As a PKI & Secrets Security Architect in the Cybersecurity Architecture Center of Excellence, your responsibilities include a comprehensive review of the existing public key infrastructure and secrets management capabilities for on-premises, client, and cloud. You will also influence changes in existing control standards, create new IT security standards that are easily consumed by stakeholders, create specific security patterns & diagrams, and own the relevant 3-year capability roadmap. This role will be key in ensuring a Security-First mindset during DTCC’s technology modernization journey.
Position Summary
The primary focus areas for this position are the following:
- Produce security architecture deliverables as part of initiatives related to public key infrastructure (PKI) and secrets management.
- Proactively identify security gaps, propose solutions, and follow through with engineering teams for implementation.
- Be the subject matter expert for PKI and secrets management throughout the enterprise.
- Inspire team members and junior staff to contribute new ideas and alternative approaches.
Your Responsibilities
- Create and drive the internal and client PKI security capability roadmap within information technology & the respective IT stakeholders.
- Create and drive the secrets management capability roadmap within information technology & the respective IT stakeholders.
- Influence change of control policies with Technology Risk Management & build strong partnerships with IT Architecture & Application Development partners.
- Create IT security standards and drive best practices that are easily consumed by IT stakeholders.
- Own the enterprise-wide PKI architecture, including Hardware Security Modules (HSMs), Certificate Authorities (CAs), and Certificate Lifecycle Management (CLM).
- Proactively identify access management gaps and partner with app dev teams for remediation.
- Design processes and workflows for generating, rotating, and revoking certificates.
- Identify automation opportunities for certificate lifecycle.
- Act as the domain specialist to help guide and shape how certificate management services are enabled.
- Design new certificate management services, integrations, and technologies.
- Mentor junior security architects to enhance their security and architecture skills within the team.
- Maintain professional and technical process knowledge by keeping abreast of the changing security landscape within the technology industry and changes in cybersecurity frameworks.
- Create white papers and present at industry conferences to demonstrate thought leadership in the security field.
- Align risk and control processes into day-to-day responsibilities to monitor and mitigate risk; escalate appropriately.
Specific Skills & Technologies
- Strong Information Security experience, specifically in PKI/Cryptography (on-premises and cloud) & Secrets management.
- Solid working experience with certificate issuance ceremonies.
- In-depth knowledge of Certificate Lifecycle Management, including certificate revocation list (CRL) best practices.
- Working experience with 2+ vendors such as: Venafi, HashiCorp, Microsoft, Thales, Gemalto (SafeNet HSM), DigiCert, Hitachi (HiPAM).
- Experience in SSL certificate management concepts, processes, and solution management.
- Strong experience with Online Certificate Status Protocol (OCSP) infrastructure, Hardware Security Modules (HSM), CMS Enterprise, Venafi Trust Protection Platform, and Venafi TrustNet software suites.
- Experience in building Certificate Policy (CP) and Certificate Practice Statements (CPS).
- Solid experience with Python, networking fundamentals, OS (Windows/Linux) security.
- Experience with Information Security frameworks (e.g. ISO 27001 and NIST) & security architecture frameworks.
- Strong technical writing skills to support required documentation.
- Demonstrated ability to collaborate between product management, engineering, risk, and IT teams.
- Strong communication skills, with the ability to present in front of large audiences.
Skills: PKI, certificate management, SSL certificates