Principal Security Engineer (Cryptography & PKI)

Cloudflare•San Francisco, CA

About The Position

About The Team Join Cloudflare’s Security Architecture Team with the following with the foll focus areas : Strategic Alignment: Translates the Organisations Cyber risk tolerance into specific technical blueprints and implements controls/prescriptive policies in mitigation/managing or remediating these risks Preventative Focus: Focuses on "shifting left" to fix architectural flaws before they become bigger risks or cost Technical Consulting: Acts as internal subject matter experts for Procurement (TPRM) and Engineering teams. About the role/ What You’ll Do Provide input on technical security requirements for new infrastructure and engineering initiatives. Assist with documentation and maintenance of the corporate security architecture blueprints. Participate in the design of robust PKI hierarchies (Root CAs, Intermediate CAs, Issuing CAs) and certificate policies, selecting appropriate hardware (HSMs) and software for scalable, secure deployments. Provide security guidance and review of the deployment of encryption solutions across systems, applications, and networks. Provide security guidance and review of the end-to-end lifecycle of cryptographic keys and digital certificates, including generation, secure storage, rotation, usage, backup, revocation and destruction. Conduct analysis of existing encryption and management solutions to find weaknesses and identify gaps. Ensure encryption implementations meet industry standards (e.g., NIST, FIPS) and compliance mandates (e.g., GDPR, HIPAA). Document security requirements and architectural decisions. Assist with defining security policies and standards, enforcing best practices, conducting risk assessments, and ensuring compliance with regulations. Work with CISO, IT teams, developers, and engineers to implement secure designs.

Requirements

Either advanced studies in Cybersecurity, Computer Science, Information Systems, or similar
Excellent written and verbal communication skills, including the ability to effectively collaborate with technical and senior business staff and management.
12+ years of experience in information security, with 7+ years focused on applied cryptography and Public Key Infrastructure (PKI).
Expert-level knowledge of cryptographic primitives, algorithms (AES, RSA, ECC), hashing functions, and digital signature standards.
Proven experience designing and deploying Hardware Security Modules (HSMs) and enterprise Key Management Systems (KMS).
Strong understanding of regulatory and compliance frameworks related to data protection and packaging

Nice To Haves

Certifications: CISSP, CISM, or CCSP.
Experience with cloud-native KMS solutions (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS).
Worked on similar organisations in the past as Cloudflare

Responsibilities

Provide input on technical security requirements for new infrastructure and engineering initiatives.
Assist with documentation and maintenance of the corporate security architecture blueprints.
Participate in the design of robust PKI hierarchies (Root CAs, Intermediate CAs, Issuing CAs) and certificate policies, selecting appropriate hardware (HSMs) and software for scalable, secure deployments.
Provide security guidance and review of the deployment of encryption solutions across systems, applications, and networks.
Provide security guidance and review of the end-to-end lifecycle of cryptographic keys and digital certificates, including generation, secure storage, rotation, usage, backup, revocation and destruction.
Conduct analysis of existing encryption and management solutions to find weaknesses and identify gaps.
Ensure encryption implementations meet industry standards (e.g., NIST, FIPS) and compliance mandates (e.g., GDPR, HIPAA).
Document security requirements and architectural decisions.
Assist with defining security policies and standards, enforcing best practices, conducting risk assessments, and ensuring compliance with regulations.
Work with CISO, IT teams, developers, and engineers to implement secure designs.