Security Solutions Principal - Cryptography, Key Management & Post-Quantum Readiness
Position Overview
We are seeking a highly experienced Principal Consultant specializing in enterprise cryptography, key management, and post-quantum readiness to lead strategic client engagements focused on cryptographic risk, encryption modernization, key lifecycle management, and quantum-resilient architecture.
Key Responsibilities
Client Advisory & Strategy
Advises executives and security leaders on cryptographic risk, key management strategy, quantum readiness, and long-term encryption posture
Leads cryptographic maturity evaluations, PQC readiness assessments, and key management capability reviews
Develops enterprise cryptographic roadmaps aligned to business risk, data classification, and regulatory drivers
Presents findings and recommendations to senior leadership and boards
Key Management & HSM Operations
Designs and assesses enterprise key management programs covering the full lifecycle: generation, distribution, rotation, revocation, escrow, and destruction
Architects HSM strategies including capacity planning, clustering/HA models, and FIPS 140-2/140-3 validation requirements
Evaluates and recommends HSM platforms (Thales Luna, Entrust nShield, Utimaco) and cloud-native options (AWS CloudHSM, Azure Managed HSM, GCP Cloud HSM)
Defines governance over key custodianship, separation of duties, and key ceremony procedures
Cryptographic Discovery & Inventory
Leads enterprise-wide cryptographic asset discovery across algorithms, certificates, keys, protocols, and encryption dependencies
Identifies “harvest now, decrypt later” exposure and prioritizes remediation based on data sensitivity and shelf life
Affords third-party and supply chain cryptographic dependencies including SaaS providers, payment processors, certificate authorities, and embedded systems
Develops cryptographic inventories that serve as the foundation for migration planning and risk quantification
PKI Architecture & Lifecycle
Provides guidance on automated enrollment protocols (ACME, SCEP, EST), certificate transparency, and private vs. public trust models
Leads PKI modernization efforts including migration from legacy Microsoft ADCS environments
Advises on code signing key management, firmware signing, and software supply chain integrity
Cryptographic Architecture & Engineering
Designs crypto-agility architectures supporting algorithm transitions, including hybrid key exchange implementations (e.g., ML-KEM combined with classical ECDH)
Defines and assesses enterprise encryption standards: approved algorithm suites, minimum key lengths, deprecation policies, and exception processes
Provides guidance on: TLS/IPsec/VPN modernization strategies, data-at-rest, data-in-transit, and data-in-use encryption controls, tokenization, format-preserving encryption, and data masking techniques
Supports integration of NIST-selected PQC algorithms into enterprise environments
Program Leadership
Leads multi-phase cryptographic transformation programs across key management, PKI, encryption, and PQC migration
Develops governance models for cryptographic lifecycle management
Establishes policies, standards, and crypto baselines
Develops risk-based migration strategies and prioritization models that account for data longevity versus quantum timeline estimates
Collaborates cross-functionally across security, networking, application development, DevOps, and compliance teams
Risk, Compliance & Standards Alignment
Aligns programs to: NIST guidance (PQC, SP 800-57, SP 800-131A, etc.), ISO 27001/27002 cryptographic controls, and regulatory expectations (financial services, healthcare, government)
Translates cryptographic risk into business and regulatory impact
Affords cryptographic compliance posture across third-party and supply chain dependencies
Thought Leadership
Contributes to whitepapers, research, and industry presentations
Supports client workshops, tabletop exercises, and executive briefings
Mentors consultants and client teams
Participates in industry working groups, standards bodies, or vendor advisory councils
Required Qualifications
10+ years in cybersecurity with deep focus on cryptography and encryption
Demonstrated expertise in: Enterprise key management lifecycle design and operations, HSM architecture, deployment, and FIPS validation requirements, PKI architecture, certificate lifecycle management, and trust models, Cryptographic protocols and algorithms (symmetric, asymmetric, hashing, digital signatures), Encryption architectures across data states (at-rest, in-transit, in-use) in cloud and hybrid environments
Strong understanding of Post-Quantum Cryptography concepts and enterprise migration challenges
Experience advising large enterprises and regulated industries
Exceptional communication and client-facing skills
Preferred Qualifications
Experience with PQC algorithm evaluation, testing, and hybrid cryptographic implementations
Familiarity with NIST PQC standardization outcomes and CNSA 2.0 migration timelines
Knowledge of crypto-agility frameworks
Experience with cloud KMS platforms (AWS KMS, Azure Key Vault, GCP Cloud KMS) and cloud HSM services
Hands-on experience with secrets management platforms (HashiCorp Vault, CyberArk Conjur, cloud-native secrets managers)
Experience with cloud KMS platforms (AWS, Azure, GCP)
Familiarity with HSM vendor platforms (Thales Luna, Entrust nShield, Utimaco) and their PQC firmware roadmaps
Relevant certifications (e.g., CISSP, CCSP, GSEC, or cryptography-focused credentials)
Master’s or PhD in cryptography, computer science, or related field