Senior Cyber Security Consultant

Purpose

This is a senior, people focused role at the intersection of secure software engineering, application security, and enterprise cyber operations. You will lead the strategy and hands-on execution for AppSec across a broad technology stack, partner with engineers to remediate complex vulnerabilities (first party code and third-party libraries), run and improve offensive security and vulnerability management practices, and ensure alignment with ISO 27001, CE+, SOC2 and internal standards. A core expectation is to coach and upskill teams, embedding security by design and accelerating safe delivery.‑focused role‑on execution‑party code and third‑party libraries), run and improve offensive security and vulnerability management practices, and ensure alignment with

Key Responsibilities

• AppSec program uplift: SAST/DAST/SCA standardised and embedded across CI/CD with clear policies, SLAs and reporting.
• Risk reduction: Demonstrable reduction in critical/high vulnerabilities in products and platforms; time‑to‑remediate improved quarter‑on‑quarter.
• Developer enablement: Training programme launched (secure coding, threat modelling, vuln triage), with >90% adoption in priority teams.
• Zero-day readiness: Playbooks defined and tested; cross functional warroom capability established.‑day readiness:‑functional ‑room
• Governance: Metrics and KPI/KRI dashboards in place for exec and board‑level reporting.

Core Responsibilities

1) Strategy & Leadership

• Own the application security strategy and roadmap across products and platforms, aligned to business risk and compliance obligations (e.g., ISO 27001, NIST).
• Work with Group Architect to set and govern secure SDLC standards.
• Influence senior engineering leadership on security architecture decisions, backlog prioritisation, and risk acceptance.

2) Application Security Engineering

• Lead and mature SAST, DAST, SCA usage (e.g., Mend for SCA; equivalent SAST/DAST tools), with policy‑as‑code and pipeline gating where appropriate.
• Conduct lightweight threat modelling and design reviews for new features and critical services (APIs, microservices, containers, serverless).
• Guide and unblock remediation of complex vulnerabilities in first party code and third-party libraries, providing developer ready fixes and patterns.‑party code‑party libraries‑ready fixes and patterns.
• Design and deliver a hands-on security training programme (secure coding, threat modelling, cloud AppSec, vuln triage) working closely with the Group Architect and Application Security Engineers‑on security training programme

3) Offensive Security & Vulnerability Management

• Direct and coordinate penetration testing (internal or partnerled); define scope, success criteria, and exec level reporting.‑led); define scope, success criteria, and ‑level reporting
• Validate findings (false positives/negatives), and partner with product/infrastructure teams to track remediation to closure.

4) Zero‑Day & Incident Readiness

• Lead the response to zero‑day events affecting our stack: assess exposure, coordinate mitigations, communication, and after‑action reviews.
• Support security incident investigations; ensure escalation paths and evidence handling align with policy and legal requirements.
• Lead tabletop exercises alongside incident response partners to ensure the effectiveness of Causeway’s Cyber Incident Response Plan.

5) Governance, Risk & Compliance

• Provide security input to policies, standards, and customer/security questionnaires.
• Report risk posture regularly to the Head of GRC and senior IT leadership; contribute to Compliance Management Forum.
• Ensure controls remain effective and audit‑ready for ISO 27001 and related frameworks.
• Provide expertise in customer-led security reviews and audits, demonstrating the effectiveness of security controls across Causeway products.

6) DevSecOps Tooling & Platform Enablement

• Administer and optimise AppSec and vulnerability tooling (e.g., Mend SCA, Qualys/Tenable, Defender for Endpoint), integrated into CI/CD and developer workflows (e.g., Git, build systems, ticketing such as Jira).

Key Skills, Experience and Qualifications

Technical & Engineering

• Proven background in software engineering (e.g., .NET, Java, JavaScript/TypeScript, Python) and secure coding practices.
• Strong experience operating and integrating SAST/DAST/SCA and AppSec controls into CI/CD.
• Understanding of modern architectures: APIs, microservices, containers (Docker/K8s), serverless, secrets management, identity and access.

Offensive Security & Vulnerability Ops

• Hands‑on with penetration testing methods and tooling (e.g., OWASP, Burp Suite, ZAP); able to set test charters and interpret results.
• Practical experience with vulnerability scanners and endpoint/cloud security platforms (Qualys/Tenable, Defender for Endpoint), plus asset/coverage hygiene.
• Skilled at triage and risk framing, mapping to business impact and SLAs.

Cloud & Platform

• Experience securing workloads in AWS, Azure and/or GCP; multi‑cloud exposure preferred.
• Familiar with cloud‑native controls (e.g., identity, networking, container security, posture management).
• Experience in optimisation of perimeter security (WAF/API Security/Bot Protection).

Governance & Standards

• Working knowledge of ISO 27001, NIST controls, CE+, SOC2 and secure SDLC/DevSecOps practices.
• Comfortable producing metrics, KPIs/KRIs, and executive reporting.

Soft Skills (Senior)

• Influential communicator—able to translate complex security issues into clear decisions for engineering and leadership.
• Coach/mentor mindset; proven track record of uplifting teams.
• Pragmatic, solutions oriented, and comfortable owning outcomes in ambiguous environments.‑oriented, and comfortable

Qualifications (Nice to Have)

• Relevant certs such as OSCP, GWAPT/GWEB, CSSLP, CISSP, CISM, or cloud security (e.g., AWS Security Specialty, AZ‑500).
• Evidence of building/running training programmes or Security Champions networks.

Tools & Technologies

• SCA: Mend (preferred), Snyk, etc.
• SAST/DAST: SonarQube/ Burp Suite/ZAP.
• Vulnerability Management: Tenable; Defender for Endpoint
• Pipelines & Dev: GitHub/GitLab/Azure DevOps; Jira; IaC (Terraform), containers/K8s.
• Web Application Firewalls