Cyber Security Lead: Secure Delivery & Assurance (Hybrid)

Crown Agents Bank is a vastly growing and regulated UK bank that connects emerging and frontier markets to the rest of the world, using FX and payments technology. We are transforming the way payments and FX move through emerging markets, reducing friction so that more money gets to those who need it. Emerging markets payments are usually challenging, expensive, unreliable and opaque. Our solutions help fix these pain points. Ultimately, we connect traditionally hard-to-reach regions to global financial infrastructure, giving access to the best prices and the fastest, most reliable settlement.

FX and cross-border payments are often complex and expensive, especially when operating in emerging markets. Crown Agents Bank (CAB) wraps its deep and trusted relationships and strength of network around innovative digital capabilities, and cross-border transaction banking solutions to enable fintech, corporates, governments, development organisations and banks to move money to, from, and across often hard-to-reach markets.

Role Purpose

This is a specialist dual-focus role at the intersection of secure delivery and security assurance. You will own two primary programmes of work for Crown Agents Bank:

• Security in Change: Acting as the security voice in project delivery — conducting risk assessments, reviewing architecture, maintaining the Secure SDLC framework, and providing formal security sign-off on material changes.
• Security Assurance: Running the Bank’s security testing and vulnerability management programme — commissioning and managing penetration tests, owning vulnerability reporting and trend analysis, managing attack surface visibility, and working collaboratively across the business to drive remediation.

You will be technically credible enough to challenge architects and developers, and clear and persuasive enough to land risk decisions with senior stakeholders. As part of a small, high-trust CISO team, you will also flex across the wider service catalogue beyond your primary accountabilities — this provides variety, genuine career breadth, and direct visibility of the firm’s full security posture that a siloed role in a larger team would not.

Role Responsibilities

PILLAR 1 — Security in Change

Primary accountability: own security throughout the project and change lifecycle

• Own and maintain the Secure SDLC framework, ensuring security requirements, controls, and standards are embedded across all material change programmes and project deliveries.
• Conduct security risk assessments on new projects, significant changes, architecture proposals, and new technology initiatives, producing clear risk documentation and recommendations.
• Provide architecture review and formal security sign-off for project delivery, acting as the gating authority for security acceptance of changes into production.
• Define and maintain application security standards including OWASP-aligned secure coding guidelines, security requirements, and application security testing criteria.
• Act as the embedded security adviser to project and engineering teams, providing practical, timely guidance that enables secure delivery without impeding pace.
• Contribute to third-party and vendor risk assessments for new solutions and integrations, ensuring security due diligence is conducted as part of onboarding.

PILLAR 2 — Security Testing & Vulnerability Management

Primary accountability: own the firm’s assurance and vulnerability posture

• Own the vulnerability management programme end-to-end: aggregate and analyse data from Tenable and other scanning tooling, maintain prioritisation logic based on exploitability, asset criticality, and business context, and produce governance-ready reporting for ORC and senior stakeholders.
• Commission, scope, and manage penetration tests (infrastructure, application, and where appropriate red team/social engineering), tracking findings through to remediation closure.
• Own attack surface management — maintain visibility of the firm’s externally exposed assets and services, identify unmanaged or unexpected exposure, and feed findings into the vulnerability management and pentest scoping pipeline.
• Conduct technical analysis of vulnerability and assessment data to produce actionable prioritisation recommendations, distinguishing between critical risk and noise.
• Work collaboratively with Production Services, engineering, and infrastructure teams to promote and track remediation — owning the reporting and assurance of remediation progress, not the delivery of fixes.
• Maintain and continuously improve vulnerability management tooling, processes, and SLA frameworks in line with the firm’s risk appetite.

Contributing Responsibilities

As part of a lean CISO team, this role is expected to contribute across the following service areas as capacity and business need require:

• Support ISO 27001, Cyber Essentials, SWIFT CSP, DORA, and NYDFS Part 500 compliance activities within areas of ownership, including evidence collection and control testing.
• Contribute to security incident response where technical expertise in vulnerability exploitation, application security, or network threat analysis is relevant.
• Support security awareness activities including specialist training content and targeted communication.

Qualifications

Degree or equivalent professional experience in a relevant technical or security discipline. Professional certification — one or more of the following is desirable:

• Additional certifications (AWS Security, AZ-500, SC-200) are a plus.

Candidates with strong hands-on experience and demonstrable technical capability will be considered regardless of formal certification.

Experience

Minimum 7–8 years’ experience in information security roles, ideally with exposure to both technical delivery and governance functions.

• Demonstrable experience owning or managing a vulnerability management programme, including use of Tenable, Qualys, or equivalent scanning platforms.
• Experience commissioning, scoping, and managing penetration tests and tracking remediation to closure.
• Strong understanding of Secure SDLC frameworks (OWASP SAMM, BSIMM, or equivalent) and practical application security knowledge (OWASP Top 10, secure coding, security requirements).
• Experience conducting security risk assessments on projects, changes, or third-party integrations.
• Excellent communication skills — able to engage technical teams, project managers, and senior stakeholders with equal clarity.
• Experience in or with a PRA/FCA dual-regulated financial institution.
• Working knowledge of ISO 27001, SWIFT CSP, DORA, NYDFS Part 500, or Cyber Essentials.
• Familiarity with attack surface management tooling or methodology.
• Hands-on experience with Microsoft Defender for Endpoint, Sentinel, or equivalent security tooling.
• Innovative mindset with a genuine interest in the evolving threat landscape, including AI-driven threats and offensive tooling developments.

Additional Information

Why Join Us?

• Be part of a small, agile, and collaborative team where your impact is direct and visible.
• Opportunity to work on cutting-edge financial services and security projects.
• Competitive salary and benefits, including training and development support.
• Hybrid working arrangements and a culture that values innovation and initiative.

Benefits include:

• Contributory personal pension plan: - Minimum: Employee 2% and Employer 7%. Employer matches contributions in 1% increments to a maximum of: Employee 5% and Employer 10%.
• Life Assurance – 4 times annual salary.
• Group Income Protection.
• Private Medical Insurance – this may include cover for partner and or children at company cost. Cover includes Optical, Dental and Audiology.