Lead Cloud Security Engineer

As the living, growing home of our national story, The National Archives is already a special place to work. We’re an institution nearly 200 years old with a collection spanning 1,000 years of history. But it’s where we go next that makes things really interesting. In our strategic vision: Archives for Everyone, we set ourselves the challenge of becoming the 21st Century national archive – a different kind of cultural and heritage institution: Inclusive, Entrepreneurial, Disruptive. We won’t become this overnight. It will take time, focus, effort and daring. That’s where you come in. Because we can’t do this without you.

Our digital services support preservation and access at scale – and securing our systems means protecting history itself. We are seeking cyber professionals with hands‑on technical skills and a passion for protecting data and infrastructure that underpins national memory. Join us and be part of a unique, purposeful mission.

As the Lead Cloud Security Engineer, you will lead TNA wide initiatives to protect digital assets, data and cloud infrastructure from ever evolving threats. The role demands deep technical expertise, leadership in secure by design implementation and architecture governance, and the ability to influence decisions across departments and external suppliers. You will be accountable for the design, implementation and continuous improvement of multi‑cloud security frameworks (AWS, Azure and other environments), aligned with government standards and resilient to emerging risks. Your work protects critical information from malicious attacks, accidental loss and unauthorised access.

Reporting to the IT Security & Information Assurance Manager, you will own the “how” of secure cloud delivery across TNA – translating policy objectives into actionable technical standards, guardrails and patterns, and making the implementation decisions that ensure they are adopted effectively. You will chair a virtual Technical Design Authority (TDA) to embed secure by design practices across AWS, Azure and other cloud environments, define technical standards and roadmaps to reflect the desired cyber security posture and remain hands‑on engineering solutions, codifying controls and leading complex investigations. Through the TDA you hold decision rights to set guardrails and approve exceptions across directorates, combining technical authority, governance leadership and practical delivery to keep TNA’s systems secure, compliant and cost‑efficient.

As Lead Cloud Security Engineer, you will spearhead strategic decision‑making and shape the overall security posture of our cloud infrastructure. You’ll collaborate closely with cross‑functional teams across The National Archives to define security architecture, evaluate emerging technologies, and establish work practices and technologies that align with business objectives and regulatory requirements. Leveraging deep expertise in cloud platforms and threat landscapes, you’ll guide the selection and implementation of security controls, drive risk assessments, and lead incident response planning. Your leadership will ensure that security is embedded into every stage of cloud adoption and operations, fostering a culture of proactive defence and continuous improvement.

This is a full‑time post. However, requests for part‑time working, flexible working and job share will be considered, taking into account at all times the operational needs of the Department. A combination of onsite and home working is available and applicants should be able to regularly travel to our Kew site for a minimum of 60% of their work time.

Application Process

• Interviews will be held on‑site at The National Archives in Kew.
• We ask all applicants to submit work history details and a personal statement, not exceeding 1200 words.
• Selection for interview will be based on the ‘essential’ requirements in the job description below so please ensure that your statement demonstrates in detail how you meet these requirements.

SC clearance/willingness to obtain SC clearance will be required for this role. This requires candidates to have been resident in the UK for at least the past three years. Please do not apply if you have been resident in the UK for less than three years as your application will be rejected.

Role and Responsibilities

• Secure Design & Implementation: Define and enforce technical standards, roadmaps and guardrails, reference architectures and patterns for secure cloud delivery across AWS, Azure, on‑premises systems and SaaS platforms. Implement and maintain policy as code and IaC controls (e.g., Terraform); integrate security into CI/CD pipelines. Harden IAM, tune CSPM policies, develop Sentinel and Wiz queries, and lead complex incident response, automation and root cause remediation.
• Governance & Influence: Chair the virtual TDA – approve guardrails and exceptions; standardise threat‑modeling and design review processes. Influence architectural decisions across directorates; advise senior stakeholders on risk and technical trade‑offs.
• Cost Efficiency: Drive cost efficiencies across the security tooling portfolio (e.g., Wiz, Microsoft Defender/Sentinel, CI/CD security tools): optimise licensing, remove duplication, benchmark value and recommend investment/disinvestment options to the Head of IT Operations (budget holder).
• Leadership & Development: Provide technical and thought leadership to both internal and external stakeholders and mentoring across teams; build security engineering communities of practice. Influence and negotiate with technical and business stakeholders and drive adoption of good security practices across the organisation and suppliers.

Person Specification

• Significant expert knowledge of cloud security in either AWS or Azure, with proven experience leading cross‑organisation security initiatives.
• Demonstrable experience in architecture governance (guardrails, patterns, exceptions) and standardising threat modelling.
• Strong hands‑on engineering skills: IaC, CI/CD security, IAM hardening, CSPM tuning, incident response.
• Ability to drive cost efficiencies and make evidence‑based recommendations.
• Technical expertise in the following tech stack: AWS, Azure, Microsoft 365, GitHub, Kubernetes, Terraform, Linux, JAMF, Sentinel and Defender for Endpoint.
• Experienced in excellent communication and able to influence up to senior leadership, delivering complex technical concepts and summarising complicated events to senior stakeholders up to and including board level.

• Relevant certifications (AWS/Azure Security, CISSP, CCSP).
• Experience of external engagement in security communities.

Benefits

Generous benefits package, including pension, sports and social club facilities, onsite gym, discounted rates at our on‑site cafe and opportunities for training and development. Annual leave entitlement of 25 days per calendar year (rising to 26 days after 2 years’ service, and incrementally to 30 days after six years) and 10½ days public and privilege holidays per annum.

Selection process details

Reasonable adjustments: If a person with disabilities is put at a substantial disadvantage compared to a non‑disabled person, we have a duty to make reasonable changes to our processes. If you need a change to be made so that you can make your application, you should contact The National Archives via careers@nationalarchives.gov.uk as soon as possible before the closing date to discuss your needs.

Security: Successful candidates must pass a disclosure and barring security check. People working with government assets must complete basic personnel security standard checks.

Nationality requirements: This job is broadly open to the following groups: UK nationals, Nationals of Commonwealth countries who have the right to work in the UK, Nationals of the Republic of Ireland, Nationals from the EU, EEA or Switzerland with settled or pre‑settled status or who apply for either status by the deadline of the European Union Settlement Scheme (EUSS).

Working for the Civil Service: The Civil Service Code sets out the standards of behaviour expected of civil servants. We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission's recruitment principles. The Civil Service embraces diversity and promotes equal opportunities.

Contact point for applicants: Name: The National Archives Recruitment Team Email: careers@nationalarchives.gov.uk