About The Position

Are you interested in building capabilities that enable the organization with innovation, speed, agility, scalability and efficiency? The Global Technology team takes great pride in our culture where digital transformation is built into our DNA! When you join our organization at Prudential, you’ll unlock an exciting and impactful career – all while growing your skills and advancing your profession at one of the world’s leading financial services institutions.

Your Team & Role

As a Director, Infrastructure Security Engineer for Identity Governance and Administration, you will serve as a hands-on technical expert responsible for the architecture, delivery, and day-to-day operations of our security infrastructure platforms spanning Privileged Access Management (PAM), Secrets Management, and Public Key Infrastructure (PKI). You will specialize in one of these domains while contributing across the others, designing, building, operating, and continuously improving these critical platforms alongside product owners, tech leads, and engineering teams.

This role is for a highly skilled engineer who thrives on solving complex technical challenges and brings strong product knowledge in CyberArk Privileged Cloud, HashiCorp Vault, or Keyfactor Command and EJBCA. You will drive automation, integrations, and operational excellence while ensuring all solutions meet Information Security Standards and regulatory requirements.

Requirements

  • 10+ years of experience in infrastructure or security engineering, with 5+ years focused on PAM, secrets management, or PKI platforms
  • Bachelor’s degree in Computer Science, Engineering, or related field, or equivalent hands-on experience
  • Ability to work independently with minimal guidance — a hands-on practitioner who can architect, operate, and troubleshoot platforms end-to-end
  • Strong problem-solving, communication, and collaboration skills with the ability to influence technical direction across teams
  • Understanding of risk management, compliance frameworks, and business context needed to make sound technical decisions aligned to the company's security posture
  • Strong expertise with CyberArk Privileged Cloud — Vault, CPM, PSM, PVWA, and REST/SCIM-based provisioning and automation
  • Privileged account lifecycle management including discovery, onboarding, automated rotation, and decommissioning
  • Just-in-Time (JIT) access, session recording, and privileged session management capabilities
  • PAM integrations with Active Directory/LDAP, SIEM platforms (Splunk), ServiceNow, and ITSM workflows
  • Strong expertise with HashiCorp Vault — cluster architecture, HA/DR replication, secrets engines, auth methods, and Vault Agent
  • Vault policy authoring, token lifecycle management, lease management, and automated secrets rotation
  • HashiCorp Vault Enterprise features: namespaces, performance replication, HSM auto-unseal, and replication topology design
  • Secrets injection patterns for containerized workloads: Vault Agent Injector, CSI secrets provider, and Vault Secrets Operator for Kubernetes
  • Experience with Keyfactor Command — including CA management, certificate templates, enrollment profiles, ACME/SCEP/EST, REST API integrations, and reporting
  • Experience with EJBCA — CA hierarchy design, end-entity profiles, certificate profiles, RA operations, and REST API integration
  • PKI lifecycle management: certificate issuance, renewal, revocation, CRL/OCSP, and key escrow/recovery workflows
  • Certificate automation and DevOps PKI integration (ACME, cert-manager, Keyfactor integrations with Kubernetes and CI/CD pipelines)
  • HSM (Hardware Security Module) integration
  • Microsoft ADCS administration and/or migration experience to enterprise CA platforms
  • Linux/Unix: file permissions, systemd services, network configuration, process management, and hardening for security platform components
  • Windows Server: Active Directory, Group Policy, Windows Certificate Services, and PowerShell administration
  • Containers: Kubernetes and container runtimes — deploying and operating security platform components in containerized environments
  • Networking: TCP/IP, TLS/mTLS, DNS, load balancing, firewall rules, and proxy configurations for PAM/Vault/PKI
  • Cloud: AWS and/or Azure — cloud IAM integrations with Vault and CyberArk, cloud-native secrets management, and PKI for cloud workloads
  • Python and Shell/Bash/PowerShell scripting for platform automation, REST API integration, and operational tooling
  • Ansible and Terraform for infrastructure-as-code, configuration management, and platform provisioning
  • REST API consumption and development — building integrations between PAM, Vault, PKI, and enterprise systems
  • CI/CD integration (Jenkins, GitLab CI, GitHub Actions) for secrets management pipelines and certificate lifecycle automation
  • Identity, authentication, authorization, and zero-trust architecture principles
  • Audit and compliance (PCI-DSS, SOX, and regulatory) — controls definition, evidence collection, and remediation for PAM, PKI, and Secrets Management findings
  • Infrastructure & Cloud Security best practices including DevSecOps and secure SDLC

Responsibilities

  • Administer and mature CyberArk Privileged Cloud — onboarding privileged accounts, configuring CPM/PSM/PVWA components, building safe structures, defining connectors, and integrating with enterprise identity and SIEM platforms
  • Architect, deploy, and operate HashiCorp Vault clusters — managing secrets engines (KV, PKI, database, AWS/Azure), auth methods (LDAP, AppRole, Kubernetes), policies, leases, and DR/replication configurations
  • Design, implement, and operate PKI platforms including Keyfactor Command and EJBCA — managing certificate authorities, certificate lifecycle automation, enrollment profiles, and integrations with enterprise systems
  • Build and maintain automation using Python, Go, Ansible, Terraform, and REST APIs to streamline platform operations, integrations, and self-service workflows
  • Develop and document platform patterns, runbooks, and self-service capabilities that enable application teams to consume PAM, Secrets Management, and PKI services consistently and at scale
  • Ensure platform security throughout the product lifecycle — integrating new features, responding to vulnerability disclosures, applying patches, and validating configurations against security baselines
  • Support audit and compliance engagements (PCI-DSS, SOX, and regulatory) by defining controls, producing evidence, and driving remediation for PAM, Secrets Management, and PKI findings
  • Collaborate with product owners and tech leads to define feature stories and technical design, and to deliver robust, high-impact solutions

Benefits

  • Market competitive base salaries, with a yearly bonus potential at every level.
  • Medical, dental, vision, life insurance, disability insurance, Paid Time Off (PTO), and leaves of absence, such as parental and military leave.
  • 401(k) plan with company match (up to 4%).
  • Company-funded pension plan.
  • Wellness Programs including up to $1,600 a year for reimbursement of items purchased to support personal wellbeing needs.
  • Work/Life Resources to help support topics such as parenting, housing, senior care, finances, pets, legal matters, education, emotional and mental health, and career development.
  • Education Benefit to help finance traditional college enrollment toward obtaining an approved degree and many accredited certificate programs.
  • Employee Stock Purchase Plan: Shares can be purchased at 85% of the lower of two prices (Beginning or End of the purchase period), after one year of service.