Lead Systems Engineer, Secrets and Vault Engineering
ICE · New York, NY · Yesterday
On-siteEngineering$149k–$180k/yrFull-time
Job Purpose
The Lead Systems Engineer joins our Secrets and Vault Engineering team within Identity and Access Management. The team is responsible for the platforms and services that protect secrets, certificates, encryption keys, and machine identity across the enterprise.
Responsibilities
- Design, build, and maintain platform services for secrets management, certificate lifecycle, encryption key management, and policy enforcement.
- Develop automation and tooling in Python and Ansible to streamline operations, enforce security controls, and reduce manual provisioning effort.
- Contribute to a self-service model for application teams, including golden-pattern templates, declarative manifests, and approval workflows integrated with enterprise systems such as ServiceNow.
- Collaborate with cross-functional teams (application, infrastructure, security, compliance) to translate requirements into reliable, well-governed services.
- Help shape the team's roadmap in emerging areas including workload identity (SPIFFE/SPIRE), policy-as-code, and identity controls for AI and machine-driven workloads.
- Participate in code reviews, design reviews, and architecture discussions; mentor and coach engineers earlier in their career.
- Contribute to internal documentation, runbooks, and knowledge-sharing.
- Participate in a light on-call rotation supporting the team's services.
Knowledge And Experience
- 7+ years of infrastructure, platform, or systems engineering experience.
- Production experience with HashiCorp Vault — secret engines, authentication methods, policies, and operational concerns.
- Strong proficiency in Python and Shell scripting for automation and tooling.
- Experience with Ansible for configuration management and orchestration.
- Solid understanding of identity, authentication, and secure communication protocols (TLS, OAuth, OIDC, x.509).
- Working knowledge of CI/CD tooling (Jenkins, GitHub Actions, GitLab CI, or similar) and Infrastructure-as-Code (Terraform preferred).
- Experience designing and consuming RESTful APIs.
- Strong fundamentals in Linux systems.
- Demonstrated ability to write production-quality code, communicate design trade-offs clearly, and collaborate across teams.
Preferred Knowledge And Experience
- Bachelor's degree in Computer Science, Engineering, or related field.
- Experience building or contributing to a self-service Vault, secrets, or cryptography platform.
- Familiarity with SPIFFE/SPIRE or other workload identity frameworks.
- Familiarity with policy-as-code tooling such as Open Policy Agent (OPA) or HashiCorp Sentinel.
- Exposure to AI/ML infrastructure or interest in identity controls for AI and agentic workloads.
- Awareness of post-quantum cryptography standards (NIST PQC, hybrid key exchange) and their operational implications.
- Experience with cloud platforms (AWS, GCP, or hybrid environments) and cloud-native secrets services such as AWS Secrets Manager or KMS.
- Exposure to container platforms (Docker, Kubernetes, OpenShift).
- Understanding of threat modeling, secrets rotation, secret-zero patterns, and zero trust architectures.
- Experience in fintech, financial services, mortgage technology, or other regulated and security-sensitive domains.
New York Base Salary Range
The expected base salary for this role, if located in New York, is between $149,400 - 180,000 USD. The base salary range does not include Intercontinental Exchange’s incentive compensation. While we provide this range as general guidance, at ICE we compensate employees based on the skillset and experience of the individual.