Senior Information Security Analyst – Product Assurance
Retail Tech | Hybrid | Large-Scale Engineering Environment
This is a product security role.
Which means you’ll be working with engineering teams to make sure the technology they build is secure from the start - not three weeks after it’s gone live and everyone’s pretending the vulnerability scanner findings are “low priority”.
The environment is big.
Millions of customers. Huge amounts of data. Constant releases. Lots of integrations. Lots of moving parts.
Which means security has to be embedded into engineering, not bolted on afterwards like an awkward compliance exercise.
What you’ll actually be doing
You’ll sit in the Product Assurance team, working closely with engineers, architects and product teams across the business.
In plain English, that means:
* Reviewing architecture and integrations to identify security risks before they become incidents
* Running risk assessments and threat modelling (the useful kind, not the 80‑page PowerPoint kind)
* Advising engineering teams on security controls across modern systems
* Reviewing third‑party and supplier technology to make sure it’s not quietly introducing risk
* Helping coordinate incident response when things inevitably get… interesting
* Contributing to improving the organisation’s overall security posture
There’s also a mentoring element - helping raise the bar across the wider InfoSec and engineering community.
What this role isn’t
* A SOC role
* Writing policies that nobody reads but everyone says they comply with
* Security turning up after a product is already live and asking awkward questions
What it is:
* Security embedded into the product development lifecycle
* Working with engineers while systems are being designed
* Influencing architecture decisions across a large, complex tech environment
In other words - actually having some impact.
What you really need
We’re not expecting you to know everything. Nobody does.
But you’ll likely have:
* Experience securing cloud platforms such as AWS, Azure or GCP
* If you know what a secure CI/CD pipeline looks like and have worked with DevOps teams, this is a good start. If you're thinking DevSecOps, you're on the right path.
* API integrations or microservice architectures would be great
* If you can sling code around (Python etc.), this will go down well, albeit not imperative
* If you have been hands-on with Hack The Box, CTFs or just generally understand how to break things, this will be useful but, again, not imperative
* Knowledge of security frameworks like OWASP, MITRE ATT&CK, NIST or PCI‑DSS (let's be honest, if you don't by now, you are probably in the wrong job)
* A strong understanding of how modern systems are built and integrated
* The ability to assess risk and explain security clearly to both engineers and non‑technical stakeholders
* Experience working in enterprise environments
Certifications such as CISSP, CISM, Security+, CASP+, CCSK etc. are welcomed. But real‑world experience generally beats a wall full of certificates.
You’ll probably be a good fit if:
* You enjoy working with engineering teams rather than policing them
* You prefer preventing security issues rather than investigating them afterwards
* You’re comfortable working across large, complex systems
* You can explain security risks without sounding like a compliance manual
The package? Alongside salary you’ll get:
* Performance bonus up to 20%
* Pension and private healthcare
* Strong learning and development support
* Discounts across multiple brands
The bottom line
If you enjoy influencing how secure systems are built, rather than just reviewing them after the fact, this role will probably suit you.
If you prefer writing 40‑page policies and arguing about password complexity rules... this might not be your thing.
If you’re curious (even if you’re not actively job hunting), feel free to drop me a message for a confidential chat.