Technical Security Consultant - Threat Modeling

Description

This role is within the Security Consultancy sub-team who provide specialist technical security advice collaborating with technical and business teams throughout the entire or part of a digital solutions life cycle.

The team owns and develops Security Patterns, Security Specifications, and the Threat Modelling Framework, to support secure technology innovation in a changing threat landscape.

The Technical Security Consultants responsibilities will vary based on business alignment and will include :

• Lead as an internal consultant at Manager level to an assigned
• Platform/Product/Capability/Practice Management area as part of our Centre of Excellence function providing technical security direction, stakeholder management, and driving improvements to our ways of working.
• Collaborate with programmes and projects, product and engineering teams to help deliver digital solutions that meet the business need, by supporting and contributing to design reviews.
• Ensuring that the proposed design, build and run are compliant with and client security requirements ensuring all applicable security controls and patterns are implemented.
• Work alongside internal Design Authorities and Change Management functions to ensure all change initiatives are reviewed, supported, and aligned with security requirements.
• Using threat modelling to provide risk and threat-based advice to programme stakeholders along with actionable recommendations where necessary in the design and implementation of digital solutions.
• Advise on secure-by-design adoption of AI/GenAI capabilities (e.g. Microsoft 365 Copilot/Copilot Studio and LLM integrations) including prompt and data protection, model/service selection considerations, misuse and abuse cases, and appropriate technical guardrails.
• Manage the scoping of security testing requirements for new systems and products working closely with our Security Testing function.
• Undertake Post Deployment Security Architecture reviews of existing digital solutions.
• Support the creation of secure development guidance documentation and eLearning, security patterns and specifications in collaboration with Engineering/Development teams and Enterprise Security Architecture.
• Provide solution architecture support (i.e. PoC, design creation, roadmap support) for security solutions (e.g. AI, IAM).
• Work towards and achieve or extend professional certifications as part of personal development (e.g. security or cloud vendor certifications).
• Share experiences with others to assist their learning and understanding, and promote good security hygiene and its benefits.
  
  

• Have worked in at least one of :
• Infrastructure/Solution Architect
• Technical Security Architect/Consultant
• Security Operations
• Secure application development
• A good understanding of concepts and their application across several key areas including application, cloud, and SaaS security, best practices, and industry standards (and where relevant, AI/GenAI security concepts).
• You will bring hands on experience and knowledge in securing digital products/solutions in at least one or more of the following areas :
• Artificial intelligence (e.g. AWS Bedrock, CoPilot, CoPilot Studio, Google Gemini, Azure OpenAI, Google Vertex)
• Cloud (e.g. AWS, Azure/M365, Google, ServiceNow, SAP)
• Networks (e.g. firewalls, routers, switches, WIFI, LAN/WAN, SDN)
• Operating Systems and hardware (e.g. Microsoft, Linux, Apple, Android)
• Security Solutions (e.g. Entra ID, CyberArk, SailPoint, Threat Modeler)
• Good experience of working in an Agile/DevOps software development environment using Threat Modelling.
• Be able to demonstrate the ability to adapt communication style to explain technical concepts to different people within an organisation whether advising stakeholders, directing teams, or sharing experience.
• Experience prioritising and delivering in an environment with competing demands and evolving requirements.
• Able to navigate through complex security problems to find the root cause and a balanced outcome, taking ownership of activities.
  
  

• Container/serverless platforms.
• Infrastructure/network security.
• Modern application development processes and testing.
• AI/GenAI security (e.g. threat modelling for AI solutions, prompt injection and data exfiltration risks, data poisoning/model integrity risks, model/service supply chain considerations, and applying appropriate guardrails and monitoring).
• Have or working towards technical security certifications (e.g. CISSP, CCSP, Microsoft/Google/AWS technologies).
• Having worked in customer service/regulated environments, delivering high quality information security services.