This is a brand new role for us and represents the start of our journey into automating compliance, security monitoring and auditing. We currently use a mix of third party services, consultancy, internal best practice and manual auditing but we want to be able to provide evidence of practices being implemented, tamper-proof systems, automated reports for clients and all without impact the pace and quality of our delivery of value to our clients.
You will be an important part of this journey as you will be the first person in the team to be able to work on these issues full time and will also have a chance to feed into the strategy and deliver of the key early pieces of work. We are therefore looking for someone who loves the idea of not being being a security silo but collaborating effectively across the company as an advocate for security.
While there will initially be a focus on continuous delivery, infrastructure, internal auditing and training this is not a pure operations or infrastructure role. We want someone who is excited in and capable of engaging in the entire process of value delivery via software development process.
We are also looking for someone who wants to be very practical and hands-on. We don’t want security or compliance to be a checkbox exercise or a case of setting down rules without taking responsibility for helping fulfil them. We want someone with a “Security says Yes!” attitude who wants to help people figure how to do something securely rather than telling them they can’t do something.
What kinds of things will you do?
This is a new role so nothing is set in stone but when we are thinking about what you might be working on with us this is what is in our minds right now.
Implementing integration and automation routines to promote effective security operations
Implementing automated on and offboarding procedures and auditing based on our current manual processes
Implementing automated security testing to prevent regressions
Reviewing vulnerability scans, reviewing results and eliminating false positives
Developing reporting tools to provide an aggregate picture of the security situation for our whole estate
Researching and assessing new security technologies
building proof of concepts to verify potential
presenting back to the wider team about how new technologies could be applied
Supporting the development team to integrate security best practice and automation into their day to day work including training where necessary
Supporting the Senior Vice-President of Technology in refining and developing security plans and threat models
Helping respond to client requests for information and evidence
ideally automating and standardising where possible to minimise effort and maximise consistency
Relevant experience
We are happy to consider different routes into this role either from development, tradition security roles or operational career paths.
We’re looking for someone who can have an impact quickly and bring experience that complements our own; we think you will need to have the following:
Experience designing and implementing secure, scaleable, resilient, highly available configurations of infrastructure components
Demonstrable knowledge of system security vulnerabilities and remediation techniques
Experience of automation of cloud deployments and developing infrastructure as code
Experience in simulating failure scenarios outside of production environments
Experience of creating low friction IT security solutions for both technical and non-technical staff members
Key technical knowledge
We currently think that a successful candidate must have experience in the following:
AWS
Terraform or equivalent infrastructure as code tooling
Development pipeline automation
Desirable experience
These are not necessary to apply for the role but we may use this this experience to differentiate between successful candidates.
Python and Javascript applications
Web technologies including security standards
Containerisation including securing and verifying containers
ISO and SOC certification and auditing processes
Security and reliability testing in production