Principal Cryptographic Security Engineer

About The Position

Requirements

• 8+ years of experience in cryptographic systems, PKI, or security engineering
• Experience designing, implementing or supporting a large enterprise certificate management program.
• Deep practical knowledge of: TLS, X.509 certificates, trust chains, and lifecycle management
• Cryptographic key management and HSM platforms
• At least one major cloud provider’s encryption ecosystem (AWS and/or Azure)
• Tools & Platforms (hands-on experience): Venafi (TLS Protect / Trust Protection Platform or equivalent)
• Thales CipherTrust / HSM platforms (or comparable)
• ServiceNow CMDB, workflow, or task routing for security operations
• Scripting or automation using Python, PowerShell, or similar languages
• API-based integration and automation
• A bachelor’s or master’s degree in Computer Science, Computer Engineering, Cryptography, Mathematics, or a related field.

Nice To Haves

• Experience with post-quantum cryptography planning or trials
• Exposure to CBOM / cryptographic inventory efforts
• Financial services or other highly regulated environments
• Prior experience balancing platform operations and engineering roles

Responsibilities

• Design and evolve enterprise cryptographic architectures across: Public Key Infrastructure (PKI), TLS / certificate lifecycle management, Cloud key management (AWS KMS, Azure Key Vault), Hardware Security Modules (HSM’s, Thales)
• Serve as a subject-matter expert for: Cryptographic algorithms, protocols, and key management practices, Certificate chains, trust models, and lifecycle controls
• Provide senior technical oversight for cryptographic operations, including: Certificate issuance, renewal, validation, and incident response, Key rotation events (including CMKs managed via external HSM/KMS platforms), Emergency response to cryptographic outages or trust failures, Act as an escalation point for complex cryptographic incidents where failure would cause production impact.
• Design and implement automation that reduces manual cryptographic work, including: Certificate discovery, ownership inference, and lifecycle automation, Integration with ServiceNow for workflow, ownership routing, and change enablement, API-driven automation with platforms such as Venafi, CyberArk, Wiz, ServiceNow, AWS, Openshift Cert-Manager.
• Lead the organization’s PQC strategy and preparedness, including: Inventorying quantum-vulnerable cryptography, Defining crypto-agility requirements, Evaluating hybrid TLS and PQC migration paths
• Translate evolving standards (NIST PQC, CNSA 2.0, industry guidance) into practical, staged engineering plans that do not destabilize production systems.
• Collaborate closely with cryptographic assurance and QA functions to: Validate correctness of cryptographic deployments, Review high-risk changes, Assess and document exceptions and compensating controls
• Support audits and regulatory reviews by: Explaining cryptographic controls and operating models, Demonstrating risk-based decision-making

Benefits

• competitive pay
• comprehensive medical coverage
• dental coverage
• vision coverage
• retirement benefits
• maternity/paternity leave
• flexible work arrangements
• education reimbursement
• wellness programs
• paid time off policy exceeds the mandatory, paid sick or paid time-away policy of every local and state jurisdiction in the United States