Role Overview
We’re looking for an Information Security Manager to take ownership of information security across the business. You’ll be the go‑to authority on cybersecurity — managing security tooling, driving compliance programmes, leading risk assessments and communicating security posture to senior leadership.
We’ve built strong foundations and we need someone to own this domain full‑time: to keep raising the bar, strengthen what’s in place and embed security into the way the whole organisation works. This is a hands‑on role in a fast‑growing e‑commerce business where security is treated as a priority, not an afterthought.
What You’ll Do
Security Operations & Tooling
* Own and continuously strengthen our cloud security posture across AWS as our primary platform, with oversight of our Azure and GCP environments.
* Manage and optimise our WAF, bot management and DDoS protection to keep our platform secure and performant.
* Drive vulnerability management across cloud infrastructure and application code, ensuring timely prioritisation and resolution.
* Lead incident response — coordinate detection, investigation, containment and post‑incident reviews.
* Maintain and evolve security monitoring, alerting and operational runbooks to ensure consistent coverage.
Governance, Compliance & Policy
* Own and evolve the company’s information security policy framework, ensuring policies remain current, practical and enforced.
* Drive UK GDPR, DPA 2018 and PCI‑DSS compliance in partnership with the Technology Director and development team.
* Lead the security dimension of vendor and third‑party risk assessments.
* Deliver clear, confident security reporting to senior leadership and due diligence audiences.
Risk Management & Security Culture
* Maintain and develop the technology risk register, running regular risk assessments aligned to business continuity planning.
* Champion security awareness across the business through training programmes, phishing simulations and practical guidance.
* Evaluate the security implications of new tools, integrations and emerging technologies including AI‑assisted development.
* Contribute to architecture and design reviews, ensuring security is built in from the start.
What We’re Looking For (Required)
* Experience in an information security role (Security Manager, Security Analyst, GRC lead or similar), ideally within a technology or e‑commerce environment.
* Working knowledge of AWS security services such as Security Hub, GuardDuty, IAM, CloudTrail and KMS. AWS is our primary cloud provider and hands‑on familiarity is important.
* Practical understanding of UK GDPR, DPA 2018 and PCI‑DSS compliance requirements.
* Experience building or maturing security governance — policies, risk registers, incident response procedures.
* Ability to communicate security risk and posture clearly to both technical teams and senior leadership.
* Hands‑on comfort with security tooling, log analysis and vulnerability triage — this isn’t a role where you only write documents.
Nice to Have
* Relevant certifications such as CompTIA Security+, CISM, AWS Security Specialty or ISO 27001 Lead Implementer.
* Experience with WAF and bot management in a production e‑commerce context.
* Familiarity with SIEM, SOAR or security automation tooling.
* Exposure to ISO 27001 implementation or SOC 2 readiness programmes.
* Experience with multi‑cloud security across Azure and GCP.
* Background in e‑commerce, retail or DTC brands.
What Success Looks Like
* Taken full ownership of our security tooling and established a clear, measurable improvement plan.
* Built a structured vulnerability management lifecycle with defined SLAs and visible progress.
* Strengthened our policy framework and set direction toward a recognised maturity framework.
* Delivered security reporting that gives senior leadership a clear and confident view of our posture.
* Launched a security awareness programme with measurable engagement across the business.
* Built strong working relationships across the technology team and the wider business.
Behaviours & Traits
* Commercially wired - you think in LTV, contribution margin, and payback periods, not just campaign metrics.
* Ownership mindset - you don't wait to be told; you identify the gap and go close it.
* Comfortable with ambiguity - the playbook doesn't fully exist yet; you'll write it.
* Bias for testing - you run experiments, read the data, and act on it quickly.
* Customer‑obsessed without being soft - you understand what makes Protein Works’ community tick and you use that commercially.