Security Architect in Sheffield

Dev/Null Security is a leading cybersecurity consultancy specializing in security solution architecture, engineering, implementation, and operational support. With decades of experience, our expert teams protect high-value systems from advanced threats. We provide exceptional consulting services and deliver value at every step, focusing on Strategy and Advisory, Consulting and Managed Services, and Privileged Access Management. Dev/Null Security is dedicated to safeguarding critical assets and helping clients navigate complex cybersecurity challenges.

Purpose of the Role

The Cyber Security Architect is responsible for defining, governing, and continuously improving the architecture of the organisation's cybersecurity assessment capabilities. This means owning the strategic direction of tooling, processes, and integration patterns and ensuring those capabilities translate into meaningful, actionable risk intelligence for the business. The role is architectural and advisory in nature. The successful candidate sets direction, defines standards, and provides expert guidance on tools and services; they do not deliver hands‑on assessment or testing activity themselves. The emphasis is on enterprise‑scale thinking, stakeholder engagement, and the ability to translate capability requirements into coherent, implementable architecture.

Key Responsibilities

• Define and maintain the security architecture for cybersecurity assessment capabilities, including tool selection, integration patterns, data flows, and coverage models across Exposure Management, Offensive Security, and Code Assessment.
• Lead the design and implementation of Exposure Management capabilities, including External Attack Surface Management (EASM), continuous vulnerability scanning, configuration baseline assessment, and risk‑based prioritisation frameworks.
• Design and embed Code Assessment capabilities within existing Software Development Lifecycle (SDLC) processes, covering Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Runtime Application Self‑Protection (RASP), and Software Composition Analysis (SCA).
• Translate technical vulnerabilities and assessment findings into material business risk, with clear communication suitable for technical and non‑technical audiences, including senior leadership.
• Develop and maintain architecture strategies, roadmaps, and design patterns for cybersecurity assessment capabilities, ensuring alignment with the broader enterprise security architecture.
• Work with solution architects and engineering teams across business units and functions to apply secure‑by‑design practices and embed cybersecurity assessment tooling within delivery pipelines.
• Conduct threat modelling and complex risk assessments to support new technologies, platforms, and design patterns across the organisation.
• Review and recommend enhancements to security standards, controls, and policies related to assessment and testing.
• Provide security subject matter expertise to transformation programmes across business units and functions, ensuring security risk is correctly identified and factored into design decisions from the outset.
• Support the education and development of solution architects and engineering teams to improve their awareness and application of security testing practices.

Experience Required

• Demonstrable experience designing and architecting cybersecurity assessment capabilities in a large enterprise environment, covering at minimum two of the three domains: Exposure Management, Offensive Security, or Code Assessment.
• Experience implementing and supporting vulnerability management capabilities at enterprise scale, including vulnerability scanning, centralised reporting, and configuration baseline assessment.
• Experience designing and integrating application security testing tools (SAST, DAST, IAST, RASP, SCA) within SDLC processes, including CI/CD pipelines.
• Experience architecting offensive security programmes, including scoping, methodology definition, toolchain selection, and integration with remediation workflows.
• Experience with External Attack Surface Management (EASM) and continuous exposure monitoring — understanding how to translate asset discovery and exposure data into prioritised risk.
• Ability to translate complex technical findings into business risk terms, with experience presenting to senior technical and non‑technical stakeholders.
• Experience creating architecture strategies, roadmaps, and design patterns and presenting them to diverse audiences.
• Experience performing threat modelling and risk assessments to support new technology adoption or design pattern development.
• Strong understanding of cloud security across at least one major platform (AWS, Azure, or GCP), including how cybersecurity assessment capabilities apply in cloud‑native and hybrid environments.
• At least eight years of relevant technical experience, including experience working in a large corporate or regulated environment.
• University degree in a technical discipline, or equivalent experience.
• Relevant industry certifications (OSCP, CREST, CEH, CISSP, or equivalent).
• Familiarity with standard IT engineering and architecture frameworks (TOGAF, SABSA, or equivalent).
• Experience with Purple Team operations and the integration of offensive testing findings into defensive capability improvement.
• Familiarity with risk quantification frameworks (CVSS, EPSS, or proprietary models) and how they support prioritisation at scale.
• Experience working in a federated global organisation with distributed technology teams.
• Ability to work efficiently under pressure with tight timelines across globally distributed teams.

Additional Information

The success of cybersecurity assessment architecture will be measured not only by what is delivered, but by how effectively those capabilities are adopted, integrated, and used to reduce real risk across the organisation. The ideal candidate is technically credible, comfortable working across organisational boundaries, and able to operate effectively in a federated environment where influence matters as much as authority.

The role requires:

• A collaborative, team‑oriented approach with a genuine willingness to share knowledge and develop others.
• Openness to constructive challenge and the ability to give clear, direct feedback in return.
• A self‑starting attitude with the drive to move work forward without waiting for direction.
• Intellectual curiosity and a commitment to staying current across a fast‑moving threat and tooling landscape.

Working at DevNull Security

Whilst DevNull Security is a remote‑first company, our consulting team may be required to travel to client sites up to three times per week, depending on project and customer needs. We believe that a career in cybersecurity should be accessible to everyone. We actively welcome applicants from all walks of life, regardless of race, ethnicity, gender identity, age, sexual orientation, disability, neurodiversity, socioeconomic background, or any other aspect of identity. As a growing company, we’re committed to fostering an inclusive, equitable, and accessible hiring experience. We proactively offer adjustments during application and assessment - tell us what you need.