Principal Cryptographic Security Engineer at Citizens Bank

Johnston, Rhode Island, United States -

Full Time

Start Date

Immediate

Expiry Date

20 Jul, 26

Salary

175000.0

Posted On

21 Apr, 26

Experience

10 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

Skills

Cryptography, PKI, TLS, Certificate lifecycle management, Cloud key management, AWS KMS, Azure Key Vault, Hardware Security Modules, Venafi, CyberArk, ServiceNow, Python, PowerShell, Post-quantum cryptography, Security engineering, API integration

Industry

Financial Services

Description

Principal Cryptographic Security Engineer The Principal Cryptographic Security Engineer is a hands‑on technical leader responsible for designing, operating, and evolving the organization’s cryptographic platforms with a strong emphasis on operational resilience, automation, and risk reduction. This role sits at the intersection of Cryptography, PKI, Certificate Lifecycle Management, cloud KMS, automation, and incident prevention. The Cryptographic Engineering team must manage run‑the‑platform responsibility with build‑the‑future engineering, ensuring the enterprise’s cryptographic controls are stable today and adaptable to emerging threats such as post‑quantum cryptography (PQC). Key Responsibilities Cryptographic Engineering & Architecture * Design and evolve enterprise cryptographic architectures across: * Public Key Infrastructure (PKI) * TLS / certificate lifecycle management * Cloud key management (AWS KMS, Azure Key Vault) * Hardware Security Modules (HSM’s, Thales) * Serve as a subject‑matter expert for: * Cryptographic algorithms, protocols, and key management practices * Certificate chains, trust models, and lifecycle controls * Provide senior technical oversight for cryptographic operations, including: * Certificate issuance, renewal, validation, and incident response * Key rotation events (including CMKs managed via external HSM/KMS platforms) * Emergency response to cryptographic outages or trust failures * Act as an escalation point for complex cryptographic incidents where failure would cause production impact. * Design and implement automation that reduces manual cryptographic work, including: * Certificate discovery, ownership inference, and lifecycle automation * Integration with ServiceNow for workflow, ownership routing, and change enablement * API‑driven automation with platforms such as Venafi, CyberArk, Wiz, ServiceNow, AWS, Openshift Cert-Manager. * Lead the organization’s PQC strategy and preparedness, including: * Inventorying quantum‑vulnerable cryptography * Defining crypto‑agility requirements * Evaluating hybrid TLS and PQC migration paths * Translate evolving standards (NIST PQC, CNSA 2.0, industry guidance) into practical, staged engineering plans that do not destabilize production systems. * Collaborate closely with cryptographic assurance and QA functions to: * Validate correctness of cryptographic deployments * Review high‑risk changes * Assess and document exceptions and compensating controls * Support audits and regulatory reviews by: * Explaining cryptographic controls and operating models * Demonstrating risk‑based decision‑making * 8+ years of experience in cryptographic systems, PKI, or security engineering * Experience designing, implementing or supporting a large enterprise certificate management program. * Deep practical knowledge of: * TLS, X.509 certificates, trust chains, and lifecycle management * Cryptographic key management and HSM platforms * At least one major cloud provider’s encryption ecosystem (AWS and/or Azure) * Tools & Platforms (hands‑on experience) * Venafi (TLS Protect / Trust Protection Platform or equivalent) * Thales CipherTrust / HSM platforms (or comparable) * ServiceNow CMDB, workflow, or task routing for security operations * Scripting or automation using Python, PowerShell, or similar languages * API‑based integration and automation * Nice‑to‑Have Experience * Experience with post‑quantum cryptography planning or trials * Exposure to CBOM / cryptographic inventory efforts * Financial services or other highly regulated environments * Prior experience balancing platform operations and engineering roles Education and Certifications * A bachelor’s or master’s degree in Computer Science, Computer Engineering, Cryptography, Mathematics, or a related field. * Preferred Certifications: GIAC (GCED), CISSP, CCSP, CISM, AWS Certified Security, or relevant certification. Pay Transparency The salary range for this position is $145,000 - $175,000, plus an opportunity to earn an annual discretionary bonus. Actual pay is based on various factors including but not limited to the work location, and relevant skills and experience. We offer competitive pay, comprehensive medical, dental and vision coverage, retirement benefits, maternity/paternity leave, flexible work arrangements, education reimbursement, wellness programs and more. Note, Citizens’ paid time off policy exceeds the mandatory, paid sick or paid time-away policy of every local and state jurisdiction in the United States. For an overview of our benefits, visit https://jobs.citizensbank.com/benefits [https://jobs.citizensbank.com/benefits] . Equal Employment Opportunity Citizens, its parent, subsidiaries, and related companies (Citizens) provide equal employment and advancement opportunities to all colleagues and applicants for employment without regard to age, ancestry, color, citizenship, physical or mental disability, perceived disability or history or record of a disability, ethnicity, gender, gender identity or expression, genetic information, genetic characteristic, marital or domestic partner status, victim of domestic violence, family status/parenthood, medical condition, military or veteran status, national origin, pregnancy/childbirth/lactation, colleague’s or a dependent’s reproductive health decision making, race, religion, sex, sexual orientation, or any other category protected by federal, state and/or local laws. At Citizens, we are committed to fostering an inclusive culture that enables all colleagues to bring their best selves to work every day and everyone is expected to be treated with respect and professionalism. Employment decisions are based solely on merit, qualifications, performance and capability. Equal Employment and Opportunity Employer Job Applicant Data Privacy Policy [https://jobs.citizensbank.com/Job-Applicant-Privacy-Policy] Background Check Any offer of employment is conditioned upon the candidate successfully passing a background check, which may include initial credit, motor vehicle record, public record, prior employment verification, and criminal background checks. Results of the background check are individually reviewed based upon legal requirements imposed by our regulators and with consideration of the nature and gravity of the background history and the job offered. Any offer of employment will include further information.

Responsibilities

The Principal Cryptographic Security Engineer designs and evolves enterprise cryptographic architectures, including PKI, TLS, and cloud key management. They also lead the organization's post-quantum cryptography strategy and provide technical oversight for cryptographic operations and incident response.