabled solutions.
Experience supporting incident enablement, including playbooks, automation workflows, logging strategies, and/or security visibility improvements in enterprise security environments.

Working knowledge of scripting, query, and automation languages such as PowerShell, Python, KQL, JavaScript, and/or shell scripting, as well as database technologies such as SQL Server, PostgreSQL, or MySQL.

4.3. Skills and Competencies

Ability to work collaboratively with cross-functional teams, including SMEs, developers, IT system administrators, application owners, data owners, and business stakeholders.

Ability to clearly communicate technical risks, architecture recommendations, and security requirements to both technical and non-technical stakeholders.

Strong analytical, problem-solving, documentation, and coordination skills.

Ability to translate security findings into actionable technical recommendations and implementation guidance.

4.4. Desirable Certifications

CISSP, CCSP, CISM, or equivalent.

Microsoft Certified: Azure Security Engineer Associate.

GIAC, CompTIA Security+, or equivalent cybersecurity certifications.

Certifications or training related to cloud security, data protection, AI security, or Zero Trust Architecture.

4.5. Language: Very good knowledge of English and Spanish

Salary: Band C – Daily Rate $369 - $449

Duration: 31 December 2026, extension subject to performance and availability of funds.

ADDITIONAL INFORMATION

This vacancy notice may be used to identify candidates for other similar consultancies at the same level. Successful candidates will be placed on the roster and subsequently may be selected for consultancy assignments falling in this area of work or for similar requirements/tasks/deliverables. Inclusion in the Roster does not guarantee selection for a consultant contract. There is no commitment on either side.

Only candidates under serious consideration will be contacted.

All applicants are required to complete an on-line profile to be considered for this consultancy. For assessment of your application, please ensure that your profile in the PAHO Career page is updated; all experience records are entered with elaboration on tasks performed at the time. Kindly note that CV/PHFs inserted via LinkedIn are not accessible.

A written test may be used as a form of screening.
If your candidature is retained for interview, you will be required to provide, in advance, a scanned copy of the degree(s)/diploma(s)/certificate(s) required for this position. PAHO/WHO only considers higher educational qualifications obtained from an institution accredited/recognized in the World Higher Education Database (WHED), a list updated by the International Association of Universities (IAU)/United Nations Educational, Scientific and Cultural Organization (UNESCO). The list can be accessed through the link: http://www.whed.net/. PAHO will also use the databases of the Council for Higher Education Accreditation http://www.chea.org/search/default.asp and College Navigator, found on the website of the National Centre for Educational Statistics, https://nces.ed.gov/collegenavigator to support the validation process. Some professional certificates may not appear in the WHED and will require individual review.

Any appointment/extension of appointment is subject to PAHO/WHO Regulations, and e-Manual.

For information on PAHO please visit: http://www.paho.org

PAHO/WHO is committed to providing a respectful and supportive workplace for all personnel.

PAHO is an ethical organization that maintains high standards of integrity and accountability. People joining PAHO are required to maintain these standards both in their professional work and personal activities. PAHO also promotes a work environment that is free from harassment, sexual harassment, discrimination, and other types of abusive behavior. PAHO conducts background checks and will not hire anyone who has a substantiated history of abusive conduct. PAHO personnel interact frequently with people in the communities we serve. To protect these people, PAHO has zero tolerance for sexual exploitation and abuse. People who commit serious wrongdoings will be terminated and may also face criminal prosecution.

PAHO/WHO has a smoke-free environment and does not recruit smokers or users of any form of tobacco.
Applications from women and from nationals of non- and underrepresented Member States are particularly encouraged.

Consultants shall perform the work as independent contractors in a personal capacity, and not as a representative of any entity or authority. The execution of the work under a consultant contract does not create an employer/employee relationship between PAHO and the Consultant.

PAHO/WHO shall have no responsibility whatsoever for any taxes, duties, social security contributions or other contributions payable by the Consultant. The Consultant shall be solely responsible for withholding and paying any taxes, duties, social security contributions and any other contributions which are applicable to the Consultant in each location/jurisdiction in which the work hereunder is performed, and the Consultant shall not be entitled to any reimbursement thereof by PAHO/WHO.
