Senior Security Engineer – HSM & ICA Risk Management

Dallas, TX, US • Posted 4 hours ago • Updated 4 hours ago
Contract Independent
Contract W2
Contract Corp To Corp
6 Months
No Travel Required
On-site
Depends on Experience

Job Details

Skills

  • Senior Security Engineer
  • Risk management
  • Certificate Authority ICA services
  • HSMaaS
  • cryptographic risk
  • PKI vulnerability management
  • Cloud PKI platforms
  • AD CS template governance
  • Cyber Risk
  • Audit
  • Regulatory stakeholders
  • SAN

Summary

Senior Security Engineer – HSM & ICA Risk Management

On Site Work Option

Senior Security Engineer responsible for risk management, governance, and control oversight of enterprise Internal Certificate Authority (ICA) services and HSMaaS. This role focuses on cryptographic risk, PKI vulnerability management, AD CS template governance, and assurance across on-prem, HSM-backed, and Cloud PKI platforms. The position serves as a designated risk and control owner, providing oversight, challenge, and assurance to Cyber Risk, Audit, and Regulatory stakeholders.

This is not a pure PKI Engineering role; the emphasis is on risk identification, control effectiveness, vulnerability remediation, and policy enforcement for cryptographic services.

Key Responsibilities

PKI Vulnerability Management

Own PKI vulnerability management for internal and external certificate services, including:

  • Weak or deprecated algorithms and key sizes
  • Certificate template configurations
  • Enrollment permissions and privilege management
  • SAN injection and name constraint risks
  • Expired, orphaned, or non-compliant certificates

[additional items may be cut off / not visible]

[cut off] exceptions, and compensating controls where scanning is restricted

PKI & ICA Risk Management — Primary Focus

Act as risk owner for Internal CA (ICA) and HSM cryptographic services.

Identify, assess, and manage PKI-specific risks, including mis-issuance, weak cryptography, SAN abuse, key compromise, expired certificates, and trust chain failures.

Maintain PKI risk registers, control mappings, and risk acceptance documentation aligned with enterprise risk frameworks.

Partner with Cyber Risk (CRISK), Audit, Compliance, and Architecture teams to support exams, audits, regulatory inquiries, and management responses.

Translate PKI and cryptographic weaknesses into business and regulatory risk language suitable for leadership and auditors.

AD CS Template Access Governance

Review, approve, and govern Microsoft AD CS certificate templates from a risk and control perspective.

Own and manage AD security groups used for certificate enrollment and template permissions.

Enforce strict governance for templates that allow Subject Alternative Name (SAN) [cut off / partially visible]

[cut off] compliant access.

Cryptographic & HSM Risk Oversight

Provide security oversight for HSM-protected CA and signing keys, including custody, ceremonies, backup, and recovery.

Assess and mitigate cryptographic risks related to:

  • Key management practices and HSM configuration
  • Cloud PKI and SaaS certificate management platforms

Drive crypto-agility and Post-Quantum Cryptography (PQC) readiness from a risk perspective.

Incident Response & Assurance

Support investigation and root cause analysis of PKI-related security incidents, including certificate compromise or mis-issuance events.

Assess impact, risk exposure, and required remediation actions.

Produce risk-focused reporting and metrics for security leadership and governance forums.

Minimum Qualifications

5+ years in Security Engineering, PKI, Identity, or Cryptographic Infrastructure roles.

Strong understanding of PKI risk, certificate misuse scenarios, and control failures in

 

DIRECT CANDIDATES ONLY. PLEASE. NO THIRD PARTY

CANDIDATE WHO CAN WORK FOR ANY EMPLOYER IN USA WITHOUT ANY SPONSORSHIP

Please submit your resume along with the following required information to:

  1. Contact number

  2. Email

  3. Current location

  4. Work Authorization

  5. Availability

  6. Pay Rate

 



 

 

  • Dice Id: 10243843
  • Position Id: STS617-Security Engineer