Director - CIAM Architecture

Collabera

Toronto

Hybrid

CAD 120,000 - 150,000

Full time

Today

Job summary

A leading financial institution is seeking a seasoned architect to own the end-to-end CIAM architecture strategy. This role involves leading the design and implementation of solutions for risk-based authentication and API security. The ideal candidate will bridge Azure cloud environments with on-premise systems, collaborating with cross-functional teams to enhance client usability while ensuring security compliance.

Responsibilities

  • Define and evolve the target state CIAM architecture.
  • Champion governance to maintain architectural integrity.
  • Analyze large-scale identity and fraud datasets.

Job description
Overview

The Canadian Bank is transforming client identity management to create secure, frictionless experiences across all digital touchpoints. In this high-impact role, you will own the end-to-end CIAM architecture strategy, leading the design and implementation of advanced solutions for risk-based authentication, user consent and privacy management, API security, and real-time integration of fraud and threat intelligence signals. You will bridge Azure cloud environments with on-premise systems to enable scalable identity solutions that protect clients while enhancing usability. This role is ideal for a seasoned architect who is passionate about cybersecurity, data-driven decision-making, and enterprise governance. You will collaborate with cross-functional teams in Digital, Security, Data, and Product to pilot innovative technologies and scale them enterprise-wide. The role offers a balanced mix of responsibilities across architecture, governance, and analytics, with opportunities to innovate, enforce standards, and derive actionable insights from complex data sets.

Key Responsibilities
  • 60% Solution Architecture (Lead Architect Role): Define and evolve the target state CIAM architecture, create reference patterns and multi-year roadmaps spanning web, mobile, API, and call-center channels. Leverage Azure technologies (Entra External ID / Azure AD B2C) alongside on-premise identity services to build hybrid ecosystems. Architect risk-based and passwordless authentication workflows with MFA, FIDO2 / WebAuthn, device trust signals, and step-up authentication. Use OAuth 2.1, OpenID Connect (OIDC), SAML, and SCIM to ensure secure, standards-compliant implementations. Integrate with API gateways, WAFs, CDNs, and fraud detection platforms; design resilient data pipelines that aggregate threat intelligence and behavioral analytics into policy decision engines for real-time risk assessment. Develop comprehensive solution dossiers including NFRs, sequence and flow diagrams, data models, integration contracts, 12-factor app adherence, resiliency patterns, and migration strategies from legacy IAM systems (e.g., AD, ADFS, CA SiteMinder). Foster partnerships with Digital, Security, Data, and Product teams to deliver pilots, iterate on feedback, and scale solutions across lines of business in compliance with regulatory requirements.
  • 20% Architecture Governance (TOGAF-Aligned): Champion governance to maintain architectural integrity and promote reusability, applying TOGAF methodologies. Lead architecture reviews and ARBs, enforce enterprise standards, reusable building blocks, and ArchiMate-based models for capability maps and viewpoints. Establish and enforce CIAM guardrails for API security, secrets and key management, token lifetimes, user consent frameworks, and data retention policies; measure compliance through audits and metrics. Manage risk and technical debt backlogs, oversee exception processes and remediation planning, and contribute to strategic investment cases, vendor evaluations, licensing, and total cost of ownership analyses.
  • 20% Analytics & Intelligence: Use data analytics to optimize CIAM operations and threat detection. Analyze large-scale identity and fraud datasets (e.g., clickstream, authentication logs, SIEMs, data lakes/warehouses) to refine policies, minimize unnecessary MFA prompts, and reduce user friction. Operationalize threat intelligence feeds (STIX/TAXII, FS-ISAC, commercial sources, OSINT) into automated detections, risk scoring models, and adaptive security controls. Define and track KPIs (e.g., Authentication Assurance Levels, false positives/negatives, conversion rates, session abandonment, fraud loss avoidance) and publish interactive dashboards for decision-makers.
Qualifications and Experience
  • CIAM Leadership: 8+ years designing and leading CIAM or external identity platforms at enterprise scale, preferably in financial services or regulated industries.
  • Fusion / Intelligence Expertise: 7+ years in cyber fusion, threat intelligence, or data-fusion environments, integrating multiple intelligence sources for real-time security decisions. (Note: Fusion refers to the integration of cyber, threat, and data signals.)
  • Large-Scale Data Handling: 10+ years with big data and advanced analytics tools (Azure Data Lake, Databricks, Apache Spark, Kafka, SQL/NoSQL) to transform telemetry into policy-driven actions.
  • Cloud and On-Premise Proficiency: Extensive experience with Azure services (Entra External ID / Azure AD B2C, Key Vault, Event Hubs, Functions, App Service) and on-premise IAM systems.
  • Threat Analytics Skills: Experience with SIEM/UEBA tools (e.g., Sentinel, Splunk), bot mitigation, device fingerprinting, anomaly detection, and orchestration of fraud/risk signals.
  • Standards and Security Mastery: Deep knowledge of OAuth 2.1, OIDC, SAML, SCIM, FIDO2/WebAuthn, JWT/JWE/JWS, mTLS; familiarity with NIST 800-63, PCI DSS, PIPEDA, GDPR for consent and privacy management.
  • TOGAF Application: Practical use of TOGAF ADM, with ArchiMate modeling experience (certification a plus).
  • Leadership Track Record: Experience building and mentoring architecture teams, influencing senior stakeholders, and managing vendor relationships (e.g., Okta, Ping Identity, ForgeRock).
  • Must-Have Skills: Architecting CIAM at scale for web, mobile, and API; integrating Azure Entra External ID / Azure AD B2C with hybrid on-premise identity; implementing risk-based authentication, MFA/passwordless, and consent management; incorporating threat intel, SIEM, and bot mitigation; data engineering with Spark, Databricks, Kafka; leading TOGAF-based governance and ARBs; creating reference architectures; proficiency in OAuth 2.1, OIDC, SAML, SCIM, API security, and zero-trust patterns.
  • Nice-to-Have Skills: Experience with anti-fraud platforms (ThreatMetrix, Arkose Labs, BioCatch) and device intelligence; familiarity with API gateways (Apigee, Kong, Azure APIM) and WAF/CDN (Akamai, Cloudflare); knowledge of CDP, MDM, CMP (OneTrust); expertise in mobile identity (AppAuth/OIDC, pinning, device attestation); experience in regulated FI environments with OSFI/SOC 2/ISO 27001.