Principal Security Engineer
Job description
We are looking for a visionary Principal Security Engineer to bridge the gap between rapid development and ironclad security. In this role, you won't just be "checking boxes" - you will be the primary architect of a culture where security is invisible, automated, and inseparable from the CI/CD pipeline.
Reporting to the Director of Engineering Operations, you'll lead the charge in evolving our infrastructure-as-code (IaC) secure practices, mentoring a team of engineers, and ensuring that our scale never outpaces our safety.
What You'll Do:
- Architect & Lead: Design and implement an end-to-end secure software development toolchain. You'll own the roadmap for security automation, including building out the AI security posture for our platform.
- Automate Everything: Integrate SAST, DAST, and SCA tools directly into our pipelines so that vulnerabilities are caught before they ever hit a staging environment.
- Cloud Governance: Oversee security posture management (CSPM) across [AWS/Azure/GCP], ensuring our cloud infrastructure is resilient and compliant, including working with our Risk team for ISO and SOC2 compliance.
- Mentor & Evangelise: Act as a technical mentor to all flavours of our Software Engineers, fostering a "Security-First" mindset through workshops and code reviews, fostering ownership of the responsibility for security to our teams and their services.
- Tooling: Own the current and future of our security toolchain, which currently includes Wiz at the heart of our security posture management, but also have a key input into managing the security aspects of our source code management (GitHub) and owning the management of our edge security.
- Threat Response: Partner with Cyber Security and other teams to develop automated remediation playbooks for security events, and 'shifting left' by being a key contributor to our Threat Modelling processes, assisting the process and reviewing architecture.
- Monitoring & Observability: Own our security observability scope and its implementations.
Requirements
Do you have experience in Terraform?
The skills, experience, and aptitudes we are looking for are listed below, but please don't be discouraged from applying if you don't meet every single one of these criteria - having a 'can do' attitude is sometimes more important than being able to tick every box.
Your Technical Background
- Container Security: Deep expertise in Kubernetes security (e.g., Wiz, OPA Gatekeeper, etc).
- Infrastructure as Code: Mastery of Terraform, or CloudFormation, with a focus on automated linting and policy-as-code.
- CI/CD Mastery: Advanced experience with GitLab CI, GitHub Actions, or Jenkins.
- Scripting & Backend: Proficiency in Python, Go, or Bash for building custom security tooling.
- Security Tooling: Hands-on experience with tools like Wiz, Snyk, SonarQube, etc.
- A Pragmatic Leader: You understand that security shouldn't be a bottleneck. You find ways to say "Yes, and here is how we do it safely."
- A Veteran Engineer: You have experience in DevOps/SRE roles with a focus specifically on security leadership (or becoming one).
- Curious and Egoless: There are lots of things happening in our Engineering function; you'll need to know when to jump into some of them, and be comfortable being the person in the meeting with the least contextual information (but knowing the right way to engage and discover more!).
- A Clear Communicator: You can explain the business impact of a log4j-style vulnerability to a Stakeholder just as easily as you can explain a heap overflow to a Developer.
Benefits & conditions
At Smart, one of the eight principles we work to is "We want happy and good people in our team". We created a list of benefits that helps us achieve this goal:
- 25 days' holiday per year, increasing with length of service.
- £500 annual training budget to spend on your professional development.
- Extensive private healthcare, including dental, eyecare and EAP.
- Enhanced sick leave (three months' pay per year).
- Enhanced maternity and paternity (maternity - 6 months fully paid/paternity - 3 weeks fully paid).
- Death in service insurance cover.
- Fully-paid five-week sabbatical after five years of employment.
- In-office wellbeing, such as manicures, massages and barbers.
- Smart employees also enjoy a 50% discount on orders from our sister company Arena Flowers, Britain's most ethical florist. They offer unique hand-tied bouquets, luxury flowers, letterbox flowers, plants and gifts to spend on friends and loved ones or even for yourself.
At Smart, we are committed to creating an inclusive and equitable workplace where everyone feels valued, respected, and empowered to do their best work.