Principal Security Engineer

Our client, a leading global supplier for IT services, requires Principal Security Engineer to be based at their client's office in London, UK.

This is a hybrid role - you can work remotely in the UK and attend the London office 4 days per week.

This is a 6+ month temporary contract to start ASAP.

Day rate: Competitive Market rate

Senior hands-on secure engineer responsible for secure-by-design and operational security across the programme. Validate every delivery activity from a cyber security perspective - from threat model at requirements capture, through architecture and design approval, build assurance, security testing, live validation, hyper-care, and operational handover to BAU and external assurance. The principal authority on threat modelling, control validation, and security evidence across the CIS Controls v8.1 IG3 scope.

Key Responsibilities

  • Operate as senior cyber architect and SME within the programme's structured operating model - actively engaged from requirements capture through to BAU handover, owning Definition-of-Done evidence at every gate.
  • Break down each Master Programme Plan activity into discrete People/Process/Technology tasks viewed through a cyber security lens - define the validation and assurance criteria, embed them as DoD acceptance criteria, and evidence them before status can advance.
  • Requirements: author threat model v1, control intent statement, and compensating controls; validate requirements against current operational baseline and monitoring posture.
  • Architecture (LEAD): author security architecture, safeguard mapping, and trust boundaries; approve the threat model; chair Security Council review of the architecture pack.
  • Design (LEAD): approve detailed security design, evidence template, and telemetry specification; validate operational controls in the design; confirm evidence-capture feasibility before build commences.
  • Build: run periodic build-vs-design reviews, architecture drift checks, and re-approve changes; configure operational controls, prepare security testing, support agent rollout, validate log feeds.
  • Test (LEAD): sign off that the security architecture is proven by test evidence; revalidate the threat model; lead security testing, penetration testing, control validation, and evidence pack creation.
  • Deploy: provide production architecture sign-off; confirm final control mapping in Continuous Control Monitoring (CCM); run live security validation, monitoring tuning, alert calibration, and IR playbook readiness.
  • Hyper-care (LEAD): address security-architecture defects, approve in-warranty changes; lead control monitoring and tuning; produce security evidence and establish Key Risk Indicator (KRI) baselines.
  • Handover: hand architecture over to the Security Council, lodge the final threat model, ensure the CCM tile goes live; transition operational controls to L1 SOC operations with a complete evidence pack to external assurance.
  • Liaise directly with external assurance providers on threat-model defensibility, control effectiveness, and evidence chain across the CIS Controls v8.1 IG3 scope.
  • Chair or jointly chair the Security Council review at the architecture stage gate; participate in TDA decisions at the design stage gate.
  • People: Lead security engineering across the programme; senior peer to Security Solution Architects, Cyber Operations, and the MSSP L1 SOC interface.
  • Process: Embed structured operating-model discipline into every security validation and assurance step; Definition-of-Done evidence at every gate, no exceptions.
  • Technology: Deliver secure-by-design as built; personally sign off every architecture and operational handover, with an audit-traceable evidence chain from threat model to live monitoring.

Key Requirements

Essential Skills:

  • 12+ years cyber engineering and security architecture experience at enterprise scale.
  • 5+ years hands-on security design AND validation - comfortable both as architect (design authority) and as engineer (hands-on implementer).
  • Direct experience with CIS Controls v8.1, NIST CSF, ISO 27001/27002 control frameworks.
  • Threat modelling at scale - proven authorship using STRIDE, MITRE ATT&CK, OWASP - across multiple in-scope controls.
  • Hands-on penetration testing, security testing, and control validation track record.
  • Workflow discipline - operates comfortably within Definition-of-Done, evidence-at-gate frameworks.
  • Exceptional executive-level interactions, presentation, and engagement - proven ability to influence CISO, Security Council, External Assurance, and cross-functional senior stakeholders across Procurement, Architecture, and Technology heads.
  • Retail or large dispersed-estate enterprise experience strongly preferred.
  • CISSP (Certified Information Systems Security Professional).
  • One of: CISM, CISA, CCSP, SABSA Practitioner, or CRISC.
  • One penetration-testing certification: OSCP, GIAC GPEN, or CEH (or equivalent demonstrable experience).

Tooling & Methodology Proficiency:

  • Hands-on with leading enterprise PM tools - Jira, Azure DevOps, MS Project, or equivalent - and willing to adopt (the programme's tool) on the job at senior architect and SME level.
  • End-to-end Agile delivery - Scrum/Kanban - combined with deep hands-on DevSecOps practice (security gates embedded in CI/CD).
  • SAFe PI Planning participation as the cyber security representative.
  • Executive-grade MS PowerPoint - Security Council paper authoring, threat-model presentation, design narrative for Programme Board.
  • Advanced dashboards and modelling - one or more of Advanced MS Excel, PowerBI, Python, or Copilot - for KRI baselines, control-effectiveness analytics, and risk reporting.
  • Budgeting awareness - security control cost shaping and total-cost-of-ownership analysis.

Desirable Skills:

  • Direct hands-on experience at senior architect/SME level.
  • Practical DevSecOps Foundation or SANS GIAC GCSA.
  • SABSA for Architects.
  • Microsoft Threat Modeling Tool/OWASP Threat Dragon authorship.
  • PowerBI Data Analyst (PL-300) for KRI and risk dashboards.
  • CompTIA CASP+ or PenTest+.
  • GIAC GCIH, GCFA, GCIA, or GREM.
  • AWS Security Specialty or Azure Security Engineer/Security Architect Expert.
  • BMC Helix Certified Professional (SecOps).
  • ISO 27001 Lead Auditor or Lead Implementer.
  • TOGAF 9.2 awareness.

Due to the volume of applications received, unfortunately we cannot respond to everyone.

If you do not hear back from us within 7 days of sending your application, please assume that you have not been successful on this occasion.

Job Details

Company
Project Recruit
Location
London, United Kingdom
Hybrid / Remote Options
Employment Type
Contract
Salary
GBP Annual
Posted