Lead Security Assurance Engineer
Listed on 2026-07-06
-
Security
Cybersecurity
Made Tech helps UK government and public sector organisations build better digital services — and security is central to that mission. As a Lead Security Assurance Engineer in our Cyber practice, you'll be the most senior security assurance voice on client engagements, setting the technical direction for how organisations identify, assess, and respond to security risk. You'll work across complex government programmes where the stakes are real: services that affect citizens, systems that hold sensitive data, and teams that need to move quickly without cutting corners.
This isn't a role where you sit at the edge of delivery reviewing outputs. You'll be embedded in multidisciplinary teams, shaping how security assurance is woven into everyday engineering work — from threat modelling at design time to control testing in production. You'll build trusted relationships with client security teams, senior stakeholders, and government security communities, translating between technical findings and the risk decisions that senior leaders need to make.
You'll bring the judgement to know when a full ISO 27001 governance programme is appropriate and when a lighter‑weight approach serves the engagement better.
At Lead level, your impact extends beyond the immediate team. You'll establish assurance frameworks and standards across engagements, grow the security capability of the people around you — colleagues and client staff alike — and contribute to how Made Tech's Cyber practice develops as a community. If you're someone who builds capability rather than gatekeeping decisions, who treats security as an engineering concern rather than a compliance exercise, and who cares about leaving client teams genuinely stronger than you found them, this role is for you.
Keyresponsibilities
- Own end-to-end assurance across engagements. Establish risk‑based assurance frameworks, coordinate audit programmes, and maintain living evidence of control effectiveness — feeding findings into vulnerability management backlogs and governance reporting rather than treating audits as point‑in‑time events.
- Lead vulnerability management as a programme, not a process. Define the prioritisation framework — drawing on EPSS, KEV, CVSS, and asset criticality — set remediation SLAs, own the risk‑acceptance register, negotiate remediation plans with IT operations and product teams, and report programme KPIs (MTTR by severity, backlog age, coverage, recurrence rate) to senior stakeholders.
- Drive security into the team's normal rhythm. Embed threat modelling, secure code review, SAST, SCA, dependency policy, and container scanning into design and delivery cycles — making security a shared engineering responsibility rather than a specialist handover at the end of a sprint.
- Navigate UK government security standards with confidence. Apply the NCSC Cyber Assessment Framework, Gov Assure, Cyber Essentials, HMG Security Policy Framework, and relevant legislation (UK GDPR, NIS Regulations) proportionately across engagements — framing standards as guardrails that enable safe delivery, not barriers to it. Engage with government security communities and coordinate with departmental security teams.
- Communicate security risk in terms that drive decisions. Report security posture, audit findings, and vulnerability programme performance to senior client stakeholders — tailoring the frame for the audience, showing trends over time, and structuring reports around the decisions the reader needs to make, not just the findings.
- Set the standard for incident response and detection readiness. Drive adoption of incident response practices across engagements, own the IR‑to‑vulnerability‑management feedback loop, and coordinate cross‑team exercises including known‑exploited‑vulnerability scramble drills.
- Grow the people around you. Mentor colleagues across the practice and at client organisations, pair on complex or unfamiliar assurance work, and create structured development opportunities — including for client engineers who may not yet have strong security habits.
- Contribute to Made Tech's Cyber practice beyond delivery. Shape practice standards, contribute to hiring and…
To Search, View & Apply for jobs on this site that accept applications from your location or country, tap here to make a Search: