Cyber Security Architect - Outside IR35 - Remote - Up to £650pd

We are seeking an experienced Cyber Security Architect to lead a critical transformation of edge security and access control environment. You will be responsible for the end-to-end migration from Symantec WSS to Cloudflare One, establishing a robust Zero Trust Architecture., * Architectural Ratification: Review and improve the initial Cloudflare setup to ensure it meets enterprise-grade security standards.

• Migration & Policy Design: Lead the migration of existing Symantec WSS policies to Cloudflare SWG. Develop sophisticated Zero Trust policies for staff web browsing and application access.
• Cloudflare One Deployment: Configure and deploy Cloudflare ZTNA and SWG from the ground up, ensuring seamless integration with EntraID.
• Device Posture & Compliance: Implement posture checking via the WARP client to ensure only compliant, patched managed devices can access sensitive data.
• Unmanaged Device Strategy: Configure Secure Browser (Browser Isolation) for guest access to provide restricted, secure environments for non-managed devices.
• Application Onboarding: Successfully onboard a diverse SaaS and dev environment, including M365, Azure, Adobe, Netlify, Sage, Miro, Jira, and GitHub via SSO.
• Stakeholder Collaboration: Partner with Identity teams and the Managed Service Provider (MSP) to manage the delicate rollout of the WARP client (ensuring the removal of Symantec WSS to avoid client conflicts).
• Testing & Documentation: Execute rigorous UAT with test groups to prove policy efficacy and provide comprehensive "as-built" documentation for handover to operations.

• Cloudflare Mastery: Deep, hands-on experience with Cloudflare One, specifically Zero Trust Network Access (ZTNA) and Secure Web Gateway (SWG).
• Zero Trust Expertise: Proven track record of designing and implementing Zero Trust frameworks (Identity-based access, Least Privilege, Continuous Verification).
• Identity Integration: Strong experience integrating Zero Trust solutions with EntraID (Azure AD).
• Endpoint Security: Experience deploying and troubleshooting the Cloudflare WARP client and implementing device posture profiles.
• Legacy Migration: Experience migrating from traditional web proxies (specifically Symantec/Broadcom WSS) to modern SASE platforms.

Desirable

• Experience with Remote Browser Isolation (RBI) for guest/contractor access.
• Broad understanding of securing DevOps environments (GitHub, Netlify, etc.).
• Relevant certifications (eg, CISSP, CCSP, or Cloudflare certifications).

The primary focus is to replace a llegacy web proxying with Cloudflare Secure Web Gateway (SWG) and deploy Zero Trust Network Access (ZTNA) to secure a managed and unmanaged device landscape. This is a hands-on architectural role requiring design, policy development, deployment, and documentation.