Security Engineer (Crypto)

We are seeking a highly skilled HSM Engineer/Cryptography SME to join our Cyber Security function within a Tier 1 financial institution. This role is critical in ensuring the confidentiality, integrity, and availability of cryptographic services that underpin the bank's most sensitive systems, including payments, authentication, cloud workloads, and data-at-rest protection.

As the bank's internal expert on Hardware Security Modules (HSMs), you will design, implement, operate, and improve cryptographic platforms and services that support enterprise-wide security controls. You will work closely with security architects, payments technology teams, cloud engineering, IAM, and application delivery teams to ensure secure key management practices and compliance with regulatory and audit requirements.

Key Responsibilities HSM Engineering & Operations

• Lead engineering, configuration, and life cycle management of enterprise HSM platforms (eg, Thales Luna, nCipher/nShield, PayShield, Utimaco, Entrust).

• Manage secure key creation, rotation, distribution, backup, and archival procedures in line with industry best practice and regulatory expectations.

• Oversee firmware upgrades, patching cycles, and platform resilience improvements.

• Operate and troubleshoot cryptographic hardware and associated services across on-prem and cloud environments.

• Support the design and implementation of HSM integrations with payment systems, authentication services, PKI, and internal business applications.

Cryptography Subject Matter Expertise

• Serve as the internal SME for cryptography, advising on algorithms, key lengths, FIPS certifications, and emerging standards (eg, PQC).

• Provide expert guidance on crypto use cases across the bank: TLS, tokenisation, digital signatures, securing APIs, data at rest, and cloud KMS/HSM integrations.

• Assess cryptographic risk and provide controls assurance to satisfy regulatory and audit expectations.

• Translate complex security requirements into engineering solutions suitable for banking-grade platforms.

Platform Design & Engineering

• Contribute to the technical roadmap for HSM and cryptographic services, ensuring scalability, resilience, and alignment with cloud transformation initiatives.

• Work with Architecture to define patterns, standards, and reusable components for secure key management.

• Develop automation and tooling to streamline key management processes and reduce operational overhead.

Governance, Compliance & Audit

• Ensure HSM processes comply with internal security policies, PCI DSS, FFIEC, SWIFT CSP, and other relevant banking regulatory frameworks.

• Maintain full auditability of key events, system access, and life cycle changes.

• Support internal and external audit engagements, providing evidence, walkthroughs, and control descriptions.

Stakeholder Collaboration

• Partner with payments, digital channels, cloud engineering, platform teams, SOC, and IAM to embed secure cryptographic practices.

• Support development teams with integrations, secure usage patterns, and troubleshooting guidance.

• Provide technical mentorship to junior engineers and security analysts.

Required Skills & Experience Technical Expertise

• Strong hands-on experience with enterprise HSMs such as:

  • Thales Luna (preferred)

  • nCipher/nShield

  • Thales PayShield or other payment HSMs

  • Utimaco, Entrust (advantageous)

• Deep understanding of key management life cycle, certificate management, and cryptographic operations.

• Expertise in symmetric, asymmetric, and elliptic-curve cryptography.

• Experience working with PKI, CA hierarchies, certificate authority tooling, and trust models.

• Experience integrating HSMs with:

  • Payments platforms (FPS, CHAPS, card issuing/acquiring)

  • Authentication/SSO services

  • Kubernetes, cloud workloads, API gateways, or web platforms

Software & Automation Skills

• Scripting experience (Python, Bash, PowerShell or similar).

• Knowledge of automation tooling and Infrastructure as Code (Terraform, Ansible) beneficial.

• Understanding of cloud cryptographic services (AWS KMS/CloudHSM, Azure Key Vault HSM, GCP KMS).

Professional & Industry Background

• Experience working in financial services, ideally Tier 1 banking or payments.

• Strong understanding of regulatory frameworks governing cryptographic controls.

• Experience working in highly controlled, audited, mission-critical environments.

Soft Skills

• Excellent communication skills with the ability to explain complex crypto concepts to both technical and non-technical stakeholders.

• Strong problem-solving mindset with the ability to work autonomously on complex engineering challenges.

• High attention to detail, particularly around operational discipline and audit evidence.

• Team player with a collaborative mindset and willingness to coach others.