Job description
•Role: DevSecOps Engineer: Azure Cloud
•Location: London or Newcastle
•Salary: London: Up to £85,000 per annum, Newcastle: Up to £74,000 per annum
•Type of contract: Full Time, permanent
•Location: Hybrid working. On-site at our London or Newcastle office 2 days per week minimum
Nationality Requirement:
• UK Nationals
• Nationals of Commonwealth countries who have the right to work in the UK
• Nationals from the EU, EEA or Switzerland with (or eligible for) status under the European Union Settlement Scheme (EUSS)
Please note, we are not able to sponsor work visas or accept temporary visas as we are looking to hire on a permanent basis. Please contact the HR Service desk (hrservicedesk@nao.org.uk) should you have any questions on your nationality eligibility.
Why are we recruiting?
In a world where cyber challenges and opportunities are constantly evolving, we are committed to staying ahead of the curve. With new investment aimed at enhancing the NAO’s security maturity our Information Security team is expanding. This is your chance to join a dynamic organisation with clear strategic objectives and help advance our data use and embrace new technologies securely.
We’re not just growing—we’re evolving. As part of a forward-thinking organisation with a strong mandate to harness data and embrace cutting-edge technologies, our InfoSec team is central to enabling and securing the NAO’s digital future.
We’re on the lookout for passionate, curious, and collaborative security professionals across a wide range of specialisms. Whether your expertise lies in governance, engineering, threat detection, or cloud security, you’ll find real scope to make an impact—both within InfoSec and across the wider organisation.
•Be part of a diverse and expanding team that thrives on challenge and innovation.
•Work in a complex, data-rich environment where your insights will shape national-level outcomes.
•Help embed security into every layer of our digital transformation, from strategy to code.
This is more than a job. It’s a chance to help define the future of security at the NAO and be part of a high performing, and fun team.
Context and main purpose of the job:
Why are we recruiting for this role?
The InfoSec DevSecOps Engineer is an additional role within the NAO’s Information Security function. Working within the Cyber Security function they will have the responsibility for ensuring the security of our applications by implementing robust security controls, supporting the delivery of a DevSecOps approach and collaborating closely with our development teams. As one of our security engineers, you will be at the forefront of driving continuous improvement across a range of software applications, secure coding practices, and supporting the organization’s digital transformation initiatives.
Who are the team?
The role sits within an inclusive, diverse, respectful, and agile team of information security professionals responsible for enabling the business to better understand, identify and manage the threats and risks that could impact the NAO’s ability to deliver on its vision and strategy.
What are the main responsibilities of this role?
The DevSecOps Engineer will play a crucial role in protecting the NAO's information and application assets. This position involves representing the Information Security function's risk appetite in the implementation of new application capabilities and in the development of existing tools and services.
The Cyber Security team will lead on establishing, implementing, and maturing the NAO’s operational AppSec functions and controls, harden the Azure platforms, and work with the Secure Software Development Lifecycle processes.
It is a function critical to the success of the NAO’s strategy, ensuring that application security controls are effectively implemented and adhered to, in line with our policies and procedures, identifying and mitigating risks, and ensuring compliance with policies and regulations, enabling the security, digital and data objectives.
This role requires strong cyber security knowledge, excellent stakeholder management skills and an ability to stay current with emerging technologies and trends in application development and AppSec. It also requires a good understanding of both the definition and the application of strong information security best practice, and close working with the Director of Information Security and the Head of InfoSec to help elevate the NAO's security maturity and embed an information security culture across the organisation.
About the National Audit Office
The National Audit Office (NAO) is the UK’s main public sector audit body. Independent of government, we have responsibility for auditing the accounts of various public sector bodies, examining the propriety of government spending, assessing risks to financial control and accountability, and reviewing the economy, efficiency and effectiveness of programmes, projects and activities. We report directly to Parliament, through the Committee of Public Accounts of the House of Commons which uses our reports as the basis of its own investigations. We employ some 800 staff, most of whom are qualified accountants, trainees or technicians. They work in one of two main areas, financial audit or value for money (VFM) audit.
The NAO welcomes applications from everyone. We value diversity in all its forms and the difference it makes to our organisation. By removing barriers and creating an inclusive culture all our people have the opportunity to develop and maximise their full potential. As members of the Business Disability Forum and the Disability Confident Scheme we guarantee to interview all disabled applicants who meet the minimum criteria.
The NAO supports flexible working and is happy to discuss this with you at application stage.
Relationships:
Reporting to: Director Information Security
Internal: Close working relationships with Info Sec peers, and Digital Services and application development teams.
External: Microsoft and other key suppliers, vendors, and peers in similar organisations.
Resources Managed: None
How to apply
1. Apply online and create a profile on our careers page
2. Submit an up-to-date CV
3. Submit a cover letter setting out briefly why you are suitable for the role based on the key skills/competencies required (maximum 1,000 words)
Selection process
1. Wednesday 13 and Friday 29 August - Longlisted candidates will be invited to an initial telephone interview with either the Director or Head of Information Security
2. Wednesday 3 and Thursday 4 September - Following the initial telephone interview, shortlisted candidates will be invited to a panel interview
Responsibilities:
At this role level, you will:
•Be responsible for proactively integrating security first and continuously throughout a secure application development lifecycle, while reacting to find and fix vulnerabilities in applications.
•Conduct regular security assessments and support penetration testing and their outputs, to identify vulnerabilities in applications.
•Transform technical requirements into an effective application development lifecycle, incorporated into a wider DevSecOps toolchain to enable secure product delivery across all technology pillars (identity, endpoint, data, apps, infrastructure, network).
•Ensure that secure deployment strategies for applications are repeatable, scalable, and highly available.
•Support technical and security teams and suppliers to maintain, sustain, and secure the organization’s digital cloud estate, including providing coaching and mentoring.
•Ensure continuous improvement and change capabilities, thoroughly understanding service requirements, and optimizing resources, services, and tools within a cloud service context.
•Conduct investigative work into problems and opportunities in existing processes, managing information collection, and creating recommendations for process optimization.
•Develop and implement integrated and secure cloud service solutions, leveraging advanced knowledge in cloud computing, data analytics, and enterprise architecture.
•Utilize delivery management, agile methodologies, and Azure DevOps capabilities to ensure project success.
•Maintain a keen awareness of security and digital standards, methods, principles, tools, and applications, making informed choices supported by a strong understanding of the security, digital, AI industries, government digital trends and emerging technologies.
•Azure cloud security and governance: automate security baselines and configuration management using IaC (Bicep/Terraform) and enforce them with Azure Policy.
•Continually improve the Secure Software Development Lifecycle (SSDLC) ensuring that the organisation adopts good practices and standards commensurate with identified risks.
•Support risk assessments and identify and implement effective mitigation strategies.
•Ensure that all cloud services integrate effectively with Information Security's governance, risk, and compliance controls.
Key skills/competencies required:
The skill sets listed also include the corresponding skill level (awareness, working, practitioner, expert):
•Information/Application Security: You can design applications, solutions and services with security controls included, specifically engineered to mitigate security threats. (Skill level: Practitioner)
•Service Support: You can identify, locate, and fix complex application faults. You can advise others on different methodologies and types of application security support. (Skill level: Expert)
•Development process optimisation: You can analyse current processes, and identify and implement opportunities to optimise them. You help to evaluate and establish requirements for the implementation of changes by setting policy and standards. (Skill level: Practitioner)
•Enabling and informing risk-based decisions: You can work with risk owners to advise and give feedback. You advise on risk impact and whether it is within risk tolerance. You can describe different risk methodologies and how these are applied, as well as the proportionality of risk. (Skill level: Working)
•Modern development standards: You can apply modern development standards and support others in applying them. (Skill level: Practitioner)
•Programming and build (software engineering): You can collaborate with others when necessary to review specifications. You use the agreed specifications to design, code, test and document programs or scripts of medium-to-high complexity, using the right standards and tools. (Skill level: Practitioner)
•Prototyping: You can approach prototyping as a team activity, actively soliciting prototypes and testing with others. You establish design patterns and iterate them, using a variety of prototyping methods and choose the most appropriate. (Skill level: Practitioner)
•Research and innovation: You can advise on developments to security properties in technology. You identify new technologies and design their use in a business context. (Skill level: Working)
•Systems Design: You can design systems characterised by medium levels of risk, impact and business or technical complexity. You select appropriate design standards, methods, and tools, and ensure they are applied effectively. You can review the system designs of others to ensure the selection of appropriate technology, efficient use of resources and integration of multiple systems and technology. (Skill level: Practitioner)
•Systems integration: You can define the integration build; co-ordinate build activities across systems and understand how to undertake and support integration testing activities. (Skill level: Practitioner)
• Security technology: You can explain the effect of vulnerabilities on current and future designs, sharing information on a range of systems. (Skill level: Practitioner)
• Understanding security implications of transformation: You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist the development of technical solutions or controls. (Skill level: Working)
Experience
• Demonstrated background in integrating security practices into the DevOps lifecycle, including automated security testing, secure code reviews, and vulnerability management.
• Experience with continuous integration and continuous deployment (CI/CD) pipelines, infrastructure as code (IaC), and the use of security automation tools to embed security throughout the development process.
• Track record of implementing Zero Trust security models, such as identity verification, least privilege access, and continuous monitoring; experience with micro-segmentation, multi-factor authentication (MFA), and adaptive access controls to provide secure, granular resource access.
• Knowledge of industry standards and regulations (e.g. GDPR/Data Protection Act 2018, ISO 27001, NIST), including conducting security audits, risk assessments, and achieving compliance with relevant legal and regulatory frameworks.
• Experience leading investigative work on process optimisation, including identifying problems in current processes, gathering information, and making recommendations for improvements.
Essential
• Analytical and problem-solving abilities, with attention to detail.
• Ability to delegate effectively, facilitate knowledge sharing, and work collaboratively within multi-disciplinary teams, including audit and technology colleagues.
• Initiative and motivation to promote secure practices, continuous improvement, and organisational change.
• Extensive experience as a DevOps professional.
• Working towards, or able to obtain within the first year, a relevant professional certification such as CISSP, CISM, or CRISC.
• Eligibility for SC Security Clearance, or ability to achieve SC clearance promptly.
• Current technical knowledge including:
  • ISO 27001
  • Risk Management
  • Data Protection Act 2018/GDPR
• Awareness of current application security and AI/Gen AI issues, particularly those relevant to government.
Educational requirements: