
As Leader of Security Engineering, you will set the technical direction and execution for Keyrock’s security engineering program—building secure-by-design cloud foundations, developer "paved roads," and cryptographic/key-management controls appropriate for a high-availability trading environment.
This is a hands-on leadership role. Deep knowledge of AWS and AWS Key Management Service (KMS)—including key policies, grants, cross-account patterns, and rotation—is essential.
What you’ll do
Security engineering leadership
- Lead and grow a high-performing security engineering team (cloud, platform, application security), setting roadmap, standards, and measurable outcomes.
- Establish engineering patterns that balance speed and control (secure defaults, automation-first, self-service guardrails).
AWS cloud security architecture
- Own cloud security architecture for AWS: landing zone patterns, multi-account strategy, network segmentation, identity and access design, logging/telemetry baselines, and infrastructure hardening.
- Build preventative controls using infrastructure-as-code and policy-as-code; drive adoption across engineering teams.
Encryption and key management (KMS is core)
- Own the enterprise encryption program in AWS, including KMS key policy design and governance (least privilege, separation of duties, break-glass, auditable admin/use roles).
- Define safe grant usage patterns and operational best practices for AWS services and applications.
- Own key lifecycle management: rotation strategy, aliasing/migration patterns, and recovery considerations.
- Design cross-account and multi-account access patterns and controls aligned to Keyrock's cloud operating model.
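The key policy controls listed above (least privilege, admin/use separation of duties, a break-glass path, grants constrained to AWS services, scoped cross-account access) can be checked mechanically before a policy is applied. The following is an added example, not code from the posting or from Keyrock: a small Python linter for a KMS key policy document, run against a constructed sample policy. The account IDs, role names and statement IDs are hypothetical; the statement shapes and the condition keys kms:GrantIsForAWSResource, kms:ViaService and aws:MultiFactorAuthPresent are the ones used in AWS's default key policy template and IAM condition reference.

```python
# Lint an AWS KMS key policy for least privilege and separation of duties.
# Added example, not Keyrock's code; the account IDs, role names and statement
# IDs in SAMPLE_POLICY below are constructed for illustration.

# Actions that administer the key (policy, lifecycle, aliases) versus actions that
# use its key material; one principal holding both defeats separation of duties.
ADMIN_ACTIONS = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                 "kms:DisableKey", "kms:EnableKey", "kms:EnableKeyRotation",
                 "kms:DisableKeyRotation", "kms:UpdateAlias", "kms:DeleteAlias"}
USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
               "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
               "kms:GenerateDataKeyPair", "kms:Sign", "kms:Verify"}
# Key users may hold grant actions only for grants that AWS services create on
# their behalf, i.e. under the kms:GrantIsForAWSResource condition key.
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant", "kms:RetireGrant"}
KNOWN_ACTIONS = ADMIN_ACTIONS | USE_ACTIONS | GRANT_ACTIONS

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principals(stmt):
    """Principals named by a statement; a bare '*' means any AWS identity."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else [p for v in principal.values() for p in _as_list(v)]

def _account_of(principal):
    """Account ID from an ARN principal (fifth colon-separated field); '*' stays '*'."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def _expand_actions(stmt):
    """Expand patterns such as kms:* or kms:Generate* against the known actions."""
    expanded = set()
    for pattern in _as_list(stmt.get("Action")):
        prefix = pattern[:-1] if pattern.endswith("*") else None
        expanded |= {a for a in KNOWN_ACTIONS
                     if a == pattern or (prefix is not None and a.startswith(prefix))}
    return expanded

def _condition_keys(stmt):
    """Condition keys used anywhere in the statement's Condition block."""
    return {key for operator in stmt.get("Condition", {}).values() for key in operator}

def lint_key_policy(policy, key_account):
    """Return findings for a key policy owned by key_account; [] means it passed."""
    findings, held = [], {}  # held: principal -> every action allowed to it
    root = f"arn:aws:iam::{key_account}:root"
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions, cond_keys = _expand_actions(stmt), _condition_keys(stmt)
        for principal in _principals(stmt):
            if principal == root:  # default statement enabling IAM policies in the
                continue           # key's own account; review those policies instead
            account = _account_of(principal)
            if account != key_account and actions & ADMIN_ACTIONS:
                findings.append(f"{sid}: external principal {principal} holds admin actions")
            if account != key_account and not cond_keys:
                findings.append(f"{sid}: access for external {principal} has no Condition")
            if ("kms:CreateGrant" in actions and actions & USE_ACTIONS
                    and "kms:GrantIsForAWSResource" not in cond_keys):
                findings.append(f"{sid}: key user may create unconstrained grants")
            held.setdefault(principal, set()).update(actions)
    for principal, actions in held.items():
        if actions & ADMIN_ACTIONS and actions & USE_ACTIONS:
            findings.append(f"{principal}: holds both admin and use actions (separation of duties)")
    return findings

def _stmt(sid, principal, actions, condition=None):
    """Build one Allow statement; Resource is always '*' inside a key policy."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principal},
            "Action": actions, "Resource": "*"}
    return {**stmt, "Condition": condition} if condition else stmt

ACCOUNT = "111122223333"  # constructed: the account that owns the key
ROLE = f"arn:aws:iam::{ACCOUNT}:role/"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("EnableIAMPolicies", f"arn:aws:iam::{ACCOUNT}:root", "kms:*"),
    _stmt("KeyAdmins", ROLE + "KmsKeyAdmin",  # administer the key, never use it
          ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
           "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]),
    _stmt("BreakGlass", ROLE + "KmsBreakGlass",  # recovery path, gated on MFA
          ["kms:Put*", "kms:Enable*", "kms:CancelKeyDeletion"],
          {"Bool": {"aws:MultiFactorAuthPresent": "true"}}),
    _stmt("KeyUsers", ROLE + "TradingAppRole",  # use the key, never administer it
          ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"]),
    _stmt("KeyUserGrants", ROLE + "TradingAppRole",  # grants only via AWS services
          ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
          {"Bool": {"kms:GrantIsForAWSResource": "true"}}),
    _stmt("CrossAccountS3", "arn:aws:iam::444455556666:role/ReportingRole",
          ["kms:Decrypt", "kms:DescribeKey"],  # external use, pinned to one service
          {"StringEquals": {"kms:ViaService": "s3.eu-west-1.amazonaws.com"}}),
    # Deliberate mistakes the linter should report:
    _stmt("BatchJob", ROLE + "BatchJobRole", ["kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant"]),
    _stmt("PartnerDecrypt", "arn:aws:iam::777788889999:role/PartnerRole", "kms:Decrypt"),
    _stmt("DevFullAccess", ROLE + "DevRole", "kms:*"),
]}

if __name__ == "__main__":
    print("\n".join(lint_key_policy(SAMPLE_POLICY, ACCOUNT)))
```

Run against the sample, the linter reports four findings: the batch role that can create grants without the kms:GrantIsForAWSResource condition, the partner account granted Decrypt with no Condition, the developer role that can both administer and use the key, and the same role flagged again for unconstrained grants. The first six statements alone pass clean. The root statement is skipped deliberately: it is the documented default that lets IAM policies in the owning account grant access, and dropping it without another admin path can leave the key unmanageable, so the IAM side needs its own review rather than a key-policy finding. Checks for the alias and rotation settings live on the key itself (DescribeKey, GetKeyRotationStatus, ListAliases), not in the policy document, so they are out of scope for a policy linter.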
Secure SDLC and product security
- Embed security into the SDLC: threat modeling, secure coding guidance, code scanning, dependency controls, build-time checks, and release gates.
- Partner with Platform Engineering to harden runtime environments (containers, Linux, CI/CD runners, secrets management, service-to-service authentication).
Operational partnership (without owning SecOps)
- Partner with Security Operations to ensure engineering-driven outcomes: high-signal detections, incident response tooling readiness, forensic logging, and secure configurations that reduce blast radius.
What we’re looking for
Required
- 8+ years in security engineering (cloud, platform, and/or product security), with 3+ years leading teams or leading org-wide technical programs.
- Expert-level experience securing production AWS environments (multi-account, high availability).
- Deep AWS KMS expertise: key policies, grants, rotation, and cross-account usage patterns.
- Strong working knowledge of IAM, identity design, and least-privilege access controls in cloud environments.
- Proven ability to build security automation (infrastructure-as-code, CI/CD integration, policy enforcement, developer enablement).
- Clear communication skills: able to write standards and runbooks and to influence senior engineers and executives.
Nice to have
- Experience in trading, fintech, crypto, or other 24x7 and/or low-latency production environments.
- Experience building paved-road platforms (golden pipelines, secure templates, internal developer platforms).
- Familiarity with cloud security tooling ecosystems (CSPM/CIEM, vulnerability management, SAST/DAST, secrets tooling).