Mission Overview:
Keystone Solutions is seeking a Senior Security Architect to join a consultancy mission with our client, a leading banking company based in Brussels. As a Keystone Solutions consultant, you will operate within the client's architecture and cybersecurity functions to design, govern, and guide secure-by-design solutions across cloud and on-prem environments, ensuring alignment with banking regulations and industry best practices.
Consultancy Nature of Work:
This is a consultancy engagement through Keystone Solutions. You will be embedded within the client's teams (on-site in Brussels with hybrid flexibility as permitted by the client), acting as a trusted advisor who shapes security architecture decisions, partners with engineering, risk, and compliance stakeholders, and drives delivery of secure solutions. You will leverage Keystone's internal community, accelerators, and expert network to bring added value to every client interaction.
Key Responsibilities:
- Act as the lead security architect (as a Keystone Solutions consultant) for banking initiatives covering digital channels, payments, data platforms, core banking transformations, and cloud adoption.
- Define, document, and communicate end-to-end security architectures, reference models, and guardrails for cloud (Azure and/or AWS) and on-prem solutions, ensuring defense-in-depth and zero-trust principles.
- Conduct solution security design reviews and threat modeling (STRIDE, attack trees) for critical applications, APIs, data flows, and integrations.
- Establish and enforce security patterns for microservices, containerized workloads (Kubernetes), and API gateways; integrate WAF, API protection, and runtime controls.
- Design and oversee IAM architectures, including MFA/SSO, federation (SAML, OIDC, OAuth 2.0), role-based access control, and privileged access management (e.g., CyberArk).
- Define and harden network security (segmentation, micro-segmentation, firewall policies, NAC) and service-to-service communication (mTLS, certificate lifecycle management).
- Design data protection strategies: encryption at rest/in transit, key and secret management (HSM, KMS, Vault), tokenization, masking, and DLP for sensitive financial data.
- Drive DevSecOps enablement: integrate SAST/DAST/IAST, container image scanning, IaC scanning (Terraform, Azure/AWS), dependency and SBOM management into CI/CD pipelines.
- Shape cloud security posture management and landing zone security (guardrails, policies, identity boundaries, logging/monitoring standards) on Azure and/or AWS.
- Define and implement logging, monitoring, and detection strategies with SIEM/SOAR (e.g., Splunk, Microsoft Sentinel), covering threat detection use cases and incident response playbooks.
- Collaborate with enterprise architects and domain architects; present solutions to architecture governance boards and risk committees, addressing security non-functionals and trade-offs.
- Perform risk assessments and control gap analyses, mapping to ISO/IEC 27001, NIST CSF, EBA/ECB guidelines, DORA, PSD2, SWIFT CSP, and relevant internal standards.
- Guide remediation for penetration test and vulnerability findings, prioritize risks, and ensure sustainable fixes are embedded in design and delivery.
- Assess third-party and SaaS solutions for security and compliance, support due diligence, and define secure integration patterns.
- Contribute to business continuity and disaster recovery architecture, including ransomware resilience, immutable backups, and recovery testing strategies.
- Produce high-quality artifacts: security architecture documents, roadmaps, decision records, standards, and solution blueprints tailored for engineering teams.
- Coach engineers and product teams on secure design and coding practices; conduct knowledge-transfer sessions and contribute to internal communities of practice.
- Support product selection and RFPs for security tooling (e.g., EDR/XDR, secrets management, API security, container security) and ensure fit-for-purpose adoption.
- Work closely with Legal, Risk, and Compliance to ensure privacy-by-design and alignment with GDPR and sector-specific requirements.
Required Skills and Experience:
- 7+ years in cybersecurity with substantial experience in security architecture for complex enterprises; proven impact in financial services or similarly regulated environments.
- Deep knowledge of cloud security (Azure and/or AWS), including identity, networking, policy/guardrails, encryption, logging/monitoring, and workload protection.
- Strong background in IAM, federation (SAML/OIDC/OAuth 2.0), PAM, and directory services (e.g., Entra ID/Azure AD).
- Hands-on understanding of DevSecOps, CI/CD, and security tooling integration (SAST/DAST/IAST, container and IaC scanning, SBOMs).
- Expertise in network and application security, zero trust, API security, WAF, and microsegmentation.
- Cryptography fundamentals and applied key management (HSM, KMS), secrets management (e.g., HashiCorp Vault, Azure Key Vault), and certificate management.
- Experience with Kubernetes security (admission controls, OPA/Gatekeeper, image signing, runtime protection) and container platforms.
- Proficiency with SIEM/SOAR (e.g., Splunk, Microsoft Sentinel), detection engineering, and incident response practices.
- Familiarity with banking and EU regulatory frameworks: EBA/ECB guidance, DORA, PSD2, SWIFT CSP, ISO/IEC 27001, NIST CSF, and GDPR.
- Ability to translate business goals and risk appetite into pragmatic, secure designs; strong documentation and stakeholder communication skills.
- Professional certifications are a plus: CISSP, CCSP, CISM, SABSA, TOGAF, AWS/Azure Security specialty.
- Language: Excellent English; French and/or Dutch are strong assets in the Brussels context.
Nice to Have:
- Experience in payments, open banking/PSD2 APIs, identity proofing and risk-based authentication.
- Knowledge of data platforms (Kafka, data mesh/lakehouse) and associated security patterns.
- Exposure to microservices eventing security, service meshes, and API monetization controls.
- Background in third-party risk and SaaS due diligence for core banking adjacencies.
Dynamic Projects:
As a Keystone Solutions consultant, you will tackle diverse security challenges across multiple initiatives within the banking client and, over time, across other client environments, ranging from cloud landing zones and digital channels to payments modernization and data protection programs.
Turbo-Charged Learning and Development:
- Dedicated certification budget and study time for security and cloud credentials.
- Access to Keystone Solutions mentors, architecture communities, and reusable accelerators.
- Hands-on labs, knowledge-sharing sessions, and post-mission debriefs to accelerate growth.
Ambition Skyrocketing within a Consultancy Framework:
- Clear pathways to grow toward Principal Architect or Security Chapter Lead roles.
- Opportunities to influence standards, publish point-of-view papers, and lead client workshops.
- Broaden your impact by rotating through strategic client engagements as you progress.
What It Means to Be a K-Stone:
At Keystone Solutions, our consultants embody client centricity, craftsmanship, integrity, ownership, and curiosity. Being a K-Stone means bringing these values to every client project: advising with candor, building with excellence, and delivering secure outcomes that last.
Practical Details:
- Location: Brussels, Belgium (on-site at the client with hybrid flexibility per client policy).
- Engagement: Consultancy mission through Keystone Solutions (permanent employee or long-term freelance).
- Start: As soon as available.
- Work authorization: Eligible to work in the EU; on-site presence in Brussels required on a regular basis.
How to Apply:
If you are ready to tackle technical and strategic challenges in a dynamic consultancy environment, apply today at the Keystone Solutions Career Portal.