Security & Identity Architect - Doxford, SR3 3XP
Arriva is a leading European passenger transport partner, operating in 11 countries across the UK and Europe. The company employs around 35,000 people, delivering more than 1.5 billion passenger journeys connecting people and communities safely, reliably and sustainably.
We have strong roots dating back to 1938, an ambitious growth and sustainability agenda, and a continuously developing relationship with I Squared Capital – a global infrastructure investment fund manager – who acquired Arriva in 2024.
We are looking for a Security & Identity Architect to join our Information Security Team on a full time, permanent basis. This role will be based from either our Sunderland, London, Derby or Thurmaston office.
Reporting to the Group Head of Security Operations, the Security and Identity Architect is a strategic and technical leader responsible for embedding group wide Security by Design principles. This role ensures that security is systematically integrated throughout the solution development lifecycle, working closely with architecture, project, and delivery teams to influence and assure the secure design of systems, platforms, and digital services.
A key responsibility of this position is to enhance and implement Arriva’s project assurance framework that evaluates initiatives for adherence to non-functional security requirements. This framework will be tailored to assess risk posture, identify misconfigurations or deficiencies, and support operational teams in mitigating exposure before systems are deployed or go live. The Architect will provide ongoing guidance and oversight to ensure alignment with enterprise security standards.
The role will lead a focused effort on maintaining and implementing non-functional security requirements (NFRs) across the organisation. This includes defining minimum acceptable criteria for identity, access, confidentiality, integrity, availability, and auditability in all technical designs. Additionally, the role will help identify, catalogue, and track security-related technical debt for new systems that fall short of required controls—ensuring these are raised to the appropriate risk registers and prioritized accordingly.
Beyond delivery assurance, the Security and Identity Architect is also responsible for establishing a governance and assurance framework around core identity and access management (IAM) functions, such as asset management, penetration testing, lifecycle management, user access control, RBAC, and privileged access management (PAM). While not directly executing these tasks, the role sets the strategic direction, policies, and key controls to ensure IAM disciplines are managed consistently and securely across IT Teams.
Direct responsibilities:
• Reviews current project assurance framework within Arriva UK, implementing improvements, and rolling out framework across all operating units, including training, monitoring, and mentoring.
• Maintains and improves Arriva’s non-functional requirements for new systems to ensure security by design (SbD) is embedded in our systems, in line with Arriva’s strategic direction and risk appetite.
• Ensures cyber and technology risk is managed in line with risk appetite so that products, solutions and platforms are designed, built, and deployed securely as well as being aligned to organisational goals, and that technical debt arising from insufficient security controls is adequately captured, working with the Head – InfoSec GRC & Awareness to track those risks in the information security risk register.
• Builds relationships and collaborates with senior leaders and professionals across Arriva to understand, communicate and encourage mitigations for technical security risks relating to the implementation of new solutions, ensuring that any remaining risk is signed off by the business.
• Stays updated on the latest security trends, threats, vulnerabilities, and technologies to proactively identify and address emerging risks as well as surfacing those risks during the improvement of Arriva’s technical standards.
• Collaborates within the Group Information Security team and wider Group Information Technology teams to agree project related InfoSec KPIs, set targets and implement monitoring across the organisation.
• Collaborates with internal and external partners to ensure that all software and hardware changes are secure by design, championing strong security architecture and identity management across the technology teams in the business, and proactively identifying and mitigating risks; this includes representing information security on the change advisory board and stage gate reviews.
• Supports the business in understanding the necessity of penetration tests, analysing results, and ensuring vendors implement robust security improvements, working with the Head – InfoSec GRC & Awareness to include and track in the InfoSec risk register.
• Supports infrastructure and architecture teams in defining and delivering IT security services across physical and cloud infrastructures, ensuring compliance with Arriva cyber security standards, regulatory and organisational requirements.
• Contributes to merger and acquisition processes to understand risks related to current security architecture and posture, as well as supporting the onboarding of newly acquired entities/franchises/concessions or any offboarding of legal entities.
• Drives the implementation and auditing of IAM frameworks, including MFA, PIM, and Conditional Access, to enforce a zero-trust security model.
• Supports the wider Arriva group information technology team in creating a holistic Identity and Access Management strategy, supporting the implementation of Information Security related elements to ensure IAM maturity improvements across Arriva’s key systems across the group.
Knowledge, skills & experience:
• Demonstrable experience in designing and implementing security architecture solutions, managing risk and monitoring compliance in a complex organisation.
• Evidenceable knowledge and experience of project delivery and secure software development lifecycles, particularly implementing security by design.
• Demonstrable experience in researching and communicating how emerging technologies can present opportunity, risks, and challenges within Information Security and the broader technology teams.
• Knowledge of all areas of IT security, including: cyber security for digital technologies, identity and access management, authentication and single sign-on, authorisation, logging and monitoring, audit, secure communications and cryptographic services, network and endpoint protection, hosting and cloud, vulnerability management, platform security and systems development lifecycle.
• Experience with cloud platforms (Azure, AWS), DevSecOps, and infrastructure as code.
• Provides clear vision and direction, inspiring and engaging individuals and the wider team to deliver excellence.
• Written and verbal communication and presentation skills. Influencing and negotiating skills. Possesses a proactive and solution-focused attitude, being capable of analysing business problems and delivering real solutions.
• Practitioner qualifications such as CISSP, CEH, OSCP, GCIH are beneficial but not required.
Success criteria & indicators:
• Security non-functional requirements (NFRs) are consistently embedded across all new systems and platforms, with documented assurance reviews and risk sign-offs prior to go-live.
• Group-wide implementation of an enhanced project assurance framework, including training delivery, adoption metrics, and measurable improvements in secure solution design.
• Delivery of a strategic IAM governance framework, with demonstrable improvements in identity lifecycle management, RBAC, PAM, and zero-trust enforcement across key systems.
• Identification, documentation, and tracking of security-related technical debt and risks, with clear escalation to risk registers and evidence of remediation or accepted risk sign-off.
• Active collaboration with architecture, infrastructure, and delivery teams, resulting in measurable improvements in secure architecture practices and reduced security exceptions at stage gates.
This job description sets out the main duties and responsibilities of the jobholder. It does not constitute an exhaustive or comprehensive description of duties and the jobholder will be required to carry out any additional tasks as and when requested to do so by their manager. Responsibilities and duties may also change considering future business needs and personal development.
The closing date for applications is Friday 31st October 2025. Arriva Group reserves the right to close this vacancy early.