Job description | Role: DevSecOps Engineer: Azure Cloud
Location: London or Newcastle
Salary: London: Up to £85,000 per annum, Newcastle: Up to £74,000 per annum
Type of contract: Full Time, permanent
Location: Hybrid working. On-site at our London or Newcastle office 2 days per week minimum
Nationality Requirement
UK Nationals
Nationals of Commonwealth countries who have the right to work in the UK
Nationals from the EU, EEA or Switzerland with (or eligible for) status under the European Union Settlement Scheme (EUSS)
Please note, we are not able to sponsor work visas or accept temporary visas as we are looking to hire on a permanent basis. Please contact the HR Service desk (hrservicedesk@nao.org.uk) should you have any questions on your nationality eligibility.
The deadline for applications is 11.55pm 5th October 2025. Please do not wait until the deadline as we will be reviewing applications throughout the campaign.
Secure the Future. Shape the Cloud. Drive Innovation.
In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investments aimed at enhancing the NAO’s security maturity, our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.
We’re not just growing—we’re evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO’s digital future.
We’re on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you’ll find real scope to make an impact—both within InfoSec and across the wider organisation.
•Be part of a diverse and expanding team that thrives on challenge and innovation.
•Work in a complex, data-rich environment where your insights will shape national-level outcomes.
•Help embed security into every layer of our digital transformation—from strategy to code.
This is more than a job. It’s a chance to help define the future of security at the NAO and be part of a high performing, collaborative, and innovative team.
Who are the team?
The role sits within an inclusive, diverse, respectful, and agile team of information security professionals responsible for enabling the business to better understand, identify and manage the threats and risks that could impact the NAO’s ability to deliver on its vision and strategy.
Why are we recruiting for this role?
The DevSecOps Engineer is an additional role within the NAO’s Information Security team. Working within the Cyber Security function they will have the responsibility for ensuring the security of our applications by implementing robust security controls, supporting the delivery of a DevSecOps approach and collaborating closely with our development teams.
As one of our security engineers, you will be at the forefront of driving continuous improvement across a range of software applications and secure coding practices, supporting the organisation’s digital transformation initiatives, working on Gen-AI security, applying Zero Trust architecture, and helping build a transformational secure development environment.
What are the main responsibilities of this role?
The DevSecOps Engineer will play a crucial role in protecting the NAO’s information and application assets. This position involves representing the Information Security function’s risk appetite in the implementation of new application security capabilities and the development of existing tools and services.
The Cyber Security team will lead on establishing, implementing, and maturing the NAO’s operational AppSec functions and controls, hardening the Azure platforms, and supporting the Secure Software Development Lifecycle processes.
This function is critical to the success of the NAO’s strategy. It ensures that our controls are effectively implemented and adhered to in line with our policies and procedures, identifies and mitigates risks, and ensures compliance with policies and regulations, enabling the security, digital and data objectives.
We welcome candidates with strong experience or transferable skills, broad security knowledge, excellent stakeholder management skills, and an ability to maintain currency with emerging technologies and trends in the application development and AppSec fields.
This opportunity would suit someone with a good understanding of both the definition and application of information security best practice who will work closely with Information Security leadership to help elevate the NAO's security maturity and embed an information security culture across the organisation.
Why You’ll Love This Role
•Make a Real Impact: Your work will help protect the NAO’s data and systems and enable secure digital transformation.
•Work on Cutting-Edge Tech: From Zero Trust architectures to Gen-AI security, you’ll be at the forefront of modern security engineering.
•Collaborate and Innovate: Join a diverse, inclusive team that values curiosity, creativity, and knowledge sharing.
•Flexibility That Works for You: Enjoy hybrid working (at least 2 days in the London or Newcastle office) and flexible arrangements to support your work-life balance.
•Grow Your Career: We’ll support your growth with access to certifications, hands-on experience with AI security, and opportunities to shape our Zero Trust strategy.
About the National Audit Office
The National Audit Office (NAO) is the UK’s main public sector audit body. Independent of government, we have responsibility for auditing the accounts of various public sector bodies, examining the propriety of government spending, assessing risks to financial control and accountability, and reviewing the economy, efficiency and effectiveness of programmes, projects and activities. We report directly to Parliament, through the Committee of Public Accounts of the House of Commons which uses our reports as the basis of its own investigations. We employ some 800 staff, most of whom are qualified accountants, trainees or technicians. They work in one of two main areas, financial audit or value for money (VFM) audit.
The NAO welcomes applications from everyone. We value diversity in all its forms and the difference it makes to our organisation. By removing barriers and creating an inclusive culture all our people have the opportunity to develop and maximise their full potential. As members of the Business Disability Forum and the Disability Confident Scheme we guarantee to interview all disabled applicants who meet the minimum criteria.
The NAO supports flexible working and is happy to discuss this with you at application stage.
Relationships:
Reporting to: Director Information Security
Internal: Close working relationships with Info Sec peers, and Digital Services and application development teams.
External: Microsoft and other key suppliers, vendors, and peers in similar organisations.
Resources Managed: None
Responsibilities:
What You’ll Do
As a DevSecOps Engineer, you’ll play a hands-on role in shaping the security of our cloud platforms and applications. Here’s how you’ll make a difference:
Secure Development & Vulnerability Management
•Embed security throughout the software development lifecycle, ensuring vulnerabilities are identified and resolved quickly.
•Conduct security assessments and support penetration testing to strengthen application resilience.
•Continuously improve the Secure Software Development Lifecycle (SSDLC) and promote best practices.
You’ll help ensure our applications are resilient and trusted by our colleagues and clients.
DevSecOps & Automation
•Transform security requirements into automated, scalable solutions within a modern DevSecOps toolchain.
•Design and implement repeatable, secure deployment strategies for applications across identity, data, apps, and infrastructure.
•Automate security baselines and configuration management using IaC (Bicep/Terraform) and enforce them with Azure Policy.
You’ll have the freedom to experiment with new tools and approaches to keep us ahead of evolving threats.
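As an illustration of the “baseline as code, enforced by Azure Policy” pattern described above, the following Bicep template is an added example written for this page; it is not NAO code and the policy, assignment and parameter names are assumptions. It defines a custom policy that denies (or, in Audit mode, only reports) storage accounts that do not require secure transfer, then assigns it at subscription scope so the baseline applies to every future deployment rather than relying on each team to remember the setting.

```bicep
// Added example, not from the NAO job advert. Subscription-scope deployment that
// codifies one security baseline rule as an Azure Policy definition and assigns it.
// Resource names and the parameter name are assumptions for illustration.
targetScope = 'subscription'

@description('Policy effect. Deny blocks non-compliant deployments; Audit only reports them.')
@allowed([
  'Audit'
  'Deny'
])
param effect string = 'Deny'

// Custom policy: storage accounts must have supportsHttpsTrafficOnly = true.
resource httpsOnlyPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-storage-without-https'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Storage accounts must require secure transfer (HTTPS)'
    description: 'Baseline control: plain-HTTP access to storage accounts is not permitted.'
    parameters: {
      effect: {
        type: 'String'
        defaultValue: 'Deny'
        allowedValues: [
          'Audit'
          'Deny'
        ]
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            // Policy alias for the secure-transfer property on the storage account.
            field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly'
            notEquals: 'true'
          }
        ]
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// Assign the definition at the subscription so it applies to all resource groups.
// enforcementMode 'Default' makes Deny effective; 'DoNotEnforce' would evaluate
// compliance without blocking, which is useful while rolling the baseline out.
resource httpsOnlyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'enforce-storage-https'
  properties: {
    displayName: 'Enforce HTTPS-only storage accounts'
    policyDefinitionId: httpsOnlyPolicy.id
    enforcementMode: 'Default'
    parameters: {
      effect: {
        value: effect
      }
    }
  }
}
```

Deploy it with `az deployment sub create --location uksouth --template-file storage-https-policy.bicep` (optionally `--parameters effect=Audit` for a first, non-blocking pass), then trigger an evaluation with `az policy state trigger-scan` and review compliance before switching to Deny. The same pattern generalises: each baseline control becomes a versioned definition in the repository, reviewed in a pull request like any other code, and the assignment is what turns the documented baseline into an enforced one.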
Cloud Security & Governance
•Develop and maintain secure cloud service solutions, leveraging Azure security capabilities with cloud computing, data analytics, and enterprise architecture.
•Ensure all cloud services align with governance, risk, and compliance controls.
•Support the broader InfoSec functions with delivery, configuration and optimisation of new and existing cloud security tools and services.
You’ll ensure our cloud platforms are secure, compliant, and resilient, so the NAO can innovate with confidence.
Continuous Improvement & Collaboration
•Lead investigations into process, resource and tool improvements and implement optimisations.
•Coach and mentor technical teams, fostering a culture of security-first thinking and continuous learning.
•Stay ahead of emerging technologies, AI trends, and government digital standards to inform security strategy.
You’ll help us work smarter, optimise processes, and foster a culture where security is everyone’s responsibility.
Risk & Compliance
•Support risk assessments, advise on and implement effective mitigation strategies.
•Ensure compliance with security and regulatory requirements across all services.
You’ll protect the NAO from evolving threats and regulatory risks, safeguarding public trust and accountability.
Key skills/competencies required:
The skill sets listed also include the corresponding skill level (awareness, working, practitioner, expert):
•Information/Application Security: You can design applications, solutions and services with security controls included, specifically engineered to mitigate security threats. (Skill level: Practitioner)
•Service Support: You can identify, locate, and fix complex application faults. You can advise others on different methodologies and types of application security support. (Skill level: Practitioner)
•Development process optimisation: You can analyse current processes and identify and implement opportunities to optimise them. You help to evaluate and establish requirements for the implementation of changes by setting policy and standards. (Skill level: Practitioner)
•Enabling and informing risk-based decisions: You can work with risk owners to advise and give feedback. You advise on risk impact and whether it is within risk tolerance. You can describe different risk methodologies and how these are applied, as well as the proportionality of risk. (Skill level: Working)
•Modern development standards: You can apply modern development standards and support others in applying them. (Skill level: Practitioner)
•Programming and build (software engineering): You can collaborate with others when necessary to review specifications. You use the agreed specifications to design, code, test and document programs or scripts of medium-to-high complexity, using the right standards and tools. (Skill level: Practitioner)
•Prototyping: You can approach prototyping as a team activity, actively soliciting prototypes and testing with others. You establish design patterns and iterate them, using a variety of prototyping methods and choose the most appropriate. (Skill level: Practitioner)
•Research and innovation: You can advise on developments to security properties in technology. You identify new technologies and design their use in a business context. (Skill level: Working)
•Systems Design: You can design systems characterised by medium levels of risk, impact and business or technical complexity. You select appropriate design standards, methods, and tools, and ensure they are applied effectively. You can review the system designs of others to ensure the selection of appropriate technology, efficient use of resources and integration of multiple systems and technology. (Skill level: Practitioner)
•Systems integration: You can define the integration build; co-ordinate build activities across systems and understand how to undertake and support integration testing activities. (Skill level: Practitioner)
•Security technology: You can explain the effect of vulnerabilities on current and future designs, sharing information on a range of systems. (Skill level: Practitioner)
•Understanding security implications of transformation: You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist the development of technical solutions or controls. (Skill level: Working)
Experience
Strong background in DevSecOps/ AppSec practices:
•Proficient in integrating Security into the DevOps lifecycle, including automated security testing, secure code reviews, and vulnerability management. The candidate should have experience with CI/CD pipelines, infrastructure as code (IaC), and security automation tools to ensure security is embedded throughout the development process.
Leading continuous improvement & problem management:
•Strong experience of leading investigative work into problems and opportunities in existing processes for optimisation. Experience in managing and leading the collection of information and creation of recommendations for improvements.
Extensive experience in implementing Zero Trust security models:
•A track record of deploying Zero Trust architectures, including identity verification, least privilege access, and continuous monitoring. This includes experience with micro-segmentation, multi-factor authentication (MFA), and adaptive access controls to ensure secure and granular access to resources.
Knowledge of compliance and regulatory requirements:
•Familiarity with industry standards and regulations (e.g., GDPR/DPA2018, ISO27001, NIST) and experience ensuring that security implementations meet these requirements. The candidate should be adept at conducting security audits, risk assessments, and ensuring compliance with relevant legal and regulatory frameworks.
Essential
•Analytical and problem-solving skills, with an attention to detail.
•Collaborate confidently—share knowledge, delegate effectively, and work seamlessly with multidisciplinary teams.
•Curious, adaptable, and committed to advancing security practices and continuous improvement.
•Broad experience as a DevOps or AppSec professional in an Azure environment.
•Holding a relevant professional certification such as CISSP, CISM or CRISC, or working towards one and able to achieve it within the first year.
•SC Security Clearance, or able to achieve SC clearance quickly.
Preferred
•In-depth technical knowledge:
ISO27001
Risk Management
Data Protection Act 2018 / GDPR