Senior Cloud Security Engineer

Company: HealthHero
Location: London
Job Description:

Requirements

  • Proven experience in application security, DevSecOps, or cloud security
  • Strong understanding of cloud networking
  • Experience securing cloud environments (AWS, Azure)
  • Ability to read and write IaC (Terraform) code, comfortable with IaC lifecycles
  • Familiarity with container security and Kubernetes
  • Understanding of secure coding, penetration testing techniques, SIEM, and vulnerability management
  • Strong technical skills relevant to Information Security such as secure coding standards, ethical hacking techniques, network security and risk analysis
  • Understanding of managing Secure Development Lifecycle and Vulnerability Management
  • Understanding and practical experience of ISO27001:2022 controls and audit processes
  • (Desirable) AWS Security Specialty or similar certification
  • (Desirable) Experience in regulated environments (healthcare, financial services)
  • (Desirable) Familiarity with NHS DSPT
  • (Desirable) Technical knowledge of GDPR and data protection requirements
  • (Desirable) Hands‑on with CI/CD security tooling and pipeline integration
  • (Desirable) Interest in learning other countries' health and security regulations (France / UK / IR / DE)

What the job involves

  • This role will form a fundamental part of a growing Platform Security function, where the team covers application security, cloud security, security operations, culture and risk management
  • As a tech‑centric organisation the Information Security team will play a critical part in embedding a security‑first mindset into application development and continuous application monitoring
  • This role will co‑own the cloud security posture and tooling across HealthHero’s AWS and Azure estates and have the opportunity to tackle cloud security with an international scope
  • The role will be supported by a multidisciplinary force of Infrastructure, Data Governance and Engineering team leads with a security focus as part of their remit
  • The role has a focus on infrastructure and cloud networking when it comes to security posture
  • DevSecOps & SDLC:
    • Champion integration of security testing into CI/CD pipelines across all development teams and usage of automated security gates: SAST, DAST, dependency scanning, secrets detection
    • Enable self‑serve security tooling for development teams
    • Ability to set up development environment
  • Cloud Security:
    • Own cloud security posture management using Wiz (or similar CSPM)
    • Define and enforce cloud security baselines, guardrails, and policies in AWS
    • Implement and maintain IaC security scanning for Terraform
    • Manage IAM policies, network segmentation, and secrets management
    • Configure and tune SIEM (or similar) for cloud‑focused detection
    • Establish logging, monitoring, and alerting requirements based on threat modelling
    • Investigate and respond to cloud security events
  • Risk & Compliance:
    • Identify, articulate, and elevate security risks to senior leadership with mitigation plans
    • Track and remediate vulnerabilities across infrastructure
    • Manage customer initiatives related to due diligence when required
    • Support and develop annual programme of Penetration Testing and associated remediations
  • Stakeholder Engagement:
    • Partner with internal and stakeholder management to support any requirements from the security function – particularly governance and accreditation requirements across different countries
    • Provide expertise on emerging threats and vulnerabilities
    • Support response to customer/client due diligence requests with timely and accurate information regarding vulnerability exposure

Posted: June 1st, 2026