Own end-to-end assurance across engagements. Establish risk-based assurance frameworks, coordinate audit programmes, and maintain living evidence of control effectiveness — feeding findings into vulnerability management backlogs and governance reporting rather than treating audits as point-in-time events.
Lead vulnerability management as a programme, not a process. Define the prioritisation framework — drawing on EPSS, KEV, CVSS, and asset criticality — set remediation SLAs, own the risk-acceptance register, negotiate remediation plans with IT operations and product teams, and report programme KPIs (MTTR by severity, backlog age, coverage, recurrence rate) to senior stakeholders.
Drive security into the team's normal rhythm. Embed threat modelling, secure code review, SAST, SCA, dependency policy, and container scanning into design and delivery cycles — making security a shared engineering responsibility rather than a specialist handover at the end of a sprint.
Navigate UK government security standards with confidence. Apply the NCSC Cyber Assessment Framework, GovAssure, Cyber Essentials, HMG Security Policy Framework, and relevant legislation (UK GDPR, NIS Regulations) proportionately across engagements — framing standards as guardrails that enable safe delivery, not barriers to it. Engage with government security communities and coordinate with departmental security teams.
Communicate security risk in terms that drive decisions. Report security posture, audit findings, and vulnerability programme performance to senior client stakeholders — tailoring the frame for the audience, showing trends over time, and structuring reports around the decisions the reader needs to make, not just the findings.
Set the standard for incident response and detection readiness. Drive adoption of incident response practices across engagements, own the IR-to-vulnerability-management feedback loop, and coordinate cross-team exercises including known-exploited-vulnerability scramble drills.
Grow the people around you. Mentor colleagues across the practice and at client organisations, pair on complex or unfamiliar assurance work, and create structured development opportunities — including for client engineers who may not yet have strong security habits.
Contribute to Made Tech's Cyber practice beyond delivery. Shape practice standards, contribute to hiring and calibration, build and share expertise externally, and help grow a security assurance community that raises capability across the organisation.
Requirements
Hold one of the following — Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) — or an equivalent senior audit and assurance credential.
Experience establishing and operating vulnerability management programmes at organisational scale — including risk-based prioritisation using EPSS, KEV, and asset criticality, and managing remediation across multiple delivery teams.
Evidence of leading compliance programmes against UK government frameworks — GovAssure, CAF, Cyber Essentials, HMG Security Policy Framework — in a complex multi-supplier or multi-team environment.
Experience conducting or coordinating security audits in UK public sector contexts, including producing formal findings and briefings for senior government stakeholders.
Working knowledge of exposure management beyond CVE-only approaches — incorporating misconfiguration, identity exposure, and attack-path analysis using cloud-native tooling (AWS Inspector, GuardDuty, Security Hub, or equivalents).
Experience assessing and assuring supply chain security — including third-party and vendor risk — and integrating supplier risk into wider assurance and governance programmes.
Experience building or shaping security assurance capability within a consultancy, programme delivery, or multi-client environment — including growing technical security skills in colleagues and client teams.
Evidence of acting as a trusted adviser to senior client stakeholders — anchoring security recommendations on client outcomes, challenging briefs constructively, and making security value visible rather than reporting activity.
Experience setting team ways of working in iterative delivery environments — establishing retrospective cadences, collaborative problem-solving norms, and pairing practices that spread security knowledge across the team.
Tech Stack
AWS
Cloud
Benefits
30 days holiday: we offer 30 days of paid annual leave.
Flexible working hours: we are flexible with what hours you work.
Flexible parental leave: we offer flexible parental leave options.
Remote working: we offer part-time remote working for all our staff.
Paid counselling: we offer paid counselling as well as financial and legal advice.
Lead Security Assurance Engineer at Made Tech | JobVerse