Principal Security Engineer

Orgvue
Greater London
4 weeks ago
Orgvue is a leading organizational design and planning software platform that captures the power of data visualization and modelling to build more adaptable and better-performing organizations. HR, finance and business leaders use Orgvue for actionable insight and analysis that helps them make faster workforce decisions in a constantly changing world.

Orgvue is used by the world’s largest and best-known enterprises and management consulting firms to visualize and confidently build the businesses they want tomorrow, today. The company is headquartered in London, with offices in Philadelphia, The Hague, Toronto, and Sydney.

We are seeking a strategic Principal Security Engineer with hands-on leadership experience, responsible for evaluating, evolving, and executing Orgvue’s security engineering strategy across our entire application development and cloud-hosting estate.

Role

In this role, partnering closely with Information Security, Engineering, and Product teams, you will embed secure-by-design principles throughout the software-development lifecycle (SDLC), champion modern DevSecOps practices, and ensure that security is a first-class citizen in everything we build and operate.

This role reports directly to the Chief Technology Officer (CTO) and maintains a dotted-line relationship with the VP of TechOps.

Responsibilities

Security Strategy & Governance – Define and continuously refine the technical security roadmap that aligns with business objectives, industry best practice (NIST CSF, OWASP SAMM), and compliance frameworks (SOC 2, ISO 27001, GDPR).
Secure SDLC & DevSecOps – Build and maintain guardrails for static/dynamic analysis, container and IaC scanning, SBOM management, and supply-chain security; automate enforcement through CI/CD pipelines.
Cloud & Infrastructure Security – Design and implement robust controls for AWS (primary) and Azure/GCP (secondary): IAM, network segmentation, KMS, secrets management, WAF, EDR, and zero-trust patterns.
Identity & Access Management (IAM) – Own enterprise IAM strategy, including RBAC, least-privilege provisioning, SSO, federation (OIDC/SAML), and privileged-access workflows.
Monitoring, Detection & Response – Define audit logging, metrics, and telemetry requirements; integrate with SIEM/SOAR to deliver actionable alerts and playbooks for engineering-led incident response.
Threat Modeling & Risk Assessment – Conduct regular architecture and code-level reviews, drive remediation plans, and present risk posture to leadership.
Tooling & Automation – Evaluate, select, and integrate security tooling (SAST, DAST, SCA, container scanners, CSPM, CWPP) and champion IaC/Terraform modules for reusable controls.
Collaboration & Mentorship – Act as a trusted advisor to engineering squads, provide security training, and mentor senior engineers on emerging attack vectors and defensive techniques.
Compliance & Audits – Partner with InfoSec and Legal to prepare evidence, manage technical controls, and remediate audit findings.
InfoSec Partnership – Collaborate proactively with the Information Security team on policy development, threat intelligence sharing, incident response, and compliance initiatives, ensuring organisation-wide alignment.
Engineering Partnership & Enablement – Work hand-in-hand with engineering squads to raise security awareness, improve secure coding practices, and foster a culture of shared security ownership.
Architecture Alignment – Partner closely with Orgvue’s Principal Architect to ensure security patterns, controls, and roadmaps align with overall system architecture and future technical strategy.

We are unable to offer sponsorship for this position and we are not engaging with agencies.

Requirements

Extensive experience in security engineering and/or software engineering with a strong security focus, including demonstrated leadership of complex security initiatives.
Expert-level knowledge of at least one major cloud platform (AWS preferred) and its native security services.
Proven success embedding security within modern microservice, container, and serverless architectures.
Proficiency with Infrastructure-as-Code (Terraform, CloudFormation) and Kubernetes security hardening (admission controllers, network policies).
Strong understanding of and practical experience of software engineering and how security can be an enabler to success as an engineer.
Experience working within high-sensitivity data environments.
Strong awareness of compliance standards and the requirements on software teams, especially for ISO27001 and SOC2. FedRAMP experience advantageous.
Demonstrated experience performing threat modelling, penetration test scoping, and vulnerability management.
Deep understanding of IAM concepts, encryption/key-management, and secure network design.
Excellent communication skills with ability to translate technical risk to non-technical stakeholders.
Ideally you will have certifications such as CISSP, CSSLP, AWS Certified Security.
Familiarity with data privacy controls (tokenization, field-level encryption, data mesh) would be a bonus.
Experience implementing security and governance programs for emergent AI tooling and capabilities.

Benefits

Hybrid working - 1+ days a week in the London office
Wellbeing: Sanctus Coaching, Virtual fitness sessions, Wellbeing webinars, Annual Wellbeing day
Subsidised Gym Membership
Private Medical Insurance (including Dental and Vision) and Life Assurance
25 days holiday (increasing to 30 days at a rate of 1 extra day per year)
Summer Fridays (half-day Fridays for the months of July and August)
Employer pension contribution of 5% of your gross salary, if you contribute a minimum of 3%
Season ticket Loan
Cycle to Work Scheme
Annual Discretionary Bonus

'Here at Orgvue we promote individualism and a diverse workforce to build on our future success'
