DevSecOps

This is a brand new role for us and represents the start of our journey into automating compliance, security monitoring and auditing. We currently use a mix of third party services, consultancy, internal best practice and manual auditing but we want to be able to provide evidence of practices being implemented, tamper-proof systems, automated reports for clients and all without impact the pace and quality of our delivery of value to our clients.

You will be an important part of this journey as you will be the first person in the team to be able to work on these issues full time and will also have a chance to feed into the strategy and deliver of the key early pieces of work. We are therefore looking for someone who loves the idea of not being being a security silo but collaborating effectively across the company as an advocate for security.

While there will initially be a focus on continuous delivery, infrastructure, internal auditing and training this is not a pure operations or infrastructure role. We want someone who is excited in and capable of engaging in the entire process of value delivery via software development process.

We are also looking for someone who wants to be very practical and hands-on. We don't want security or compliance to be a checkbox exercise or a case of setting down rules without taking responsibility for helping fulfil them. We want someone with a "Security says Yes!" attitude who wants to help people figure how to do something securely rather than telling them they can't do something.

What kinds of things will you do?

This is a new role so nothing is set in stone but when we are thinking about what you might be working on with us this is what is in our minds right now.

• Implementing integration and automation routines to promote effective security operations
• Implementing automated on and off boarding procedures and auditing based on our current manual processes
• Implementing automated security testing to prevent regressions
• Reviewing vulnerability scans, reviewing results and eliminating false positives
• Developing reporting tools to provide an aggregate picture of the security situation for our whole estate
• Researching and assessing new security technologies
  • building proof of concepts to verify potential
  • presenting back to the wider team about how new technologies could be applied
• Supporting the development team to integrate security best practice and automation into their day to day work including training where necessary
• Supporting the Senior Vice-President of Technology in refining and developing security plans and threat models
• Helping respond to client requests for information and evidence
  • ideally automating and standardising where possible to minimise effort and maximise consistency

Relevant experience

We are happy to consider different routes into this role either from development, tradition security roles or operational career paths. We're looking for someone who can have an impact quickly and bring experience that complements our own; we think you will need to have the following:

• Experience designing and implementing secure, scaleable, resilient, highly available configurations of infrastructure components
• Demonstrable knowledge of system security vulnerabilities and remediation techniques
• Experience of automation of cloud deployments and developing infrastructure as code
• Experience in simulating failure scenarios outside of production environments
• Experience of creating low friction IT security solutions for both technical and non-technical staff members

Key technical knowledge

We currently think that a successful candidate must have experience in the following:

• AWS
• Terraform or equivalent infrastructure as code tooling
• Development pipeline automation

Desirable experience

These are not necessary to apply for the role but we may use this experience to differentiate between successful candidates.

• Python and Javascript applications
• Web technologies including security standards
• Containerisation including securing and verifying containers
• ISO and SOC certification and auditing processes
• Security and reliability testing in production