Senior Technical Consultant – Cisco Security

We’re seeking a client-facing Senior Technical Consultant with deep, hands-on expertise in Cisco Identity Services Engine (ISE) and Cisco Firepower Threat Defense/Firepower Management Center (FTD/FMC). You will design, implement, migrate, and optimize secure network access and perimeter/segmentation controls for enterprise customers. This role blends technical leadership, delivery ownership, and trusted-advisor consulting—across discovery, architecture, build, testing, knowledge transfer, and post-deployment support

What You’ll Do (Key Responsibilities):
• Client Delivery & Consulting

• Lead end-to-end delivery of Cisco ISE and Firepower projects: discovery, High-level Design (HLD), Low-level Design (LLD), build, cutover, validation, documentation, and knowledge transfer.
• Facilitate workshops to gather requirements, assess current state, and map outcomes to best practices and security frameworks (e.g., Zero Trust, NIST).
• Create SOW inputs (scope, assumptions, milestones) and delivery artifacts (migration plans, rollback plans, test plans, runbooks).

Cisco ISE (Core Focus)

• Architect and deploy ISE in standalone and distributed personas (PAN/MnT/PSN), including HA and scale considerations.
• Design 802.1X and MAB policies for wired/wireless, RADIUS/TACACS+ services, device profiling, posture assessment, and Guest/BYOD onboarding flows.
• Build authorization policies using security group tags (SGT/TrustSec), dACLs, and dynamic VLANs; integrate with Active Directory/LDAP, PKI, Duo, and AnyConnect posture modules.
• Implement pxGrid integrations with ecosystem tools (e.g., SIEM, EDR, NAC partners) and guide segmentation strategies.

Cisco Firepower – FTD/FMC (Core Focus)

• Design and implement FTD (physical and virtual appliances) managed by FMC (HA, clustering, multi-context where applicable).
• Build Access Control Policies, SSL decryption, Intrusion Policies, Malware, Security Intelligence, URL Filtering, and NAT; tune policies for efficacy/performance.
• Understanding of IPsec (remote-access and site-to-site) IKEv1/IKEv2 and SSLVPN Secure Client/AnyConnect
• Migrate from legacy ASA to FTD with structured policy rationalization and cutover/runbook planning.
• Integrate FMC with external tools (e.g., ISE/pxGrid SGT, SIEM) and enable flow telemetry/Health/Correlation where appropriate.

Networking & Ecosystem (Plus)

• Collaborate across switching/routing (OSPF/BGP, EVPN/VXLAN), Cisco WLC/Catalyst wireless for 802.1X/WPA2‑Enterprise/PSK transitions, and SD‑WAN/VPN contexts.
• Tie-in with other Cisco security solutions (e.g., AnyConnect/Secure Client, Duo, Secure Endpoint (AMP), Umbrella, SecureX). Experience with other vendors’ firewalls/NAC is a bonus.

Quality, Documentation & Enablement

• Produce high-quality HLD/LLD, as-built documents, security policy maps, and operational runbooks.
• Conduct formal knowledge transfer (KT) and admin training; mentor junior consultants and collaborate with PMs on timeline/risk management.
• Contribute to internal accelerators (validated designs, automation snippets, migration checklists).

Post‑Delivery & Continuous Improvement

• Provide hypercare, root cause analysis, and optimization recommendations.
• Identify follow-on opportunities and feed delivery insights into presales, solution architecture, and packaged offerings.

What You’ll Bring (Qualifications):
• 7+ years in network/security engineering with 3–5+ years delivering Cisco ISE and Cisco FTD/FMC in enterprise environments.
• Proven delivery of multi‑site ISE and FTD projects (design through cutover), including HA, scale, and production operations.
• Hands-on with:
• ISE: 802.1X/MAB, RADIUS, TACACS+,Guest/BYOD, posture, profiling, SGT/TrustSec, dACLs, AD/LDAP, certificates/PKI, pxGrid, AnyConnect posture.
• FTD/FMC: access control, SSL decryption, intrusion policies (Snort 3), NAT, VPNs, HA/clustering, policy tuning, logging/SIEM integration.
• Solid L2/L3 networking fundamentals (VLANs, STP, routing protocols, VRF, QoS fundamentals); Wi-Fi 802.1X concepts.
• Strong consulting skills: discovery, requirements mapping, documentation, risk management, customer communication, and executive level updates.
• Experience with change management (ITIL), production cutovers, and rollback plans.
• Excellent written/verbal communication; ability to lead workshops and train admins.

Preferred/Bonus
• Relevant certifications (one or more highly desired): CCNP Security, Cisco Certified Specialist – ISE/Firepower, CCIE Security (written or lab), CISSP, GIAC (e.g., GPCS, GCIA, GSEC).
• Experience with Duo, Secure Client/AnyConnect posture, Secure Endpoint (AMP), Umbrella, ISE SGT integration with FMC, and SecureX.
• Cross vendor exposure (Palo Alto, Fortinet, Aruba ClearPass, Check Point, Juniper) and migration experience.
• Scripting/automation for repeatability (e.g., Python, Ansible, REST APIs for FMC/ISE), Git basics, and templating mindset.
• Exposure to Zero Trust segmentation, identity centric access, and compliance frameworks (NIST, CIS Controls, ISO 27001).
• SIEM/EDR/SOAR integrations and incident response collaboration experience.

Success Metrics (KPIs):
• On‑time, on budget delivery across assigned SOWs.
• Adoption & Stability: Post-go-live incident rate, mean time to resolution, and policy efficacy (e.g., reduced false positives).
• Quality: Artifact completeness (HLD/LLD/as-built/runbooks), peer reviews passed, and customer satisfaction (CSAT/NPS).
• Knowledge Transfer: Customer admin readiness and KT scoring.
• Practice Enablement: Reusable assets contributed; mentorship feedback.
• Utilization: Billable utilization targets met while maintaining quality.

Sample Project Types You’ll Lead:
• Enterprise 802.1X rollout with ISE (wired/wireless), posture assessment, guest/BYOD, and SGT-based segmentation.
• ASA-to-FTD migration including policy rationalization, NAT redesign, SSL decryption strategy, and high availability.
• ISE pxGrid integration with FMC/SIEM/EDR for adaptive policy and threat response.
• Zero Trust network access initiative mapping identities to SGTs and enforcing via TrustSec and FMC policies.

Education:
• Bachelors in computer science, Information Systems, Cybersecurity, or equivalent experience.