Head of Security Architecture and Engineering - CISO function - BPL

Purpose of the role To develop, implement and manage the bank's cloud and security infrastructure, including the development and implementation of effective security administration processes for all platforms.

Accountabilities

• Execution of assessments and analysis on new security technologies in the bank, including cloud access security brokers (CASBs), cloud data loss prevention (DLP) solutions, and cloud encryption solutions, to secure the bank's cloud environments through seamless integration.
• Development and implementation of effective security administrative processes for all platforms, including cloud security architecture, aligned to the organisation's security and regulatory requirements.
• Implementation of cloud security monitoring solutions to detect and alert on potential security threats and anomalies.
• Execution of incident investigations related to cloud security to identify the root causes and implement corrective measures promptly to minimise damage and return to normal operations.
• Identification, analysis and implementation of emerging cloud security technologies and solutions to prevent threats and enhance the bank's cloud security posture.
• Development and maintenance of comprehensive documents and reports for senior stakeholders on cloud security architecture, policies, procedures and incidents.
• Collaboration with cloud operation team to manage the bank's cloud security infrastructure, including identity and access management (IAM), network security, and data security controls, to protect cloud resources from unauthorized access and data breaches.

Director Expectations To manage a business function, providing significant input to function wide strategic initiatives; contribute to and influence policy and procedures for the function and plan, manage and consult on multiple complex and critical strategic projects, which may be business wide. They manage the direction of a large team or sub function, leading other people managers and embedding a performance culture aligned to the values of the business; for an individual contributor, they lead organisation wide projects and act as deep technical expert and thought leader, identifying new ways of working and collaborating cross functionally. They will train, guide and coach less experienced specialists and provide information affecting long term profits, organisational risks and strategic decisions, providing expert advice to senior functional management and committees to influence decisions made outside of own function, offering significant input to function wide strategic initiatives. Manage, coordinate and enable resourcing, budgeting and policy creation for a significant sub function. Escalate breaches of policies / procedures appropriately. Foster and guide compliance, ensure regulations are observed with relevant processes in place to facilitate adherence. Focus on the external environment, regulators, or advocacy groups to monitor and influence on behalf of Barclays, when appropriate. Demonstrate extensive knowledge of how the function integrates with the business division / Group to achieve the overall business objectives. Maintain broad and comprehensive knowledge of industry theories and practices within own discipline alongside up to date relevant sector / functional knowledge, and insight into external market developments / initiatives. Use interpretative thinking and advanced analytical skills to solve problems and design solutions in often complex / sensitive situations. Exercise management authority to make significant decisions and certain strategic decisions or recommendations within own area. Negotiate with and influence stakeholders at a senior level both internally and externally. Act as principal contact point for key clients and counterparts in other functions / business divisions. Mandated as a spokesperson for the function and business division. All Senior Leaders are expected to demonstrate a clear set of leadership behaviours to create an environment for colleagues to thrive and deliver to a consistently excellent standard. The four LEAD behaviours are: L - Listen and be authentic, E - Energise and inspire, A - Align across the enterprise, D - Develop others. All colleagues will be expected to demonstrate the Barclays Values of Respect, Integrity, Service, Excellence and Stewardship - our moral compass, helping us do what we believe is right. They will also be expected to demonstrate the Barclays Mindset - to Empower, Challenge and Drive - the operating manual for how we behave.

Head of Security Architecture and Engineering The role owns the security reference architecture, cloud security posture, identity and access management strategy, data security (including tokenisation and encryption), and the technical standards that the entire engineering organisation builds upon. The pillar operates as an internal platform team: it publishes self service security capabilities, automated guardrails, and hardened defaults that enable product teams to build securely by default without needing deep security expertise for every design decision. The ideal candidate is a technically deep security leader who can set architectural direction, make pragmatic engineering trade offs, and build a team that earns the trust and respect of platform and product engineers. This is the most technically demanding leadership role in the CISO function. You will be expected to have credible opinions on cloud security architecture, cryptographic implementation, identity federation, container security, and zero trust design - and to translate those opinions into practical, adoptable standards and services.

Key Responsibilities

• Define and own the security reference architecture for the cloud native platform, including network security patterns, identity and authentication, encryption, logging, and inter service communication security.
• Own the cloud security posture management (CSPM) strategy, ensuring continuous monitoring and automated enforcement of security policies across the entire cloud estate.
• Set and maintain security technical standards, including approved technologies, cryptographic algorithms, authentication protocols, and secure design patterns for microservices.
• Lead the identity and access management strategy, including privileged access management (PAM), service identity (workload identity, service accounts), RBAC models, and zero trust architecture principles.
• Own the data security strategy, including cardholder data tokenisation, encryption key management (HSM/KMS), data classification, and data loss prevention implementation.
• Chair the Security Architecture Board, reviewing architecture proposals, approving non standard patterns, updating standards, and maintaining a decision log.
• Ensure security guardrails are implemented as automated policies (infrastructure as code, OPA/Rego, CSPM rules) that scale with the platform and enforce security without manual intervention.
• Publish self service security capabilities for engineering teams: secure base images, IaC security modules, encryption libraries, IAM templates, and approved architecture blueprints.
• Collaborate closely with Platform Engineering to embed security into the platform layer, ensuring security is a property of the infrastructure, not an afterthought applied on top.
• Advise the CISO on technical security strategy, emerging technology risks, and the security implications of architectural decisions.
• Support PCI DSS compliance from an architectural perspective, ensuring the platform design supports scope minimisation, network segmentation, and the technical requirements of PCI DSS 4.0.
• Manage and develop the Security Architecture and Engineering team of five, building deep technical capability across cloud security, identity, cryptography, and architecture.

Key Deliverables

• Security reference architecture document, covering cloud, network, identity, data, and application layers - reviewed and updated bi annually.
• Cloud security policy as code library (OPA/Rego, Terraform Sentinel, or cloud native equivalents) integrated into deployment pipelines.
• IAM strategy and RBAC model documentation, including privileged access management implementation and zero trust roadmap.
• Data security and encryption standards document, including approved algorithms, key management procedures, and tokenisation architecture.
• Technology security standards catalogue (approved languages, frameworks, libraries, protocols, and configurations).
• Secure design pattern library ("paved road" patterns for common scenarios: API authentication, inter service communication, data handling, secrets management).
• Security Architecture Board minutes and decision log.
• CSPM compliance dashboard and drift reporting.
• Secure base image catalogue for containers and VMs, published and maintained.

Required Skills and Experience

• AWS Security Specialty, GCP Professional Cloud Security Engineer, or equivalent cloud security certification.
• Significant experience within FinTech or PayTech/Payments Acquiring.
• CISSP ISSAP (Architecture concentration), SABSA, or TOGAF certification.
• Experience with payment processing architectures (card acquiring, transaction routing, settlement, tokenisation).
• Kubernetes security certifications (CKS - Certified Kubernetes Security Specialist).
• Experience with zero trust architecture implementation (BeyondCorp model, ZTNA).
• Experience with service mesh security (Istio, Linkerd) and mTLS implementation at scale.
• Published security architecture patterns, conference presentations, or thought leadership click apply for full job details