Senior DevSecOps - Cyber Security (Consulting) in London

Company Overview

CTSH is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey, the company has over 340,000 employees as of January 2025. CTSH is a member of the NASDAQ-100, the S&P 500, the Forbes Global 1000, and the Fortune 500, and is ranked among the top performing and fastest growing companies in the world.

Role Summary

We are seeking a Senior DevSecOps / Security Consultant to assess, embed and uplift security practices across our client’s software delivery lifecycle. This is a security-first role. The candidate comes from a cyber security background, not a developer who has pivoted into security, and will spend time advising and coaching engineering squads to help them design, build and operate platforms securely by default.

The role is not about deploying a new security toolchain from scratch. The client already has tooling in flight; the job is to make it land. That means running a structured maturity assessment, prioritising what matters, embedding existing tools properly into developer workflows, and coaching teams to use them well. The candidate will be the bridge between Information Security and Engineering, moving the client beyond point-in-time audits toward a continuous, automated, shift-left model.

Responsibilities

• Run the DevSecOps Maturity Assessment – Conduct a comprehensive, evidence-based audit of the client’s current DevSecOps capabilities against recognised industry frameworks.
• Assess the adoption, configuration and effectiveness of existing controls across SAST, SCA, DAST, IaC scanning, container security and secrets management.
• Engage stakeholders across engineering, platform, InfoSec and product to gather both qualitative inputs and quantitative evidence.
• Score each product line against SAMM business functions and produce a clear maturity scorecard.
• Produce a prioritised 12-month roadmap, sequenced by risk reduction, delivery effort and developer impact.
• Re-baseline maturity periodically so progress is measurable and defensible to senior stakeholders.
• Embed Existing Security Tooling into Developer Workflows – Take the tools the client has already invested in and make them genuinely useful.
• Tune signal-to-noise ratio aggressively.
• Refine CI/CD security gates.
• Improve the developer experience of existing controls.
• Curate and maintain a library of secure CI/CD reference patterns.
• Coach and Enable Engineering Teams – Embed with developer squads as their trusted security partner.
• Run secure-coding clinics, brown-bag sessions and pairing sessions.
• Translate vulnerability findings into clear, contextualised remediation guidance.
• Champion a security as an enabler culture.
• Develop enablement materials such as playbooks, cheat sheets and onboarding guides.
• Lead Threat Modelling and Secure Design – Facilitate threat-modelling sessions at the design phase of new services.
• Produce lightweight, developer-friendly threat models and secure design patterns.
• Identify abuse cases, trust boundaries and data-flow risks early.
• Advise on secure-by-default choices for cloud-native workloads.
• Track Metrics, Governance and Progress – Define and track meaningful KPIs.
• Use metrics to evidence movement against the maturity roadmap.
• Ensure controls remain aligned with internal security standards.

Qualifications

• Background and Mindset – A security professional first.
• Comfortable in code – you read pipelines, IaC and application code fluently.
• Pragmatic, collaborative and delivery-minded.
• Essential Skills and Experience – Demonstrable experience running DevSecOps or AppSec maturity assessments.
• A track record of embedding security tooling into existing developer workflows.
• Working knowledge of CI/CD security tooling and platforms.
• Solid grounding in container and cloud workload security.
• Experience facilitating threat-modelling and secure design workshops.
• Familiarity with OWASP, NIST and MITRE ATT&CK.
• Strong communication skills.

Desirable

• Industry certifications such as CISSP, CCSP, CSSLP, CCSK or equivalent.
• Exposure to policy-as-code and supply-chain tooling.
• Awareness of AI / LLM application security concerns.
• Prior consulting experience.

Expected Deliverables

• A formal DevSecOps Maturity Assessment Report.
• A prioritised 12-month Shift-Left Implementation Roadmap.
• A library of Secure CI/CD Reference Patterns.
• Developer enablement materials.
• A live Security Metrics view evidencing progress against the maturity roadmap.

Engagement Details

Hybrid working, with on-site presence at the client location as required by the engagement.