
Senior Cyber Security Consultant IT

Job in Gerrards Cross, Buckinghamshire, SL9, England, UK
Listing for: Causeway Technologies
Full Time position
Listed on 2026-03-01
Job specializations:
  • IT/Tech
    Cybersecurity
Salary/Wage Range or Industry Benchmark: 100000 - 125000 GBP Yearly
Position: Senior Cyber Security Consultant IT

Senior Cyber Security Consultant Gerrards Cross (Hybrid or remote)

Do you want to help shape software that affects thousands of lives?

Who are we?

We are ranked as the UK’s #1 construction-specific software player and our mission is simple: to provide market-leading end-to-end software solutions to the construction and construction-like industries across the entire build life cycle.

If you are looking to build an exceptional career with an award-winning company you’ve come to the right place. Our teams are based in the UK, Europe, and India, working on products that are used on a global scale. We have a clear and defined road map to deliver over the next 3 years, which is centred around a large‑scale digital transformation as well as continuing our growth and expansion.

We embrace diversity and equality and want our employees to be comfortable bringing their whole selves to work. We are committed to building a team with a variety of backgrounds, skills and views. Creating a culture of Equality isn’t just the right thing to do, it improves every aspect of our business.

Purpose

This is a senior, people‑focused role at the intersection of secure software engineering, application security, and enterprise cyber operations. You will lead the strategy and hands‑on execution for App Sec across a broad technology stack, partner with engineers to remediate complex vulnerabilities (first‑party code and third‑party libraries), run and improve offensive security and vulnerability management practices, and ensure alignment with ISO 27001, CE+, SOC2 and internal standards.

A core expectation is to coach and upskill teams, embedding security by design and accelerating safe delivery.

Key Responsibilities
  • App Sec program uplift: SAST/DAST/SCA standardised and embedded across CI/CD with clear policies, SLAs and reporting.
  • Risk reduction: Demonstrable reduction in critical/high vulnerabilities in products and platforms; time‑to‑remediate improved quarter‑on‑quarter.
  • Developer enablement: Training programme launched (secure coding, threat modelling, vuln triage), with >90% adoption in priority teams.
  • Zero‑day readiness: Playbooks defined and tested; cross‑functional war room capability established.
  • Governance: Metrics and KPI/KRI dashboards in place for exec and board‑level reporting.
Core Responsibilities
1) Strategy & Leadership
  • Own the application security strategy and roadmap across products and platforms, aligned to business risk and compliance obligations (e.g., ISO 27001, NIST).
  • Work with Group Architect to set and govern secure SDLC standards.
  • Influence senior engineering leadership on security architecture decisions, backlog prioritisation, and risk acceptance.
2) Application Security Engineering
  • Lead and mature SAST, DAST, SCA usage (e.g., Mend for SCA; equivalent SAST/DAST tools), with policy‑as‑code and pipeline gating where appropriate.
  • Conduct lightweight threat modelling and design reviews for new features and critical services (APIs, microservices, containers, serverless).
  • Guide and unblock remediation of complex vulnerabilities in first‑party code and third‑party libraries, providing developer‑ready fixes and patterns.
  • Design and deliver a hands‑on security training programme (secure coding, threat modelling, cloud App Sec, vuln triage) working closely with the Group Architect and Application Security Engineers.
3) Offensive Security & Vulnerability Management
  • Direct and coordinate penetration testing (internal or partner-led); define scope, success criteria, and exec-level reporting.
  • Validate findings (false positives/negatives), and partner with product/infrastructure teams to track remediation to closure.
4) Zero‑Day & Incident Readiness
  • Lead the response to zero‑day events affecting our stack: assess exposure, coordinate mitigations, communication, and after‑action reviews.
  • Support security incident investigations; ensure escalation paths and evidence handling align with policy and legal requirements.
  • Lead tabletop exercises alongside incident response partners to ensure the effectiveness of Causeway’s Cyber Incident Response Plan.
5) Governance, Risk & Compliance
  • Provide security input to policies, standards, and…
Position Requirements
10+ Years work experience