Lead PKI & Encryption Services Engineer
Santa Ana, California
Who We Are
Join a team that puts its People First! Since 1889, First American (NYSE: FAF) has held an unwavering belief in its people. They are passionate about what they do, and we are equally passionate about fostering an environment where all feel welcome, supported, and empowered to be innovative and reach their full potential. Our inclusive, people-first culture has earned our company numerous accolades, including being named to the Fortune 100 Best Companies to Work For® list for ten consecutive years. We have also earned awards as a best place to work for women, diversity and LGBTQ+ employees, and have been included on more than 50 regional best places to work lists. First American will always strive to be a great place to work, for all. For more information, please visit www.careers.firstam.com.
What We Do
In this position you will play a critical role in ensuring the security and integrity of digital communications within the First American organization. This position will be responsible for managing the full lifecycle of digital certificates, including issuance, renewal, and revocation. This role also blends expertise in cryptography with practical skills in systems engineering, application integration, data security, and network security.
What You'll Do
- Design, develop, and deploy encryption solutions across various platforms (e.g., cloud, on-premises, mobile).
- Integrate encryption key management services into existing infrastructure to safeguard data at rest, in transit, and in use.
- Work closely with product and security teams to tailor encryption solutions for specific business needs.
- Develop and manage secure key generation, distribution, storage, and rotation processes, as well as quorum approvals.
- Automate key lifecycle management to enhance operational efficiency and security.
- Integrate encryption modules with APIs, databases, file storage systems, and communication protocols.
- Conduct rigorous unit, integration, and end-to-end testing to verify encryption strength and system resilience.
- Work alongside quality assurance teams to ensure encryption solutions perform as expected under various conditions.
- Stay abreast of the latest encryption methodologies, tools, and vulnerabilities, including post-quantum cryptography.
- Evaluate and recommend new technologies that can enhance encryption effectiveness or reduce performance overhead.
- Investigate and remediate encryption-related issues in collaboration with IT teams and incident response teams.
- Analyze logs and system behaviors to detect cryptographic anomalies or breaches.
- Develop mitigation strategies and improve systems based on lessons learned from security incidents.
- Responsible for creating and managing the Public Key Infrastructure for a company.
- Responsible for the safe generation and distribution of cryptographic keys as well as digital certificates.
- Responsible for managing PKI infrastructure, Certificate Authority (CA), Hardware Security Modules (HSM), and KMS systems.
- Working knowledge of industry best practices and relevant standards and requirements (i.e. NIST 800-53, 800-57, 800-130, RFCs 2560, 3647, 5280, 8555, and CA/B Forum Requirements).
- Ability to communicate clearly and effectively influence and instill confidence with key partners (e.g. PMs, engineers, developers).
- Ability to use OpenSSL or other similar utilities to view certificates, CRLs, and OCSP responses.
- Experience in integrating digital certificates with applications and services.
- Streamline & drive global adoption of our PKI and encryption services.
- Work towards continual improvement in engineering and operations in our PKI and key management environments with a focus on security, simplicity, and stability.
- Integrate PKI and encryption services with various applications and systems for secure communication, authentication, and data protection.
- Troubleshoot and resolve complex issues related to certificate errors, authentication failures, and system performance.
- Monitor and maintain the security of the platforms and infrastructure, ensuring compliance with industry regulations and best practices.
- Manage the lifecycle of digital certificates, including issuance, renewal, revocation, and key rotation.
- Works in close coordination with the System and Business Process Analysts to understand and interpret certificate and key management requirements per application & initiative.
- Identifies problems, researches alternatives, prepares presentations, drives solutions, tests to confirm, gains consensus, and implements solutions for multiple processes within multiple functions.
- Creates reports; researches and analyzes data; reports trends and vital information to management/business partners.
- Required to perform duties outside of normal work hours based on business needs.
- No formal responsibility for the supervision of others but may provide mentorship, functional advice, or training to less experienced team members
- May instruct, direct, and assign work to other team members, monitoring project status
- Act as a team leader for projects with moderate budgets or short to intermediate duration
- Works independently with supervisory consultation
- Sets objectives for project goals and other team members and monitors progress to achieve goals.
- Devises or modifies department processes and procedures.
What You'll Bring
Knowledge and Skills:
- Preferred: BS/BA in Computer Science or relevant education
- 7+ years of experience working with highly scalable enterprise software, consisting of (5+) years of proven experience working with commercial PKI products for a sizeable enterprise (preferably 5,000+ employees/Identities), cloud native key management systems, and other cryptographic systems and solutions.
- CISSP, ISSEP, ISSAP, or other relevant industry certifications preferred
- Strong ability to negotiate, persuade and gain consensus from cross functional team(s)
- Uses PKI and cryptography skills as a seasoned, experienced professional with extensive knowledge base of industry practices and established policies and procedures
Technical Expertise:
- Hands-on engineering experience and understanding of components and technologies of various platforms, such as Azure KeyVault, AWS KMS, Venafi, Fortanix, CipherTrust, ServiceNow, etc.
- Experience in implementing Identity and Access Management, PKI, and KMS technologies and/or processes required.
- Experience in product evaluation and managing vendor relationships required.
- Strong background in cryptographic operations, algorithms, protocols, and key management systems.
- Experience with encryption libraries (e.g., OpenSSL, Bouncy Castle) and understanding of their proper deployment.
Systems and Network Security:
- In-depth understanding of network security protocols and secure architecture design.
- Knowledge of secure software development practices and vulnerability management.
- Experience with cloud security concepts, automation, and encryption as a service (e.g., AWS KMS, Azure Key Vault). Ability to articulate multiple encryption key management implementation models.
Regulatory and Compliance Knowledge:
- Familiarity with industry standards and legal requirements related to data encryption and privacy.
- Ability to translate regulatory mandates into technical specifications and implementations.
Problem-Solving and Analytical Skills:
- Strong analytical skills to diagnose and resolve complex encryption-related issues.
- Experience in performance tuning encryption systems to balance security, efficiency, and scalability.
- Strong understanding of PKI technologies including Certificate Authority systems (Venafi) and Key Mgmt (Fortanix).
- Ability to troubleshoot application level or client-side encryption issues.
- Solid understanding of scripting and programming languages as well as software development methodologies
- Solid communication and documentation skills
- Excellent interpersonal, relationship-building and teamwork skills
- Ability to work in a team environment and to contribute to multiple projects at once.
Salary Range: $126,100.00 - $168,10.00
This hiring range is a reasonable estimate of the base pay range for this position at the time of posting. Pay is based on a number of factors which may include job-related knowledge, skills, experience, business requirements and geographic location.
What We Offer
By choice, we don’t simply accept individuality – we embrace it, we support it, and we thrive on it! Our People First Culture celebrates diversity, equity and inclusion not simply because it’s the right thing to do, but also because it’s the key to our success. We are proud to foster an authentic and inclusive workplace For All. You are free and encouraged to bring your entire, unique self to work. First American is an equal opportunity employer in every sense of the term.
Based on eligibility, First American offers a comprehensive benefits package including medical, dental, vision, 401k, PTO/paid sick leave and other great benefits like an employee stock purchase plan.