ARCHIVED
This job listing has been archived and is no longer accepting applications.

Security Engineer

Keystone

Boston | Hybrid | Permanent

Posted: April 13, 2026

Quick Summary

We are seeking a Senior Security Engineer with a strong background in security architecture and a passion for collaboration, to join our team in Boston, MA.

Job Description

Keystone is a premier economics, technology, and strategy consulting firm built to help companies lead through transformation. As breakthrough innovations reshape industries, redefine competition, and change our society, complex and highly competitive ecosystems emerge. Keystone advises technology leaders, Fortune 100 companies, their legal counsel, and governments on business, economic, litigation, and regulatory strategy in relation to these innovations and competitive ecosystems. We operate globally from offices in New York, Boston, San Francisco, Seattle, London, Dubai, and Washington, D.C.

About Keystone

We’re growing quickly and looking for a Security Engineer with governance, risk, and compliance (GRC) proficiency who will be responsible for strengthening the organization’s cybersecurity posture through the execution of governance, risk management, and compliance activities. This role will build and maintain structured governance by formalizing policies, controls, and accountability across the organization; enable proactive risk management through continuous assessment, threat modeling, and mitigation strategies; and ensure compliance efforts can scale effectively alongside company growth, evolving regulatory requirements, and increasing complexity in systems, data handling, and third-party relationships.

About the Security Engineer – GRC Role

Reporting to the Director, IT Security, you will work cross-functionally with IT, product, compliance, and leadership teams, and in some cases directly with clients or auditors, to ensure our security posture meets both technical and regulatory expectations across commercial and regulated environments. This role focuses on developing, documenting, and refining security standards and procedures; performing risk and control assessments; and ensuring alignment with government regulatory and security frameworks, including ISO, industry standards, and organizational policies. This role is ideal for a technically strong security professional who enjoys building secure systems and translating regulatory and business requirements into practical, scalable security solutions.

Key Responsibilities

Security Engineering & Technical Controls

• Design, implement, and maintain security controls across cloud and SaaS environments (AWS, Azure, GCP)

• Implement and manage IAM solutions (SSO, MFA, RBAC, least privilege)

• Support vulnerability management, secure configuration, and system hardening initiatives

• Support logging, monitoring, and alerting integrations (SIEM, cloud-native tools)

• Assist with incident response planning, tabletop exercises, and post-incident reviews

• Evaluate and implement security tooling to improve visibility, protection, and automation

• Partner with engineering teams to embed security into the SDLC (secure design reviews, threat modeling, security requirements)

Governance, Risk & Compliance (GRC)

• Enforce and maintain cybersecurity governance, risk, and control frameworks aligned with applicable laws and industry standards

• Perform cybersecurity risk assessments, maturity assessments, and Business Impact Analyses (BIA)

• Conduct control readiness and effectiveness assessments

• Maintain risk registers, POA&Ms, and remediation timelines

• Serve as a trusted advisor on control design, risk treatment, and security architecture decisions

Regulatory & Audit Support

• Support compliance initiatives such as FedRAMP Moderate/High, ISO 27001, and similar frameworks

• Develop and maintain compliance documentation, including:

    • System Security Plans (SSPs)

    • Policies, procedures, and SOPs

    • Control implementation statements

• Coordinate evidence collection and technical validation for internal and external audits

• Work directly with auditors, 3PAOs, and internal stakeholders during assessments

• Support continuous monitoring activities (vulnerability scans, control testing, compliance reporting)

Program Execution & Improvement

• Track security control implementation with leadership and IT teams

• Drive automation and tooling improvements to scale compliance and monitoring

• Support third-party risk management, including technical vendor assessments and questionnaires

• Research and apply evolving security standards, regulatory requirements, and threat trends

• Lead process improvements to enhance security efficiency and operational maturity

What You’ll Bring

Required

• Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, or equivalent practical experience

• 5–8+ years of experience in security engineering, GRC, or hybrid security/IT roles

• Strong hands-on experience with:

    • Cloud platforms (AWS, Azure, GCP)

    • IAM, network security, encryption, and secure system design

    • Vulnerability management and secure configuration

• Strong working knowledge of security frameworks and compliance standards:

    • NIST SP 800-53 (Rev. 5), NIST RMF (800-37), NIST CSF

    • FedRAMP Moderate/High (including SSPs, POA&Ms, and audits)

    • ISO 27001, CIS

• Experience translating compliance requirements into technical implementations

• Excellent technical writing, documentation, and stakeholder communication skills

• Ability to operate independently, manage multiple initiatives, and influence without authority

Preferred

• Experience with FedRAMP 20x, GovRAMP, CMMC, TX-RAMP, or HIPAA

• Familiarity with GRC platforms (JupiterOne or similar)

• Experience with SIEM, WAF, CSPM, CNAPP, and vulnerability scanning tools

• Background in incident response, threat modeling, or penetration testing

• Scripting or automation experience (Python, Bash, Terraform)

• Cybersecurity certifications such as CISSP, CISA, CRISC, CCSP, Security+

At Keystone we believe diversity matters. At every level of our firm, we seek to advance and promote diversity, foster an inclusive culture, and ensure our colleagues have a deep sense of respect and belonging. If you are interested in growing your career with colleagues from varied backgrounds and cultures, consider Keystone.

In addition to annual salary, we provide an annual discretionary bonus, 401k contribution, and competitive benefits package. Actual compensation within the range will depend upon the level the individual is hired into based on their skills, experience, and qualifications.

Annual Salary Range
$110,000—$150,000 USD
