
Secure Design Lead

Job in Newcastle upon Tyne, Newcastle, Tyne and Wear, SY7, England, UK
Listing for: 慨正橡扯
Full Time position
Listed on 2026-05-26
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Security Manager
Salary/Wage Range or Industry Benchmark: 60000 - 80000 GBP Yearly
Job Description & How to Apply Below
Position: Secure by Design Lead
Location: Newcastle upon Tyne

Key Responsibilities

Secure by Design Leadership
  • Lead Secure by Design discovery and assessment activities across digital services and portfolios.
  • Provide Secure by Design risk and security assurance functions within MOD/Public Sector accounts.
  • Define pragmatic security control expectations aligned to service context and business risk appetite.
  • Coach delivery teams to adopt secure working practices in Agile and iterative environments without impeding delivery speed.
Risk Assessment & Threat Modelling
  • Conduct cyber risk assessments using NIST 800-30/37 (rev. 5), ISO 27005, and the NIST Cyber Security Framework (CSF).
  • Perform threat modelling using STRIDE, attack trees, and other contemporary analytical methods.
  • Identify vulnerabilities, threats, impacts, and control gaps to inform risk treatment decisions.
  • Carry out technical and control-based risk assessments, incorporating outcomes of architecture reviews and testing activities.
Risk Treatment & Remediation Planning
  • Develop actionable, prioritised risk remediation plans, including responsibilities, timelines, and mitigation steps.
  • Provide pragmatic and business‑aligned risk remediation guidance, balancing operational needs with security obligations.
  • Work closely with risk owners and technical leads to negotiate and agree treatment strategies.
Governance, Assurance & Reporting
  • Support governance and assurance forums by articulating risk, mitigation options, and residual exposure.
  • Produce concise, informative documentation including:
    • Risk assessment reports
    • Threat modelling outputs
    • Vulnerability and control analysis
    • Residual risk statements
    • Secure by Design compliance evidence
  • Validate that required control patterns, assurance activities, and security testing have been completed.
Stakeholder Collaboration & Workshops
  • Facilitate security, risk, and threat modelling workshops with multi‑disciplinary teams and Authority stakeholders.
  • Engage with business and technical stakeholders to ensure alignment with broader transformation goals and regulatory requirements.
  • Work with MOD/Public Sector teams to ensure security expectations and compliance obligations are met.
Compliance & Evidence Production
  • Identify, collect, and review evidence demonstrating compliance with Secure by Design principles.
  • Produce documentation including:
    • Risk assessments
    • Security testing results
    • Evidence packs for Secure by Design compliance
    • Residual risk reports
Leadership, Coaching & Knowledge Sharing
  • Mentor junior consultants, technical specialists, stakeholders, and programmes across multiple business units.
  • Produce and deliver awareness sessions on Secure by Design, secure development, governance, and best practice.
  • Promote a culture of continuous security improvement.
Skills & Experience Required

Essential
  • Eligibility for UK security clearance
  • Proven experience leading Secure by Design across portfolios or multiple digital services.
  • Strong experience supporting MOD, Defence, or UK Public Sector clients.
  • Deep expertise in cybersecurity risk frameworks including:
    • NIST 800-30/37
    • ISO 27005
    • NIST CSF
  • Demonstrated ability to facilitate structured threat modelling (STRIDE, attack trees).
  • Highly skilled in producing clear, concise, decision‑focused reporting for senior stakeholders.
  • Strong capability in running governance, risk, and assurance activities.
  • Experience working with Agile, DevOps, and multi‑disciplinary delivery teams.
  • Excellent stakeholder management and communication skills.
  • Experience in Secure by Design frameworks used within Defence and Government.
  • Knowledge of MOD security governance, assurance, and accreditation processes.
  • Background in risk consultancy or security assurance.
  • Certifications such as CISM, CRISC, CISSP, SABSA, CCP, or equivalent.
What You Will Deliver
  • Secure by Design discovery assessments and control expectations.
  • Threat models, risk assessments, vulnerability analyses.
  • Risk remediation action plans with clear owners and timelines.
  • Concise assurance documentation and residual risk reports.
  • Secure by Design compliance evidence aligned to programme and Authority requirements.
  • Clear risk recommendations supporting decision‑making and governance.