Senior Principal, Cybersecurity Architect

As a Senior Principal, Cybersecurity Architect at QXO , you’ll author the enterprise cybersecurity standards and reference architecture that technology programs are built against. This is the senior-most individual contributor seat in the cybersecurity function reporting to the SVP, CISO with a dotted line to the VP, IT Strategy & Architecture.

QXO is building a modern cybersecurity function from the ground up — automation-first, AI-native, sized to the risk profile of a high-growth Fortune 500. Your architecture and collaboration shape how infrastructure, software engineering, enterprise applications, and data platforms get built — not just how cyber runs. This role is recognized as a senior technical voice inside and outside the company.

QXO, Inc. (NYSE: QXO) is the largest publicly traded distributor of roofing, waterproofing, and related products, and the second largest publicly traded distributor of lumber and building materials in North America. QXO is the fastest growing company in the $800 billion building products distribution industry and plans to become the tech-enabled leader by delivering best-in-class customer satisfaction and outsized returns for its shareholders. The company is targeting $50 billion in annual revenues within the next decade through accretive acquisitions and organic growth.

• Define and maintain the enterprise identity reference model, including zero trust, identity governance, access lifecycle, and privileged access concepts
• Define and maintain the enterprise application security reference model, including secure software development lifecycle, code-to-cloud, signed software bills of materials, artifact provenance, and runtime posture management
• Partner with infrastructure leaders to embed security architecture across network, endpoint, cloud platform, and data center environments
• Partner with engineering leaders to embed security architecture into developer pipelines, secure-by-design patterns, and continuous integration and delivery controls
• Partner with enterprise application and data leaders to embed security architecture across ERP, business systems, third-party integrations, data classification, lineage, and access models
• In partnership with the VP, IT Strategy & Architecture, define and maintain the security reference architecture for mergers and acquisitions integration, so acquired environments can be absorbed at speed while preserving security posture
• Establish architectural guardrails for agentic AI across the security function and the enterprise, including scope boundaries, prompt auditing, tool permissions, AI security posture management, and model supply chain controls
• Engineer for simplicity, standardization, and automation in every control. Automation comes before headcount — the charter is to size cybersecurity to QXO’s risk and scale.
• Hold the line on private-by-default, zero trust, and CIS hardening via Infrastructure-as-Code. Anything that ships at QXO ships hardened.
• Translate cybersecurity architecture into business outcomes. Tight, data-backed, no jargon unless warranted.
• Lead by architecture, not by org chart. Influence the technical direction across IT, engineering, and external implementers without owning their headcount.
• Anchor the program to NIST CSF 2.0. Own the architectural roadmap that drives measurable maturity gains year over year.

• 12+ years in cybersecurity, with 7+ as a hands-on architect at Fortune 500 scale.
• Authorship — not familiarity — with agentic AI and AI-SPM architecture. You have designed guardrails for AI agents in production: scope, prompt auditing, tool permissions, MCP supply chain.
• CI/CD experience. Signed SBOMs, artifact provenance, runtime posture management, configuration drift — and you can defend the architectural choices on a whiteboard.
• IaC-first instincts. Terraform, hardened images, private-by-default, zero trust. You have shipped the automation, not just sketched it.
• M&A integration scars. You have absorbed acquired environments at speed without breaking the security posture. Enclave models and brokered access are second nature.
• Deep cloud architecture across OCI, Azure, or GCP. Multi-cloud preferred.
• A point of view on where cybersecurity is headed in the next 6–12 months. You build to where the industry is going, not where it is.
• Bachelor’s degree in Computer Science, Information Assurance, MIS, or equivalent practical experience. Master’s preferred.
• CISSP, CISM, or SANS GIAC

• Base pay range: $147,200 - $235,500

• Annual performance bonus

• Long term incentive (equity/stock)
• 401(k) with employer match
• Medical, dental, and vision insurance
• PTO, company holidays, and parental leave
• Paid Time Off/Paid Sick Leave: Applicants can expect to accrue 15 days of paid time off during their first year (4.62 hours for every 80 hours worked) and increased accruals after five years of service.
• Paid training and certifications
• Legal assistance and identity protection
• Pet insurance
• Employee assistance program (EAP)

To comply with Pay Transparency laws, employers must disclose an annual salary range. Actual offers depend on factors such as location, experience, skills, and market data. This position may also offer variable compensation. 

Please contact  View email address on jobs.qxo.com if you have any questions related to this job posting.

QXO is an Equal Opportunity Employer. We value diversity and do not discriminate  on the basis of race, color, religion,  gender or sexual orientation , national origin, age, disability, or any other protected status.

Salary Range: