Barclays · 4 days ago

Head of Security Architecture and Engineering - CISO function - BPL

On-site · Canary Wharf, England, United Kingdom

Type: Full Time
Level: Senior Level
Education: Not Specified
Company size: Enterprise

Job Summary

The Head of Security Architecture and Engineering leads the pillar responsible for designing and building the security foundations of the cloud-native platform. This role owns the security reference architecture, cloud security posture, identity and access management strategy, data security (including tokenisation and encryption), and the technical standards that the entire engineering organisation builds upon. The pillar operates as an internal platform team delivering self-service security capabilities, automated guardrails, and hardened defaults to enable product teams to build securely by default. The ideal candidate is a technically deep security leader who can set architectural direction, make pragmatic engineering trade-offs, and build a team that earns the trust of platform and product engineers.

Responsibilities include:

  • Defining and owning the security reference architecture for the cloud-native platform
  • Owning CSPM strategy
  • Setting security technical standards
  • Leading IAM and zero-trust strategies
  • Driving data security and tokenisation practices
  • Chairing the Security Architecture Board
  • Ensuring guardrails are implemented as code
  • Publishing secure base images and patterns
  • Collaborating with Platform Engineering
  • Advising on security strategy
  • Supporting PCI DSS compliance from an architectural perspective

The role also entails managing and developing a security architecture and engineering team, delivering key artifacts (architecture documents, policy libraries, RBAC models, encryption standards), and presenting to senior leadership.

Required Qualifications

  • AWS Security Specialty or GCP Professional Cloud Security Engineer or equivalent cloud security certification
  • Significant FinTech or PayTech/Payments Acquiring experience
  • CISSP-ISSAP (Architecture concentration), SABSA, or TOGAF certification
  • Kubernetes security certifications (CKS)
  • Experience with zero-trust architecture implementation (BeyondCorp, ZTNA)
  • Experience with service mesh security (Istio, Linkerd) and mTLS at scale
  • Published security architecture patterns, conference presentations, or thought leadership
  • Several years of progressive experience in security engineering or security architecture with leadership experience
  • Hands-on experience with at least one major cloud provider (AWS or GCP) at an architectural level (IAM, networking, encryption services, logging, security-specific services)
  • Strong understanding of cloud-native architectures (containers, Kubernetes, microservices, service mesh, serverless, event-driven) and security implications
  • Experience designing security guardrails as code (OPA/Rego, Terraform Sentinel, policy engines)
  • Understanding of cryptographic principles and tokenisation, HSM/KMS key management, PCI DSS concepts
  • Ability to communicate architectural decisions to technical and non-technical stakeholders
  • Understanding of PCI DSS from an architectural perspective (network segmentation, CDE scope, encryption, logging, access control)
  • Identity architecture knowledge: OAuth 2.0, OpenID Connect, SAML, SCIM, workload identity federation
  • Infrastructure-as-code practices (Terraform, CloudFormation, Pulumi) and CI/CD pipeline architecture