Principal Product Security Engineer

Expleo
Bristol, United Kingdom
yesterday

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English

Job location

Bristol, United Kingdom

Tech stack

Software System Penetration Testing
Computing Platforms
Systems Engineering
Software Bug Management
Configuration Management
Computer Security
Decision Support Systems
Identity and Access Management
Information Systems Security Architecture Professional
Mod Security
Sherwood Applied Business Security Architecture
Systems Integration
Software Vulnerability Management
Data Logging
Cloud Platform System
Software Security
Togaf
SC Clearance
Integration Tests
Process Control Systems
Vulnerability Analysis

Job description

The role requires a strong blend of cybersecurity leadership, secure engineering, technical assurance, stakeholder management, governance, supplier oversight and defence regulatory experience. You will need to operate with autonomy, technical credibility and the ability to provide clear decision support to senior leaders.

  • Own and maintain the Product Security Management Plan, ensuring it defines the approach, governance, assurance expectations and lifecycle security activities required for the programme.
  • Define and assure the OT and IT security architecture for shipboard and supporting systems.
  • Act as a senior security authority within the Integrated Project Team, providing direction, challenge and assurance across engineering and delivery activity.
  • Embed secure-by-design principles across platform design, system integration, IT/OT architecture, operational technology, networks, communications and mission-supporting systems.
  • Provide security input into formal engineering design reviews, including SRR, PDR, CDR and equivalent programme governance gates.
  • Conduct threat modelling and risk assessment activity across ship systems, platform services, navigation, propulsion, communications, IT, OT and associated support environments.
  • Define and assure network zoning, segregation, trust boundaries, secure configuration baselines and identity and access management requirements for shipboard systems.
  • Support the definition and validation of secure architecture patterns across onboard and supporting environments.
  • Apply relevant MOD, NCSC, defence, and maritime security frameworks to support assurance, accreditation, and compliance activities.
  • Maintain and support security risk registers, ensuring risks are clearly articulated, owned, treated, tracked and escalated where required.
  • Provide cybersecurity input to accreditation, certification, assurance, and acceptance activities.
  • Define supplier security requirements and ensure they are embedded in contracts, delivery expectations, security schedules, and technical acceptance criteria.
  • Review and assess supplier security deliverables, including security claims, compliance evidence, technical designs, assurance artefacts and software bills of materials.
  • Support the assessment of third-party and supply chain security risks across products, systems, components and supporting services.
  • Scope and support vulnerability assessment, penetration testing, and technical assurance activities across platform, IT, OT, and supporting environments.
  • Define security requirements for factory acceptance testing, integration testing, harbour trials and sea trial cyber validation.
  • Support test planning, test readiness, defect management and security acceptance activity.
  • Design and support onboard cyber incident response capabilities, including monitoring, logging, forensic readiness, and evidence-capture requirements.
  • Define and assure logging, monitoring and detection requirements across shipboard and supporting environments.
  • Provide security advice on operational resilience, cyber recovery, secure maintenance, patching, configuration control and through-life security management.
  • Work collaboratively with naval architects, systems engineers, platform engineers, OT specialists, IT teams, suppliers, assurance teams and senior programme stakeholders.
  • Produce clear technical assurance outputs, security design material, decision papers, risk statements, briefing notes and governance updates.
  • Work independently as a senior subject matter expert, determining the day-to-day technical approach, stakeholder engagement and assurance rhythm required to achieve agreed outcomes.

Requirements

  • Relevant education or industry-recognised certifications in cybersecurity, information assurance, secure engineering, security architecture, risk management or a related discipline.

  • Suitable qualifications may include BSc, MSc, CISSP, CISM, CRISC, CISA, CCP, ISO 27001 Lead Implementer/Lead Auditor, Security+, CySA+, SABSA, TOGAF, IEC 62443, NCSC CAF-related experience or equivalent professional experience.

  • Experience working within UK MOD, defence, maritime, shipbuilding, naval, critical national infrastructure or operationally critical environments would be highly beneficial.

  • Strong understanding of security architecture, including zoning, segregation, trust boundaries, secure configuration baselines, identity and access management and secure remote access.

  • Ability to lead security input into formal engineering design reviews and technical governance forums.

  • Ability to translate security risks and regulatory expectations into practical engineering, architecture and delivery actions.

  • Strong understanding of vulnerability assessment, penetration testing, technical assurance and security validation approaches.

  • Ability to review security evidence, technical designs, SBOMs, assurance artefacts and supplier security claims.

  • Strong stakeholder management skills, including the ability to influence senior technical and programme stakeholders.

  • Ability to work across engineering, architecture, platform, IT, OT, assurance, supply chain and programme teams.

  • Strong written and verbal communication skills, with the ability to produce concise technical assurance material, risk statements, executive briefings and decision papers.

  • Ability to work independently and provide senior technical direction without day-to-day supervision.

  • Proven experience in a senior cybersecurity, product security, information assurance, or secure engineering role.

  • Experience supporting major defence, maritime, naval, shipbuilding, CNI or complex engineering programmes.

  • Experience defining or maintaining a Product Security Management Plan, Security Management Plan, Security Case, accreditation pack or equivalent assurance artefact.

  • Experience embedding cybersecurity across the full engineering lifecycle, from requirements and design through to build, integration, validation, and acceptance.

  • Experience supporting secure architecture across IT and OT environments.

  • Experience with shipboard systems, platform systems, industrial control systems, mission systems, navigation, propulsion, communications or similar complex operational environments would be highly beneficial.

  • Experience leading security input into design reviews, technical governance forums and assurance gates.

  • Experience developing and maintaining security risk registers, treatment plans, control evidence and assurance records.

  • Experience supporting MOD, NCSC, defence or maritime compliance activity.

  • Experience defining supplier security requirements and assessing third-party security evidence.

  • Experience with SBOM review, software assurance, secure configuration, vulnerability management and technical security testing.

  • Experience supporting cyber incident response design, forensic readiness, logging, monitoring and detection requirements.

  • Experience operating within Integrated Project Teams or multi-disciplinary engineering delivery environments.

  • Experience handling high-classification or sensitive defence information in line with UK MOD, NCSC, client security and data protection requirements would be advantageous.

  • Cybersecurity experience within defence, maritime, shipbuilding, critical national infrastructure, or operationally critical environments.

  • Strong experience operating in a senior product security, cyber assurance, information assurance, secure engineering or security architecture role.

  • Strong understanding of secure-by-design principles and their application across complex engineering lifecycles.

  • Experience securing complex IT and OT systems, including platform systems, industrial control systems, operational technology, networks, communications and support environments.

  • Practical experience applying MOD, NCSC, defence security, information assurance or risk management frameworks.

  • Experience supporting security accreditation, assurance, compliance or certification activities in a UK defence or similarly regulated environment.

  • Experience conducting threat modelling, security risk assessment and security requirements definition.

  • Experience supporting FAT, integration testing, harbour trials, sea trials, or equivalent technical acceptance activities from a cybersecurity perspective.

  • TEMPEST awareness or experience, particularly as it relates to defence standards, secure design, and NCSC guidance.

  • Experience with maritime cybersecurity, naval systems, shipboard integration, or platform security.

  • Experience with MOD security policy, defence standards, JSPs, Secure by Design, NCSC guidance or equivalent assurance frameworks.

  • Experience supporting accreditation, security case development, security assurance planning, or certification activities for defence- or safety-related systems.

  • Experience with OT security architecture, industrial control systems, safety-related control environments and operational resilience.

  • Experience defining cybersecurity requirements for harbour trials, sea trials, factory acceptance testing, or operational acceptance.

  • Experience supporting supplier assurance across complex engineering supply chains.

  • Experience contributing to executive-level security reporting, assurance dashboards, risk briefings or programme decision packs.

  • Strong supplier and third-party oversight experience, including security requirements definition, deliverable review, dependency management and acceptance criteria.

  • Have the right to work in the UK.

  • Be willing and able to work in a hybrid model, including client site attendance as required.

  • Hold, or be eligible to obtain, UK Security Clearance where required by the client or programme.

  • Be comfortable working within secure collaboration environments.

  • Be able to work under the terms of applicable confidentiality and non-disclosure arrangements.

Apply for this position