At a Glance
- Tasks: Lead the design and implementation of security architecture for a cloud-native platform.
- Company: Join a leading FinTech company focused on innovative security solutions.
- Benefits: Competitive salary, flexible working options, and opportunities for professional growth.
- Other info: Be part of a collaborative team driving cutting-edge security initiatives.
- Why this job: Shape the future of cloud security and make a significant impact in a dynamic environment.
- Qualifications: Proven experience in security architecture and cloud security certifications required.
The predicted salary is between 60000 - 80000 £ per year.
The Head of Security Architecture and Engineering leads the pillar responsible for designing and building the security foundations of the cloud-native platform. This role owns the security reference architecture, cloud security posture, identity and access management strategy, data security (including tokenisation and encryption), and the technical standards that the entire engineering organisation builds upon. The pillar operates as an internal platform team: it publishes self‑service security capabilities, automated guardrails, and hardened defaults that enable product teams to build securely by default without needing deep security expertise for every design decision.
The ideal candidate is a technically deep security leader who can set architectural direction, make pragmatic engineering trade‑offs, and build a team that earns the trust and respect of platform and product engineers. This is the most technically demanding leadership role in the CISO function. You will be expected to have credible opinions on cloud security architecture, cryptographic implementation, identity federation, container security, and zero‑trust design — and to translate those opinions into practical, adoptable standards and services.
Key Responsibilities- Define and own the security reference architecture for the cloud-native platform, including network security patterns, identity and authentication, encryption, logging, and inter-service communication security.
- Own the cloud security posture management (CSPM) strategy, ensuring continuous monitoring and automated enforcement of security policies across the entire cloud estate.
- Set and maintain security technical standards, including approved technologies, cryptographic algorithms, authentication protocols, and secure design patterns for microservices.
- Lead the identity and access management strategy, including privileged access management (PAM), service identity (workload identity, service accounts), RBAC models, and zero‑trust architecture principles.
- Own the data security strategy, including cardholder data tokenisation, encryption key management (HSM/KMS), data classification, and data loss prevention implementation.
- Chair the Security Architecture Board, reviewing architecture proposals, approving non‑standard patterns, updating standards, and maintaining a decision log.
- Ensure security guardrails are implemented as automated policies (infrastructure‑as‑code, OPA/Rego, CSPM rules) that scale with the platform and enforce security without manual intervention.
- Publish self‑service security capabilities for engineering teams: secure base images, IaC security modules, encryption libraries, IAM templates, and approved architecture blueprints.
- Collaborate closely with Platform Engineering to embed security into the platform layer, ensuring security is a property of the infrastructure, not an afterthought applied on top.
- Advise the CISO on technical security strategy, emerging technology risks, and the security implications of architectural decisions.
- Support PCI DSS compliance from an architectural perspective, ensuring the platform design supports scope minimisation, network segmentation, and the technical requirements of PCI DSS 4.0.
- Manage and develop the Security Architecture and Engineering team of five, building deep technical capability across cloud security, identity, cryptography, and architecture.
- Security reference architecture document, covering cloud, network, identity, data, and application layers — reviewed and updated bi‑annually.
- Cloud security policy‑as‑code library (OPA/Rego, Terraform Sentinel, or cloud‑native equivalents) integrated into deployment pipelines.
- IAM strategy and RBAC model documentation, including privileged access management implementation and zero‑trust roadmap.
- Data security and encryption standards document, including approved algorithms, key management procedures, and tokenisation architecture.
- Technology security standards catalogue (approved languages, frameworks, libraries, protocols, and configurations).
- Secure design pattern library (paved road patterns for common scenarios: API authentication, inter‑service communication, data handling, secrets management).
- Security Architecture Board minutes and decision log.
- CSPM compliance dashboard and drift reporting.
- Secure base image catalogue for containers and VMs, published and maintained.
- AWS Security Specialty, GCP Professional Cloud Security Engineer, or equivalent cloud security certification.
- Significant experience within FinTech or PayTech/Payments Acquiring.
- CISSP‑ISSAP (Architecture concentration), SABSA, or TOGAF certification.
Head of Security Architecture and Engineering - CISO function - BPL in London employer: 慨正橡扯
At 慨正橡扯, we pride ourselves on being an exceptional employer that champions innovation and collaboration in the field of Behavioral Economics and Retirement Research. Our hybrid working model not only offers flexibility but also nurtures a vibrant work culture where employees are encouraged to grow and develop their skills through meaningful projects and leadership opportunities. Join us in Europe, where your expertise will directly contribute to enhancing investor outcomes and shaping impactful business strategies.