Senior Cyber Security Consultant

This is a senior, people focused role at the intersection of secure software engineering , application security , and enterprise cyber operations . You will lead the strategy and hands-on execution for AppSec across a broad technology stack, partner with engineers to remediate complex vulnerabilities (first party code and third-party libraries), run and improve offensive security and vulnerability management practices, and ensure alignment with ISO 27001, CE+, SOC2 and internal standards. A core expectation is to coach and upskill teams , embedding security by design and accelerating safe delivery. -focused role-on execution -party code and third-party libraries), run and improve offensive security and vulnerability management practices, and ensure alignment with, * AppSec program uplift: SAST/DAST/SCA standardised and embedded across CI/CD with clear policies, SLAs and reporting .

• Risk reduction: Demonstrable reduction in critical/high vulnerabilities in products and platforms; time-to-remediate improved quarter-on-quarter.
• Developer enablement: Training programme launched (secure coding, threat modelling, vuln triage), with >90% adoption in priority teams.
• Zero-day readiness: Playbooks defined and tested; cross functional warroom capability established. -day readiness: -functional -room
• Governance: Metrics and KPI/KRI dashboards in place for exec and board-level reporting.

Core Responsibilities

1. Strategy & Leadership

• Own the application security strategy and roadmap across products and platforms, aligned to business risk and compliance obligations (e.g., ISO 27001 , NIST).
• Work with Group Architect to set and govern secure SDLC standards.
• Influence senior engineering leadership on security architecture decisions, backlog prioritisation, and risk acceptance.

2. Application Security Engineering

• Lead and mature SAST, DAST, SCA usage (e.g., Mend for SCA; equivalent SAST/DAST tools), with policy-as-code and pipeline gating where appropriate.
• Conduct lightweight threat modelling and design reviews for new features and critical services (APIs, microservices, containers, serverless).
• Guide and unblock remediation of complex vulnerabilities in first party code and third-party libraries , providing developer ready fixes and patterns. -party code-party libraries -ready fixes and patterns.
• Design and deliver a hands-on security training programme (secure coding, threat modelling, cloud AppSec, vuln triage) working closely with the Group Architect and Application Security Engineers -on security training programme

3. Offensive Security & Vulnerability Management

• Direct and coordinate penetration testing (internal or partnerled); define scope, success criteria, and exec level reporting .-led); define scope, success criteria, and -level reporting
• Validate findings (false positives/negatives), and partner with product/infrastructure teams to track remediation to closure.

4. Zero-Day & Incident Readiness

• Lead the response to zero-day events affecting our stack: assess exposure, coordinate mitigations, communication, and after-action reviews.
• Support security incident investigations ; ensure escalation paths and evidence handling align with policy and legal requirements.
• Lead tabletop exercises alongside incident response partners to ensure the effectiveness of Causeway's Cyber Incident Response Plan.

5. Governance, Risk & Compliance

• Provide security input to policies, standards, and customer/security questionnaires.
• Report risk posture regularly to the Head of GRC and senior IT leadership; contribute to Compliance Management Forum .
• Ensure controls remain effective and audit-ready for ISO 27001 and related frameworks.
• Provide expertise in customer-led security reviews and audits, demonstrating the effectiveness of security controls across Causeway products.

6. DevSecOps Tooling & Platform Enablement

• Administer and optimise AppSec and vulnerability tooling (e.g., Mend SCA, Qualys/Tenable , Defender for Endpoint ), integrated into CI/CD and developer workflows (e.g., Git, build systems, ticketing such as Jira ).

Technical & Engineering

• Proven background in software engineering (e.g., .NET, Java, JavaScript/TypeScript, Python) and secure coding practices .
• Strong experience operating and integrating SAST/DAST/SCA and AppSec controls into CI/CD.
• Understanding of modern architectures: APIs, microservices, containers (Docker/K8s), serverless , secrets management, identity and access.

Offensive Security & Vulnerability Ops

• Hands-on with penetration testing methods and tooling (e.g., OWASP, Burp Suite, ZAP); able to set test charters and interpret results.
• Practical experience with vulnerability scanners and endpoint/cloud security platforms ( Qualys/Tenable , Defender for Endpoint ), plus asset/coverage hygiene.
• Skilled at triage and risk framing , mapping to business impact and SLAs.

Cloud & Platform

• Experience securing workloads in AWS, Azure and/or GCP ; multi-cloud exposure preferred.
• Familiar with cloud-native controls (e.g., identity, networking, container security, posture management).
• Experience in optimisation of perimeter security (WAF/API Security/Bot Protection).

Governance & Standards

• Working knowledge of ISO 27001 , NIST controls, CE+, SOC2 and secure SDLC /DevSecOps practices.
• Comfortable producing metrics, KPIs/KRIs , and executive reporting.

Soft Skills (Senior)

• Influential communicator -able to translate complex security issues into clear decisions for engineering and leadership.
• Coach/mentor mindset; proven track record of uplifting teams .
• Pragmatic, solutions oriented, and comfortable owning outcomes in ambiguous environments.-oriented, and comfortable

Qualifications (Nice to Have)

• Relevant certs such as OSCP, GWAPT/GWEB, CSSLP, CISSP, CISM , or cloud security (e.g., AWS Security Specialty , AZ-500 ).
• Evidence of building/running training programmes or Security Champions networks.

Tools & Technologies

• SCA: Mend (preferred), Snyk, etc.
• SAST/DAST: SonarQube/ Burp Suite/ZAP.
• Vulnerability Management: Tenable; Defender for Endpoint
• Pipelines & Dev: GitHub/GitLab/Azure DevOps; Jira; IaC (Terraform), containers/K8s.
• Web Application Firewalls

As a leader in employee engagement and people management, there are fantastic benefits and rewards at Causeway. We strive, year on year, to achieve recognition as an award-winning workplace that our employees love. We've selected just a few of the many benefits available below to show you how we take care of our Causeway stars.

• 25 days annual leave + public holidays, increasing with length of service.
• 4% matched pension.
• Income protection and life assurance.
• Access to our award-winning benefits platform.
• We take mental health seriously and have a dedicated EAP available 24/7.
• £100 allowance towards a fitness club.
• Dell discounts.
• Private Medical Insurance.
• Paid study leave + volunteering days.
• Car Scheme.

We are ranked as the UK's #1 construction specific software player and our mission is simple; to provide market leading end-to-end software solutions to the construction and construction like industries across the entire build life cycle. If you are looking to build an exceptional career with an award-winning company you've come to the right place. Our teams are based in the UK, Europe, and India, working on products that are used on a global scale. We have a clear and defined road map to deliver over the next 3 years, which is centred around a large-scale digital transformation as well as continuing our growth and expansion. We embrace diversity and equality and want our employees to be comfortable bringing their whole selves to work. We are committed to building a team with a variety of backgrounds, skills and views. Creating a culture of Equality isn't just the right thing to do, it improves every aspect of our business., If you're looking to build an exceptional career with an award-winning company you've come to the right place. We believe everyone at Causeway has a vital role to play in our success. Causeway is fuelled by curiosity and is a place for people who beam with positivity and burn with ambition. Our team is everything, so we'll take good care of you. In fact, we give well-being the same priority as our other business goals. We're strong advocates of work-life balance, offering hybrid working alongside the opportunity to work from modern, collaborative offices. Our Values We are United . As part of a team, we're better together., Like all responsible companies Causeway is aware of the need to recognise the importance of protecting our environment and addressing the climate emergency. Causeway is a carbon neutral company and we offset our calculated carbon footprint. However, we recognise that offsetting is not a permanent solution, so we set environmental objectives to reduce our footprint year-on-year.