Head of Security Engineering (AWS/KMS)

About The Position

Requirements

• 8+ years in security engineering (cloud, platform, and/or product security), with 3+ years leading teams or leading org-wide technical programs.
• Expert AWS security experience in production environments (multi-account, high availability).
• Deep AWS KMS expertise: key policies, grants, rotation, and cross-account usage patterns.
• Strong working knowledge of IAM, identity design, and least-privilege access controls in cloud environments.
• Proven ability to build security automation (infrastructure-as-code, CI/CD integration, policy enforcement, developer enablement).
• Clear communication skills: can write standards/runbooks and influence senior engineers and executives.

Nice To Haves

• Experience in trading, fintech, crypto, or other 24x7 and/or low-latency production environments.
• Experience building paved-road platforms (golden pipelines, secure templates, internal developer platforms).
• Familiarity with cloud security tooling ecosystems (CSPM/CIEM, vulnerability management, SAST/DAST, secrets tooling).

Responsibilities

• Lead and grow a high-performing security engineering team (cloud, platform, application security), setting roadmap, standards, and measurable outcomes.
• Establish engineering patterns that balance speed and control (secure defaults, automation-first, self-service guardrails).
• Own cloud security architecture for AWS: landing zone patterns, multi-account strategy, network segmentation, identity and access design, logging/telemetry baselines, and infrastructure hardening.
• Build preventative controls using infrastructure-as-code and policy-as-code; drive adoption across engineering teams.
• Own the enterprise encryption program in AWS, including KMS key policy design and governance (least privilege, separation of duties, break-glass, auditable admin/use roles).
• Define safe grant usage patterns and operational best practices for AWS services and applications.
• Own key lifecycle management: rotation strategy, aliasing/migration patterns, and recovery considerations.
• Design cross-account and multi-account access patterns and controls aligned to Keyrock’s cloud operating model.
• Embed security into the SDLC: threat modeling, secure coding guidance, code scanning, dependency controls, build-time checks, and release gates.
• Partner with Platform Engineering to harden runtime environments (containers, Linux, CI/CD runners, secrets management, service-to-service authentication).
• Partner with Security Operations to ensure engineering-driven outcomes: high-signal detections, incident response tooling readiness, forensic logging, and secure configurations that reduce blast radius.

Benefits

• Work on security challenges unique to digital-asset liquidity and trading across venues.
• Build durable security capabilities for a high-impact, high-availability business.