Cyber Security Manager

Crown Agents Bank is a vastly growing and regulated UK bank that connects emerging and frontier markets to the rest of the world, using FX and payments technology. We are transforming the way payments and FX move through emerging markets, reducing friction so that more money gets to those who need it. Our solutions help fix these pain points, ultimately connecting traditionally hard‑to‑reach regions to global financial infrastructure.

Role Purpose

This is a specialist dual‑focus role at the intersection of secure delivery and security assurance. You will own two primary programmes of work for Crown Agents Bank:

• Security in Change: Acting as the security voice in project delivery — conducting risk assessments, reviewing architecture, maintaining the Secure SDLC framework, and providing formal security sign‑off on material changes.
• Security Assurance: Running the Bank’s security testing and vulnerability management programme — commissioning and managing penetration tests, owning vulnerability reporting and trend analysis, managing attack surface visibility, and working collaboratively across the business to drive remediation.

You will be technically credible enough to challenge architects and developers, and clear and persuasive enough to land risk decisions with senior stakeholders. As part of a small, high‑trust CISO team, you will also flex across the wider service catalogue beyond your primary accountabilities.

Role Responsibilities

Security in Change

• Own and maintain the Secure SDLC framework, ensuring security requirements, controls, and standards are embedded across all material change programmes and project deliveries.
• Conduct security risk assessments on new projects, significant changes, architecture proposals, and new technology initiatives, producing clear risk documentation and recommendations.
• Provide architecture review and formal security sign‑off for project delivery, acting as the gating authority for security acceptance of changes into production.
• Define and maintain application security standards including OWASP‑aligned secure coding guidelines, security requirements, and application security testing criteria.
• Act as the embedded security adviser to project and engineering teams, providing practical, timely guidance that enables secure delivery without impeding pace.
• Contribute to third‑party and vendor risk assessments for new solutions and integrations, ensuring security due diligence is conducted as part of onboarding.

Security Testing & Vulnerability Management

• Own the vulnerability management programme end‑to‑end: aggregate and analyse data from Tenable and other scanning tooling, maintain prioritisation logic based on exploitability, asset criticality, and business context, and produce governance‑ready reporting for ORC and senior stakeholders.
• Commission, scope, and manage penetration tests (infrastructure, application, and where appropriate red team/social engineering), tracking findings through to remediation closure.
• Own attack surface management — maintain visibility of the firm’s externally exposed assets and services, identify unmanaged or unexpected exposure, and feed findings into the vulnerability management and pentest scoping pipeline.
• Conduct technical analysis of vulnerability and assessment data to produce actionable prioritisation recommendations, distinguishing between critical risk and noise.
• Work collaboratively with Production Services, engineering, and infrastructure teams to promote and track remediation — owning the reporting and assurance of remediation progress.
• Maintain and continuously improve vulnerability management tooling, processes, and SLA frameworks in line with the firm’s risk appetite.

Contributing Responsibilities

• Support ISO 27001, Cyber Essentials, SWIFT CSP, DORA, and NYDFS Part 500 compliance activities within areas of ownership, including evidence collection and control testing.
• Contribute to security incident response where technical expertise in vulnerability exploitation, application security, or network threat analysis is relevant.
• Support security awareness activities including specialist training content and targeted communication.

Qualifications

• Degree or equivalent professional experience in a relevant technical or security discipline.
• Professional certification — one or more of the following is desirable: CISSP, CISM, OSCP, CEH, GPEN, GWAPT, or equivalent.
• Additional certifications (AWS Security, AZ‑500, SC‑200) are a plus.
• Candidates with strong hands‑on experience and demonstrable technical capability will be considered regardless of formal certification.

Experience

• Minimum 7–8 years’ experience in information security roles, ideally with exposure to both technical delivery and governance functions.
• Demonstrable experience owning or managing a vulnerability management programme, including use of Tenable, Qualys, or equivalent scanning platforms.
• Experience commissioning, scoping, and managing penetration tests and tracking remediation to closure.
• Strong understanding of Secure SDLC frameworks (OWASP SAMM, BSIMM, or equivalent) and practical application security knowledge (OWASP Top 10, secure coding, security requirements).
• Experience conducting security risk assessments on projects, changes, or third‑party integrations.
• Excellent communication skills — able to engage technical teams, project managers, and senior stakeholders with equal clarity.

Desirable

• Experience in or with a PRA/FCA dual‑regulated financial institution.
• Working knowledge of ISO 27001, SWIFT CSP, DORA, NYDFS Part 500, or Cyber Essentials.
• Familiarity with attack surface management tooling or methodology.
• Hands‑on experience with Microsoft Defender for Endpoint, Sentinel, or equivalent security tooling.
• Innovative mindset with a genuine interest in the evolving threat landscape, including AI‑driven threats and offensive tooling developments.

Additional Information

Why Join Us?

• Be part of a small, agile, and collaborative team where your impact is direct and visible.
• Opportunity to work on cutting‑edge financial services and security projects.
• Competitive salary and benefits, including training and development support.
• Hybrid working arrangements and a culture that values innovation and initiative.

Benefits

• Hybrid working
• Contributory personal pension plan: minimum employee 2% and employer 7%; employer matches contributions in 1% increments up to employee 5% and employer 10%.
• Life assurance – four times annual salary
• Group income protection
• Private medical insurance – may include cover for partner and/or children at company cost. Cover includes optical, dental and audiology.
• Discretionary bonus
• Competitive annual leave
• Two volunteering days
• Benefit hub