Principal Cryptographic Security Engineer

Cyber Security

Johnston, Rhode Island

Description

The Principal Cryptographic Security Engineer is a hands‑on technical leader responsible for designing, operating, and evolving the organization’s cryptographic platforms with a strong emphasis on operational resilience, automation, and risk reduction.

This role sits at the intersection of cryptography, PKI, certificate lifecycle management, cloud KMS, automation, and incident prevention. The Cryptographic Engineering team must balance run‑the‑platform responsibility with build‑the‑future engineering, ensuring the enterprise’s cryptographic controls are stable today and adaptable to emerging threats such as post‑quantum cryptography (PQC).

Key Responsibilities

Cryptographic Engineering & Architecture

  • Design and evolve enterprise cryptographic architectures across: 
    • Public Key Infrastructure (PKI)
    • TLS / certificate lifecycle management
    • Cloud key management (AWS KMS, Azure Key Vault)
    • Hardware Security Modules (HSMs, Thales)
  • Serve as a subject‑matter expert for: 
    • Cryptographic algorithms, protocols, and key management practices
    • Certificate chains, trust models, and lifecycle controls
  • Provide senior technical oversight for cryptographic operations, including: 
    • Certificate issuance, renewal, validation, and incident response
    • Key rotation events (including CMKs managed via external HSM/KMS platforms)
    • Emergency response to cryptographic outages or trust failures
  • Act as an escalation point for complex cryptographic incidents where failure would cause production impact.
  • Design and implement automation that reduces manual cryptographic work, including: 
    • Certificate discovery, ownership inference, and lifecycle automation
    • Integration with ServiceNow for workflow, ownership routing, and change enablement
    • API‑driven automation with platforms such as Venafi, CyberArk, Wiz, ServiceNow, AWS, and OpenShift Cert-Manager.
  • Lead the organization’s PQC strategy and preparedness, including: 
    • Inventorying quantum‑vulnerable cryptography
    • Defining crypto‑agility requirements
    • Evaluating hybrid TLS and PQC migration paths
  • Translate evolving standards (NIST PQC, CNSA 2.0, industry guidance) into practical, staged engineering plans that do not destabilize production systems.
  • Collaborate closely with cryptographic assurance and QA functions to: 
    • Validate correctness of cryptographic deployments
    • Review high‑risk changes
    • Assess and document exceptions and compensating controls
  • Support audits and regulatory reviews by: 
    • Explaining cryptographic controls and operating models
    • Demonstrating risk‑based decision‑making
  • 8+ years of experience in cryptographic systems, PKI, or security engineering
  • Experience designing, implementing or supporting a large enterprise certificate management program. 
  • Deep practical knowledge of: 
    • TLS, X.509 certificates, trust chains, and lifecycle management
    • Cryptographic key management and HSM platforms
    • At least one major cloud provider’s encryption ecosystem (AWS and/or Azure)
  • Tools & Platforms (hands‑on experience)
    • Venafi (TLS Protect / Trust Protection Platform or equivalent)
    • Thales CipherTrust / HSM platforms (or comparable)
    • ServiceNow CMDB, workflow, or task routing for security operations
  • Scripting or automation using Python, PowerShell, or similar languages
  • API‑based integration and automation
  • Nice‑to‑Have Experience
    • Experience with post‑quantum cryptography planning or trials
    • Exposure to CBOM / cryptographic inventory efforts 
    • Financial services or other highly regulated environments
    • Prior experience balancing platform operations and engineering roles

Education and Certifications 

  • A bachelor’s or master’s degree in Computer Science, Computer Engineering, Cryptography, Mathematics, or a related field. 
  • Preferred Certifications: GIAC (GCED), CISSP, CCSP, CISM, AWS Certified Security, or relevant certification.

Pay Transparency

The salary range for this position is $145,000 - $175,000, plus an opportunity to earn an annual discretionary bonus. Actual pay is based on various factors including but not limited to the work location, and relevant skills and experience.

We offer competitive pay, comprehensive medical, dental and vision coverage, retirement benefits, maternity/paternity leave, flexible work arrangements, education reimbursement, wellness programs and more. Note that Citizens’ paid time off policy exceeds the mandatory paid sick or paid time-away policy of every local and state jurisdiction in the United States. For an overview of our benefits, visit https://jobs.citizensbank.com/benefits.

Some job boards have started using jobseeker-reported data to estimate salary ranges for roles. If you apply and qualify for this role, a recruiter will discuss accurate pay guidance.

Equal Employment Opportunity

Citizens, its parent, subsidiaries, and related companies (Citizens) provide equal employment and advancement opportunities to all colleagues and applicants for employment without regard to age, ancestry, color, citizenship, physical or mental disability, perceived disability or history or record of a disability, ethnicity, gender, gender identity or expression, genetic information, genetic characteristic, marital or domestic partner status, victim of domestic violence, family status/parenthood, medical condition, military or veteran status, national origin, pregnancy/childbirth/lactation, colleague’s or a dependent’s reproductive health decision making, race, religion, sex, sexual orientation, or any other category protected by federal, state and/or local laws. At Citizens, we are committed to fostering an inclusive culture that enables all colleagues to bring their best selves to work every day and everyone is expected to be treated with respect and professionalism. Employment decisions are based solely on merit, qualifications, performance and capability.

Background Check

Any offer of employment is conditioned upon the candidate successfully passing a background check, which may include initial credit, motor vehicle record, public record, prior employment verification, and criminal background checks. Results of the background check are individually reviewed based upon legal requirements imposed by our regulators and with consideration of the nature and gravity of the background history and the job offered. Any offer of employment will include further information.

Awards We've Received

  • 2023: Glassdoor Best Place to Work in Consulting, Finance & Insurance
  • 2025: Human Rights Campaign Corporate Equality Index 100 Award
  • 2026: Newsweek America's Most Charitable Company
  • 2025: The Banker's US Bank of the Year
  • 2025: Dave Thomas Foundation’s Best Adoption-Friendly Workplace
  • 2024: Disability:IN Best Places to Work for Disability Inclusion
