The core of the role is hands-on security risk management, threat modeling, security risk assessments, and security design and architecture reviews, paired with the governance and process work that scales the program. You will partner on customer due-diligence and SOC 2 evidence and turn security controls into repeatable workflows that fit how the business already works. You will apply that lens across the full control landscape: cloud security, supply-chain and vulnerability management, endpoint and identity, detection and response, and AI security.
CMG operates in a highly regulated, client-facing market, so scope and impact here are unusually large for the level. We value strong collaboration and a deep sense of ownership: you will be trusted to take initiatives and run with them, often without an established process or a big team behind you. The defining shift for the program is moving from reactive to proactive, and this role is central to it. This is a high-growth-potential role: we expect the right person to start as a senior individual-contributor and grow into broader leadership, including people's leadership, as the function scales.
Responsibilities
- Lead threat modeling across products, infrastructure, and new initiatives, identifying and prioritizing risks, attack surfaces, and vulnerabilities.
- Conduct security risk assessments and translate findings into pragmatic, risk-based remediation prioritized by impact and blast radius.
- Run security design and architecture reviews, partnering with Engineering and DevOps to reduce risk through secure design and simplicity, not just added controls.
- Partner on customer due-diligence (DDQ) and SOC 2 Type II evidence gathering, keeping compliance sustainable rather than fire-drilled.
- Build repeatable security workflows that embed controls into existing engineering processes instead of creating parallel ones.
- Develop and maintain clear, role-relevant security policies, standards, and procedures, and drive consensus without direct authority.
- Understand and implement controls for supply-chain risk and vulnerability management, including CI/CD enforcement and dependency hygiene, and build vulnerability triage workflows that score real risk by exploitability, reachability, and compensating controls rather than raw CVSS.
- Harden and secure our cloud environment (Azure), partnering with platform engineering on secure configuration, reviewing and remediating vulnerabilities, identity and network controls, posture management, and logging and detection.
- Strengthen endpoint and identity controls across a global, remote workforce: least privilege, phishing-resistant MFA, and privileged access controls.
- Support detection and response, partnering with our DFIR and MDR relationships and helping mature toward a proactive posture.
- Address AI security risks (prompt injection, data poisoning, model and agent governance) and help keep AI controls ahead of adoption.
- Take ownership of large, loosely defined initiatives and drive them from problem framing to operationalized program.
- Work closely with senior leadership across the firm, bringing structure to ambiguity and sequencing work against risk.
- Surface risk early, challenge assumptions, and communicate clearly to both technical teams and senior stakeholders.
Qualifications
- Have 6+ years of hands-on security experience, with real depth in security risk management: threat modeling, risk assessments, and security design and architecture review.
- Have run governance, risk, and compliance work in practice, including audit and customer due-diligence support (SOC 2 or similar), and made it operational rather than just documented.
- Have thrived in a startup or other small, fast-paced environment, owning large, ambiguous initiatives end-to-end with little scaffolding and shipping them.
- Have working breadth across the control landscape: cloud security, supply-chain and vulnerability management, endpoint and identity, and detection and response.
- Are genuinely technical: comfortable in cloud environments (Azure preferred), CI/CD, and at least one scripting language (e.g. Python, Bash, PowerShell), so your controls hold up in engineering reality.
- Lead with empathy and influence, and distill complex security concepts into clear, actionable guidance for technical and non-technical audiences alike.
- Thrive navigating ambiguity and make sound, risk-based calls with incomplete information.
- Work effectively in a remote-first setup: most of the team is remote, with a small London in-office presence, so you communicate crisply and operate well asynchronously.
- Navigate an organization to get things done you know who to pull in for information or alignment, and you drive that alignment without formal authority.
Nice to have
- Have banking, fintech, or other regulated industry experience.
- Use AI tooling fluently in your own day-to-day work and are eager to integrate it into security workflows as a force multiplier.
- Have a bias toward automating repeatable security work β scripting, tooling, and process β to scale your impact.
- Be familiar with AI and agentic security risks (prompt injection, data poisoning, model and agent governance).
- Have experience mapping security frameworks (NIST CSF, ISO 27001, OWASP, NIST AI RMF).
- Have hands-on exposure to detection and response, red-team, or pen-test work.
- Have experience with our stack: Azure / Entra ID, GitHub Enterprise Cloud (GHAS, Actions, Dependabot), Sentinel, Zscaler, Intune, Vanta, and the Atlassian suite.
- Hold relevant certifications (e.g. CISSP, CRISC, OSCP) β valued but not required.
Our Values
- We innovate with purpose
- We focus on outcomes vs. output
- We believe diverse and inclusive teams fuel innovation
- We are humble yet candid
- We do right by the customer
What We Offer
-
Equity
-
Unlimited PTO (28 days including bank holidays + unlimited additional paid leave)
-
Comprehensive benefits program managed by Globalization Partners
-
Premium life and income protection
-
Top private medical and dental insurance
-
Employee Assistance Program (EAP)
-
Pension contributions
-
Hybrid work environment (initially remote until office setup is complete)
-
Education reimbursement
-
Continuous learning opportunities
-
Employee referral bonus
-
Parental leave
Senior Security Engineer in London employer: Capital Markets Gateway
At Capital Markets Gateway LLC (CMG), we pride ourselves on being an exceptional employer, offering a dynamic work culture that fosters innovation and collaboration. Our commitment to employee growth is evident through continuous learning opportunities and a clear pathway for advancement, particularly in high-growth roles like the Senior Security Engineer. With a hybrid work environment and comprehensive benefits, including unlimited PTO and equity options, CMG provides a supportive atmosphere where every team member can thrive and contribute meaningfully to our mission in the financial technology sector.