This list contains only the countries for which job offers have been published in the selected language (e.g., in the French version, only job offers written in French are displayed, and in the English version, only those in English).
Made Tech helps UK government and public sector organisations build better digital services — and security is central to that mission. As a Lead Security Assurance Engineer in our Cyber practice, you'll be the most senior security assurance voice on client engagements, setting the technical direction for how organisations identify, assess, and respond to security risk. You'll work across complex government programmes where the stakes are real: services that affect citizens, systems that hold sensitive data, and teams that need to move quickly without cutting corners. This isn't a role where you sit at the edge of delivery reviewing outputs. You'll be embedded in multidisciplinary teams, shaping how security assurance is woven into everyday engineering work — from threat modelling at design time to control testing in production. You'll build trusted relationships with client security teams, senior stakeholders, and government security communities, translating between technical findings and the risk decisions that senior leaders need to make. You'll bring the judgement to know when a full ISO 27001 governance programme is appropriate and when a lighter-weight approach serves the engagement better. At Lead level, your impact extends beyond the immediate team. You'll establish assurance frameworks and standards across engagements, grow the security capability of the people around you — colleagues and client staff alike — and contribute to how Made Tech's Cyber practice develops as a community. If you're someone who builds capability rather than gatekeeping decisions, who treats security as an engineering concern rather than a compliance exercise, and who cares about leaving client teams genuinely stronger than you found them, this role is for you.
Job Responsibility
Own end-to-end assurance across engagements
Lead vulnerability management as a programme, not a process
Drive security into the team's normal rhythm
Navigate UK government security standards with confidence
Communicate security risk in terms that drive decisions
Set the standard for incident response and detection readiness
Grow the people around you
Contribute to Made Tech's Cyber practice beyond delivery
Requirements
Hold one of the following — Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) — or an equivalent senior audit and assurance credential
Experience establishing and operating vulnerability management programmes at organisational scale — including risk-based prioritisation using EPSS, KEV, and asset criticality, and managing remediation across multiple delivery teams
Evidence of leading compliance programmes against UK government frameworks — GovAssure, CAF, Cyber Essentials, HMG Security Policy Framework — in a complex multi-supplier or multi-team environment
Experience conducting or coordinating security audits in UK public sector contexts, including producing formal findings and briefings for senior government stakeholders
Working knowledge of exposure management beyond CVE-only approaches — incorporating misconfiguration, identity exposure, and attack-path analysis using cloud-native tooling (AWS Inspector, GuardDuty, Security Hub, or equivalents)
Experience assessing and assuring supply chain security — including third-party and vendor risk — and integrating supplier risk into wider assurance and governance programmes
Experience building or shaping security assurance capability within a consultancy, programme delivery, or multi-client environment — including growing technical security skills in colleagues and client teams
Evidence of acting as a trusted adviser to senior client stakeholders — anchoring security recommendations on client outcomes, challenging briefs constructively, and making security value visible rather than reporting activity
Experience setting team ways of working in iterative delivery environments — establishing retrospective cadences, collaborative problem-solving norms, and pairing practices that spread security knowledge across the team
Familiarity with structured threat modelling approaches — STRIDE, MITRE ATT&CK, attack trees — and experience embedding these into agile delivery ceremonies
Experience integrating SAST, SCA, dependency scanning, and container security tooling into CI/CD pipelines as part of a shift-left security approach
Nice to have
Certified in Risk and Information Systems Control (CRISC)