
Security Engineer

Job in Boston, Suffolk County, Massachusetts, 02298, USA
Listing for: Keystone
Full Time position
Listed on 2026-05-16
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security
Salary/Wage Range or Industry Benchmark: 100000 - 125000 USD Yearly
Job Description & How to Apply Below

Keystone is a premier economics, technology, and strategy consulting firm built to help companies lead through transformation. As breakthrough innovations reshape industries, redefine competition, and change our society, complex and highly competitive ecosystems emerge. Keystone advises technology leaders, Fortune 100 companies, their legal counsel, and governments on business, economic, litigation, and regulatory strategy in relation to these innovations and competitive ecosystems.

We operate globally from offices in New York, Boston, San Francisco, Seattle, London, Dubai, and Washington, D.C.

We’re growing quickly and looking for a Security Engineer with governance, risk and compliance (GRC) proficiency who will be responsible for strengthening the organization’s cybersecurity posture through the execution of governance, risk management, and compliance activities. This role will build and maintain structured governance by formalizing policies, controls, and accountability across the organization; enable proactive risk management through continuous assessment, threat modeling, and mitigation strategies; and ensure compliance efforts can scale effectively alongside company growth, evolving regulatory requirements, and increasing complexity in systems, data handling, and third-party relationships.

About the Security Engineer – GRC Role

Reporting to the Director, IT Security, you will work cross‑functionally with IT, product, compliance, and leadership teams, and in some cases directly with clients or auditors, to ensure our security posture meets both technical and regulatory expectations across commercial and regulated environments. This role focuses on developing, documenting, and refining security standards and procedures; performing risk and control assessments; and ensuring alignment with government regulatory and security frameworks, including ISO, industry standards, and organizational policies.

This role is ideal for a technically strong security professional who enjoys building secure systems and translating regulatory and business requirements into practical, scalable security solutions.

Key Responsibilities

Security Engineering & Technical Controls
  • Design, implement, and maintain security controls across cloud and SaaS environments (AWS, Azure, GCP)
  • Implement and manage IAM solutions (SSO, MFA, RBAC, least privilege)
  • Support vulnerability management, secure configuration, and system hardening initiatives
  • Support logging, monitoring, and alerting integrations (SIEM, cloud‑native tools)
  • Assist with incident response planning, tabletop exercises, and post‑incident reviews
  • Evaluate and implement security tooling to improve visibility, protection, and automation
  • Partner with engineering teams to embed security into the SDLC (secure design reviews, threat modeling, security requirements)
Governance, Risk & Compliance (GRC)
  • Enforce and maintain cybersecurity governance, risk, and control frameworks aligned with applicable laws and industry standards
  • Perform cybersecurity risk assessments, maturity assessments, and Business Impact Analyses (BIA)
  • Conduct control readiness and effectiveness assessments
  • Maintain risk registers, POA&Ms, and remediation timelines
  • Serve as a trusted advisor on control design, risk treatment, and security architecture decisions
Regulatory & Audit Support
  • Support compliance initiatives such as FedRAMP Moderate/High, ISO 27001, and similar frameworks
  • Develop and maintain compliance documentation, including:
      • System Security Plans (SSPs)
      • Policies, procedures, and SOPs
      • Control implementation statements
  • Coordinate evidence collection and technical validation for internal and external audits
  • Work directly with auditors, 3PAOs, and internal stakeholders during assessments
  • Support continuous monitoring activities (vulnerability scans, control testing, compliance reporting)
Program Execution & Improvement
  • Track security control implementation with leadership and IT teams
  • Drive automation and tooling improvements to scale compliance and monitoring
  • Support third‑party risk management, including technical vendor assessments and questionnaires
  • Research and apply evolving security standards,…