RoleCybersecurity

PKI Engineer

Certificate authorities, HSMs, key rotation, signing infrastructure.

The verdict

Tiny market, deep specialism, almost recession-proof if you're properly competent. Take it knowing you'll be one of very few who understand it.

Pick this if

You enjoy long-lived systems that can't be casually rebuilt
You're meticulous about lifecycle, expiry and rotation
You like being the person three teams call when nothing else makes sense
You're patient with cryptographic specs and vendor implementations that drift

Skip this if

You want fast iteration, PKI cycles in years
You can't tolerate work where one small mistake breaks everything
You'd struggle being the only person in the room who knows the topic

What "doing well" looks like in the seat

Your CA migrations go in cleanly with no surprise outage
Auditors leave PKI alone in your environment
You've automated certificate lifecycle in a way the next engineer can maintain
You can explain trust hierarchies to leadership without losing them

The bit you're probably underestimating

Specialism is a double edge. There are very few PKI roles in the UK, but each one is hard to fill, so the people who hold the seat tend to stay until they retire. That stability is the upside. The downside is you can become unmoveable, and your skills are easy to pigeonhole. Pair PKI with broader IAM or cloud security work, not just deeper PKI, if you want the option to leave.

Tradeoffs at a glance

Hover any chip for the calibrated meaning. Ratings are directional, not absolute.

Promotion ceiling

Moderate but well-paid, small market, hard to displace.

Who actually gets in

+Security Engineer
+Cryptography enthusiast
+Senior sysadmin

Common misconceptions

−That it's a dying skill, modern zero-trust pushed demand up, not down.

Where this leads

IAM
Cloud Security
Cryptography Engineer

Pathways that pass through here

Cloud Security Engineer
Cloud-native IAM, workload security, policy-as-code. Entered from cloud, not from SOC.

Where this fits

Roles connect to pathways, certs and other roles. Use one to test the next.

Pathways that touch this

Roles to consider

Perspectives that bear on this

AI will not delete IT, but it will shrink one kind of IT role
The 'AI replaces all of IT' narrative is wrong. The narrower version is mostly right, and worth planning around.

The serious next step

You've read about the role. The harder question is whether it's the right one for you.

A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.

Plateau zone

The flat year nobody warns you about, named and timed.

Reality vs Fantasy

Your actual five-year curve against the one you've been sold.

What to sit and what to skip

Each cert on your list: useful, optional, or skip, with reasons.

The call

A single written judgment on whether your plan holds up.

Tradeoff spectrum

What you're giving up for what you're choosing, plotted.

Decisive factors

The two or three things that will actually make or break this.

See what a Career Verdict looks like £25 · one verdict, yours to keep

Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. Framework is human-authored; the verdict applies it to your inputs.

All roles