| Job description | •Role: Cyber Security Engineer: Identity and Infrastructure
•Location: London or Newcastle
•Salary: London: Up to £80,000 per annum, Newcastle: Up to £70,000 per annum.
•Type of contract: Full Time, permanent
•Location: Hybrid working. On-site at our London or Newcastle office 2 days per week minimum
Nationality Requirement:
• UK Nationals
• Nationals of Commonwealth countries who have the right to work in the UK
• Nationals from the EU, EEA or Switzerland with (or eligible for) status under the European Union Settlement Scheme (EUSS)
Please note, we are not able to sponsor work visas or accept temporary visas as we are looking to hire on a permanent basis. Please contact the HR Service desk (hrservicedesk@nao.org.uk) should you have any questions on your nationality eligibility.
Why are we recruiting?
In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investment aimed at enhancing the NAO’s security maturity our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.
We’re not just growing—we’re evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO’s digital future.
We’re on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you’ll find real scope to make an impact—both within InfoSec and across the wider organisation.
-Be part of a diverse and expanding team that thrives on challenge and innovation.
-Work in a complex, data-rich environment where your insights will shape national-level outcomes.
-Help embed security into every layer of our digital transformation—from strategy to code.
This is more than a job. It’s a chance to help define the future of security at the NAO and be part of a high performing, and fun team.
Context and main purpose of the job:
Why are we recruiting for this role?
Supporting the NAO’s strategic objective to improve our digital and data capabilities and enabling innovation, our expanded Information Security team requires a skilled cyber security engineer with broad capabilities, dedicated to delivering new and developing existing cyber security capabilities.
The Cyber Security Engineer will lead on the development of our critical cyber security systems, tools, and processes, maintaining and improving the NAO’s security posture and risk profile in support of our ambition of being an exemplar organisation.
Who are the team?
The role sits within an inclusive, diverse, respectful, and agile team of information security professionals responsible for enabling the business to better understand, identify and manage the threats and risks that could impact the NAO’s ability to deliver on its vision and strategy.
What are the main responsibilities of this role?
The Cyber Security Engineer will lead on the development and optimisation of identity and authentication, secure build and infrastructure security, securing our use of endpoint technologies, and public, private and hybrid cloud technologies, across various SaaS, PaaS, and IaaS services.
The successful candidate will have an excellent knowledge of how to deliver secure-by-design and an understanding of how to develop and enhance these capabilities.
The Cyber Security Engineer will advise on, support, and implement best practice controls within the Microsoft Defender, Azure and Intune suite of security and technology management services. They will maintain currency with the evolving Microsoft security and data privacy tools available to the NAO, optimising the controls and identifying any gaps.
They will be able to communicate effectively with all levels of users, demonstrate competence, instil confidence, and deliver a high level of internal customer service. They will coach team members, helping them to develop their skills. They will also educate and advise colleagues on information security best practice.
They will be required to use their experience, initiative, research, and problem-solving skills to resolve issues and create written documentation.
The “hands-on” role requires a thorough understanding of the Microsoft’s Azure and Defender tools at an expert level, as well as the ability to adapt to new technologies, learn new procedures, determine the source of problems, and advise on both tactical and strategic solutions. You’ll bring a proactive and security-first mindset and an ability to bridge between technical engineering and strategic security objectives.
About the National Audit Office
The National Audit Office (NAO) is the UK’s main public sector audit body. Independent of government, we have responsibility for auditing the accounts of various public sector bodies, examining the propriety of government spending, assessing risks to financial control and accountability, and reviewing the economy, efficiency and effectiveness of programmes, projects and activities. We report directly to Parliament, through the Committee of Public Accounts of the House of Commons which uses our reports as the basis of its own investigations. We employ some 800 staff, most of whom are qualified accountants, trainees or technicians. They work in one of two main areas, financial audit or value for money (VFM) audit.
The NAO welcomes applications from everyone. We value diversity in all its forms and the difference it makes to our organisation. By removing barriers and creating an inclusive culture all our people have the opportunity to develop and maximise their full potential. As members of the Business Disability Forum and the Disability Confident Scheme we guarantee to interview all disabled applicants who meet the minimum criteria.
The NAO supports flexible working and is happy to discuss this with you at application stage.
Relationships:
Reporting to: Director Information Security
Internal: Close working relationships with Info Sec peers, and Digital Services and application development teams.
External: Microsoft and other key suppliers, vendors, and peers in similar organisations.
Resources Managed: None
How to apply
1. Apply online and create a profile on our careers page
2. Submit an up-to-date CV
3. Submit a cover letter setting out briefly why your suitable for the based on the key skills/competencies required (maximum 1,000 words)
Selection process
1. Friday 8 and Friday 15 August - Longlisted candidates will be invited to an initial telephone interview with either the Director or Head of Information Security
2. Monday 1 and Tuesday 2 September- Following the initial telephone interview, shortlisted candidates will be invited to a panel interview |
|---|
| Responsibilities | Responsibilities:
While the role will be broad and varied the early priorities will include:
Vulnerability Management & Hardening
•Expand and optimise vulnerability scanning tools and processes
•Maintain the Vulnerability Management processes and co-ordinating the response to vulnerability remediation
•Oversee remediation plans and ensure secure configurations (CIS, Microsoft baselines) across all environments
•Build and maintain secure images for endpoints, VMs, and servers (Intune, Azure)
Identity & Access Security
•Design, implement and maintain Conditional Access policies aligned to Zero Trust principles
•Lead privileged identity management (PIM/PAM) efforts using Microsoft Entra and Defender tools
•Maintain and configure password vaulting solutions for service and privileged accounts
Infrastructure & Cloud Security
•Harden Azure resources and services in line with industry standards (e.g., Microsoft Defender for Cloud recommendations)
•Manage and fine-tune Web Application Firewall (WAF) configurations and network security control
•Contribute to security architecture and secure design reviews of infrastructure projects
Testing & Assurance
•Support insider threat simulations and light internal red-teaming (e.g., phishing, credential testing, lateral movement)
•Collaborate with SecOps services to tune detection rules and response playbooks
Stakeholder Engagement
•Evangelising information security, as an SME, across the NAO.
•Collaborate with and build relationships with key stakeholder groups, such as Information Security and Digital Services.
•Build strong relationships with stakeholder groups outside of the team to establish a strong understanding of the organisation and its needs.
Risk Management
•Proactively identify, evaluate, and assess threats and risks that may impact the NAO’s ability to deliver on its vision and strategy.
•Contribute to the management and maintenance of the Information Security Risk Register.
•Manage and coordinate the delivery of appropriate and proportionate risk treatments in line with the NAO’s risk appetite.
Continuous Improvement
•Maintain awareness of security industry best practice to drive continuous improvement within the organisation.
•Identify, develop, implement, and continuously improve appropriate and proportionate cloud security controls in response to an evolving threat landscape.
•Provide technical expertise in support of internal security designs, projects, and activities.
•Work in collaboration with the wider Information Security and Digital Services teams in the continuous improvement of cloud controls, policies, and standards; as part of our ISO27001 certified Information Security. |
|---|
| Skills required | Key skills/competencies required:
Essential
• Substantial experience in cyber security with a particular focus on infrastructure, cloud security, and identity access management.
• Relevant professional certifications (for example, AZ-500, SC-300, CISSP, CEH, CompTIA Security+).
• Practical experience with Microsoft Entra ID, Conditional Access, Defender for Endpoint/Cloud, and Intune.
• Applied knowledge of configuring web application firewalls (e.g., Azure Front Door, AWS WAF, Cloudflare).
• Experience in establishing and maintaining vulnerability management programmes and patch governance.
• Understanding of Zero Trust Architecture and principles of identity-driven security.
• Experience with Privileged Access Management (PAM) tools such as Entra PIM, CyberArk, BeyondTrust, or Thycotic.
• Familiarity with password vault solutions (for example, HashiCorp Vault, KeePass, 1Password Teams).
Desirable
• Experience in working within, or implementing, an ISO 27001 Information Security Management System (ISMS).
• Knowledge of scripting and automation tools and languages (e.g., PowerShell, Terraform, Python, RegEx).
• Exposure to insider threat detection or internal penetration testing methodologies.
• Experience working in regulated sectors or security-focused environments. |
|---|
