Security Engineer

About the London Metal Exchange and LME Clear

The London Metal Exchange is the world centre for industrial metals trading. Most of the world's global non-ferrous futures business is conducted on the LME's three trading platforms totalling $18 trillion, 178 million lots and 4 billion tonnes with a market open interest high of 1.8 million lots in 2024. All trades are cleared and settled by LME Clear. Participants can transfer or take on price risk against aluminium, copper, nickel, tin, zinc, lead, molybdenum, cobalt, lithium, steel scrap, rebar and hot‑rolled coil as well as alumina, aluminium premiums and alloys. The LME and LME Clear are HKEX Group companies.

Overall Purpose of Role

This role is an experienced‑level position within the Information Security team at the London Metal Exchange (LME), responsible for leading the secure design, delivery, and operation of infrastructure, applications, and identity and access management (IAM) across LME's platforms. The Senior Security Engineer serves as a subject matter expert, resolving complex technical and operational challenges by interpreting and applying security policies, guidelines, and best practices. The successful candidate will have ownership of one or more critical security processes, platforms, or products, and will be contributing to shaping LME's security posture. This includes driving automation, secure configuration management, and the integration and migration of security controls into cloud and on‑prem environments. The role also involves representing the Information Security function in cross‑functional projects, contributing to workflow redesign, and influencing strategic security initiatives.

Ideal candidates will bring 5+ years of experience in security engineering or DevSecOps, with a strong analytical mindset, deep technical expertise, and the capability to manage and drive multiple initiatives to completion, ensuring secure, scalable, and resilient outcomes.

Key Responsibilities:

• Security Engineering & Automation: Lead the deployment, configuration, and lifecycle management of enterprise security platforms such as SIEM, XDR, DLP, Email Security, and Endpoint Protection. Design and implement automation frameworks for security tooling, configuration, and updates using Python, PowerShell, Bash, or equivalent. Drive Infrastructure as Code (IaC) adoption using Terraform and Ansible, ensuring secure, scalable, and repeatable deployments. Define and enforce secure configuration baselines across Windows, Linux, and Kubernetes environments, aligning with regulatory and internal standards.
• Identity & Access Security: Engineer and manage identity and access solutions using SailPoint, Keycloak, Active Directory and CyberArk, enforcing least privilege and RBAC across hybrid environments. Automate Identity Access Management workflows and integrate identity governance into CI/CD pipelines and cloud‑native platforms. Own and continuously improve access review processes, onboarding/offboarding workflows, and privileged access controls. Ensure compliance with identity‑related policies and contribute to the evolution of IAM strategy and tooling.
• DevOps Integration: Lead the integration of security controls into CI/CD pipelines, including SAST/DAST, API security testing, secrets management, and policy enforcement. Collaborate with engineering and DevOps teams to embed security into build, release, and deployment processes. Design and implement secure, resilient infrastructure solutions that align with business and operational requirements.
• Operational Support: Provide expert‑level support for incident response, threat detection, and forensic analysis supporting tools such as SIEM, XDR and XSOAR. Support Red/Blue team exercises and coordinate engineering involvement during penetration testing efforts, understanding how to translate findings into actionable improvements of LME's security controls stack. Maintain and evolve security documentation, standards, and operational procedures. Participate in on‑call rotations and ensure continuity of security operations across critical infrastructure.

Qualifications Required:

University degree in Computer Science, Engineering, Information Systems, or a related STEM field. Preferred certifications: CISSP, GIAC, Microsoft SC‑200, AWS/Azure Security Specialty, CyberArk Defender, SailPoint IdentityNow, or equivalent.

Required Knowledge and Experience:

• 5+ years of hands‑on experience in security engineering, DevSecOps, or infrastructure security.
• Proven expertise in IAM platforms and protocols (SailPoint, CyberArk, LDAP, OAuth, SAML).
• Security automation and scripting (Python, PowerShell, Bash).
• Cloud platforms and CI/CD tools (AWS, Azure, Bitbucket, GitHub Actions).
• Security tooling (ArcSight SIEM, XSOAR, SonarQube, HSMs, EDR, DLP).
• Operating systems and container orchestration (Windows, Linux, Kubernetes).
• Network and security protocols (zScaler, Squid, TCP/IP, HTTPS, DNS, Firewalls, VPNs).

Personal Qualities:

• Strong analytical and problem‑solving skills with a proactive approach to complex challenges.
• Ability to lead and coordinate multiple concurrent security projects across teams.
• Effective communicator with excellent documentation and reporting habits.
• Detail‑oriented, adaptable, and committed to continuous improvement in a regulated, fast‑paced environment.
• Passionate about security engineering, automation, and protecting critical infrastructure.

The LME is committed to creating a diverse environment and is proud to be an equal opportunity employer. In recruiting for our teams, we welcome the unique contributions that you can bring in terms of education, ethnicity, race, sex, gender identity, expression and reassignment, nation of origin, age, languages spoken, colour, religion, disability, sexual orientation and beliefs. In doing so, we want every LME employee to feel our commitment to showing respect for all and encouraging open collaboration and communication.