PKI Architect for Certificate Management
LSEG (London Stock Exchange)
Posted: March 31, 2026
Quick Summary
The PKI Architect for Certificate Management is responsible for designing and governing the enterprise trust architecture across private and public Certificate Authorities, ensuring compliance with industry standards and regulations.
Job Description
The PKI Architect (Global, Hybrid, Multi-CA) will be responsible for defining and governing the enterprise trust architecture across private and public Certificate Authorities within a hybrid environment. The role will provide architectural direction and oversight by establishing CA-agnostic policies, certificate profiles, cryptographic standards, and decision frameworks supporting Machine Identity, code signing, and certificate-based trust across on-premises, Azure, AWS, and SaaS platforms (and other technologies and services as required). The architect will also define the organization’s Certificate Lifecycle Management (CLM) operating model to ensure consistent controls for discovery, issuance, renewal, revocation, and compliance at global scale, while enabling audit readiness, risk reduction, and long-term crypto agility, including the development and delivery of the strategy for post-quantum computing.
Key Responsibilities
· Defining the enterprise PKI reference architecture and trust model across ADCS and public CAs (DigiCert/Sectigo), including trust boundaries, CA roles, and chain strategy for hybrid environments.
· Owning global standards for certificate profiles/templates, naming/identity conventions, algorithms/key sizes, key management, cryptographic protocols, lifetimes, revocation requirements, and crypto-agility.
· Establishing governance for CLM policy enforcement: onboarding standards, approval models, exception handling, integration guardrails, and lifecycle controls independent of CA backend.
· Defining Machine Identity patterns for service-to-service trust (identity binding, issuance sources, rotation SLAs, trust distribution, and validation rules) across on-prem and cloud workloads.
· Defining the code signing architecture and governance: certificate sourcing, key protection requirements (e.g., HSM/controlled custody), signing workflow controls, timestamping standards, separation of duties, and audit evidence.
· Defining routing rules by use case (internal TLS, external TLS, Machine Identity, code signing, SaaS integrations) and establishing decision criteria, ownership, and escalation paths.
· Setting standards for trust anchor management and distribution across endpoints, servers, cloud services, and SaaS, including rollout/rollback strategy and lifecycle change governance.
· Leading risk assessments and defining controls for mis-issuance, key compromise, revocation failures, and trust-chain outages.
· Maintaining emergency replacement/revocation playbooks.
· Leading PKI design reviews, approving new use cases and deviations, maintaining decision records, and managing an exception register with compensating controls.
Qualifications
· 8+ years in cybersecurity/IT architecture, including 5+ years specializing in PKI, certificate trust, and cryptographic governance at enterprise scale.
· Bachelor’s degree in technology (Computer Science, Computer Engineering, etc.).
· Proven experience defining and governing a hybrid, multi-CA strategy (e.g., ADCS + public CAs such as DigiCert/Sectigo), including a clear CA selection and use-case allocation strategy and enterprise lifecycle standards.
· Strong governance ownership: CP/CPS (or equivalent policy suite), certificate profiles/templates, crypto standards (algorithms, key sizes, lifetimes), identity/naming conventions, and exception frameworks.
· Experience governing Certificate Lifecycle Management (CLM) controls and operating model (discovery, issuance, renewal, revocation, compliance).
· Deep knowledge of TLS/Machine Identity architectures (service identity, issuance/rotation standards, validation rules, trust distribution) across hybrid environments.
· Code signing governance experience (workflow controls, key custody/protection requirements, timestamping, separation of duties, auditability).
· Cloud trust architecture exposure across Azure and AWS, including certificate deployment/rotation patterns and SaaS integration considerations.
· Demonstrated ability to lead global architecture governance (standards adoption across regions, design reviews, stakeholder alignment, executive communication).
· Experience establishing CA allocation and certificate sourcing standards across internal and external trust use cases (e.g., internal TLS vs external TLS, Machine Identity, code signing, SaaS integrations).
· Trust store governance at scale (enterprise endpoints/servers/cloud/SaaS), including controlled rollout and rollback planning.
· Familiarity with OCSP/CRL architectural considerations and global resiliency requirements (availability/performance/distribution).
· Experience supporting regulated/audited environments (e.g., ISO 27001, SOC 2, PCI DSS) with evidence-based control design.
· Exposure to modern workload platforms (containers/Kubernetes/service mesh concepts) from an architecture and standards perspective.
· Vendor governance experience: defining requirements, SLAs/KPIs, roadmap alignment, and multi-provider management.
Certifications (Nice to have)
- Security Certifications (CISM, CISSP, CISA, CRISC, ITIL, PMP)
- Azure/AWS architecture or cloud security certifications
- PKI/CLM platform training and/or public CA program familiarity
- Applied cryptography or key management coursework/certifications
Career Stage:
Senior Associate
London Stock Exchange Group (LSEG) Information:
Join us and be part of a team that values innovation, quality, and continuous improvement. If you're ready to take your career to the next level and make a significant impact, we'd love to hear from you.
LSEG is a leading global financial markets infrastructure and data provider. Our purpose is driving financial stability, empowering economies and enabling customers to create sustainable growth.
Our purpose is the foundation on which our culture is built. Our values of Integrity, Partnership, Excellence and Change underpin our purpose and set the standard for everything we do, every day. They go to the heart of who we are and guide our decision making and everyday actions.
Working with us means that you will be part of a dynamic organisation of 25,000 people across 65 countries. However, we will value your individuality and enable you to bring your true self to work so you can help enrich our diverse workforce.
We are proud to be an equal opportunities employer. This means that we do not discriminate on the basis of anyone’s race, religion, colour, national origin, gender, sexual orientation, gender identity, gender expression, age, marital status, veteran status, pregnancy or disability, or any other basis protected under applicable law. Conforming with applicable law, we can reasonably accommodate applicants' and employees' religious practices and beliefs, as well as mental health or physical disability needs.
You will be part of a collaborative and creative culture where we encourage new ideas. We are committed to sustainability across our global business and we are proud to partner with our customers to help them meet their sustainability objectives. Our charity, the LSEG Foundation, provides charitable grants to community groups that help people access economic opportunities and build a secure future with financial independence. Colleagues can get involved through fundraising and volunteering.
LSEG offers a range of tailored benefits and support, including healthcare, retirement planning, paid volunteering days and wellbeing initiatives.
Please take a moment to read this privacy notice carefully, as it describes what personal information London Stock Exchange Group (LSEG) (we) may hold about you, what it’s used for, and how it’s obtained, your rights and how to contact us as a data subject.
If you are submitting as a Recruitment Agency Partner, it is essential and your responsibility to ensure that candidates applying to LSEG are aware of this privacy notice.