
Lead Engineer – Key Management & HSM

Job ID R0000426521 Date posted 01/12/2026
The pay range is $132,000.00 - $238,000.00

Pay is based on several factors which vary based on position. These include labor markets and in some instances may include education, work experience and certifications. In addition to your pay, Target cares about and invests in you as a team member, so that you can take care of yourself and your family. Target offers eligible team members and their dependents comprehensive health benefits and programs, which may include medical, vision, dental, life insurance and more, to help you and your family take care of your whole selves. Other benefits for eligible team members include 401(k), employee discount, short term disability, long term disability, paid sick leave, paid national holidays, and paid vacation. Find competitive benefits from financial and education to well-being and beyond at https://corporate.target.com/careers/benefits.

About us:

Working at Target means helping all families discover the joy of everyday life. We bring that vision to life through our values and culture. Learn more about Target here.

Role summary:

As a Lead Engineer, you are the technical anchor for the engineering team that supports a product. You create, own, and evolve the application architecture that best serves the product’s functional and non-functional needs. You identify and drive architectural changes to accelerate feature development and improve reliability and quality. You have deep and broad engineering skills and can stand up an architecture end to end, while scaling your impact by mentoring engineers and acting as a force multiplier. Job duties may change at any time due to business needs.

We are seeking a Lead Engineer to own our enterprise key management platform and make it easy and safe for teams to use encryption and signing at scale. This role is ideal for someone who deeply understands key lifecycle management and HSM-backed systems and enjoys building reliable, scalable services in a modern engineering environment.

You will lead technical strategy, mentor engineers, architect core security services, and partner with platform, cloud, identity, and application teams to deliver secure, seamless cryptographic capabilities across the enterprise, while ensuring our key management and cryptographic services can adapt to evolving algorithms, standards, and enterprise security requirements.

What you’ll do:

  • Lead the architecture and lifecycle management of enterprise key management platforms, including key generation and import, rotation, rewrap and rekey, escrow and backup, revocation and destruction, and auditability.
  • Design, integrate, and operate HSM-backed cryptographic services, including tenancy and partitioning, high availability and failover, performance and capacity planning, and secure operational controls.
  • Define and standardize integration patterns that reduce secret sprawl, including secure injection and rotation workflows, developer guardrails, and paved-road adoption patterns in partnership with platform and application teams.
  • Establish standards, automation, and best practices for cryptographic service consumption across teams, including APIs, SDKs, and guardrails.
  • Partner across cloud, platform, identity, and application teams to enable secure cryptographic capabilities at scale.
  • Lead complex implementations, mentor engineers, and raise the quality and security bar through architecture reviews and technical guidance.
  • Drive measurable improvements in reliability, security posture, and developer experience for cryptographic platforms.

About you:

Required

  • 5+ years of software development and/or platform engineering experience, including hands-on work with enterprise key management and HSM-backed systems in production.
  • Demonstrated expertise in enterprise key management and key lifecycle practices.
  • Hands-on experience integrating with and operating Hardware Security Modules in production environments.
  • Experience building and operating scalable, distributed systems with strong reliability practices, including observability, automation, and operational readiness.
  • Proven ability to lead technical strategy, influence architecture, and mentor engineers.

Preferred

  • Experience with the Thales product suite.
  • Experience building or operating encryption-as-a-service capabilities.

Bonus

  • Experience with PKI platforms such as Keyfactor EJBCA, Windows ADCS, Venafi, Vault PKI, or equivalent solutions.
  • Strong PKI fundamentals and certificate lifecycle automation, including issuance, renewal, revocation, and OCSP/CRL.
  • Proficiency in Go, Java, or Python.
  • Experience with secrets platforms such as HashiCorp Vault or Google Secret Manager and secret rotation patterns.
  • Experience with cloud-native security architecture, including Kubernetes, service identity, mTLS, and workload authentication.

Work Arrangement:

This position will operate as a Hybrid/Flex for Your Day work arrangement based on Target’s needs. A Hybrid/Flex for Your Day work arrangement means the team member’s core role will need to be performed both onsite at the Target HQ MN location the role is assigned to and virtually, depending upon what your role, team and tasks require for that day. Work duties cannot be performed outside of the country of the primary work location, unless otherwise prescribed by Target. Click here if you are curious to learn more about Minnesota.

Benefits Eligibility

Please paste this url into your preferred browser to learn about benefits eligibility for this role: https://tgt.biz/BenefitsForYou_E

Americans with Disabilities Act (ADA)

In compliance with state and federal laws, Target will make reasonable accommodations for applicants with disabilities. If a reasonable accommodation is needed to participate in the job application or interview process, please reach out to candidate.accommodations@HRHelp.Target.com. Non-accommodation-related requests, such as application follow-ups or technical issues, will not be addressed through this channel.
