Information Security Manager


  • Permanent
  • Merseyside
  • £50,000 – £60,000 per year

Techniche Global

We’re working with a fast-growing e-commerce business to appoint an Information Security Manager to take ownership of security across their technology estate. The role is a hands-on position, sitting closely with engineering and IT, focused on strengthening cloud security (AWS-led), driving vulnerability management, incident response, and embedding security into development and infrastructure from the outset. Alongside the technical side, you’ll also lead on GDPR / PCI-DSS compliance, evolve the security framework, and provide clear reporting to senior leadership – so it’s a good blend of operational security and governance without being a purely policy-led role.

  
Salary: up to £60k per annum
Location: Speke (Liverpool) - hybrid (3 days onsite, Mon-Wed)
Duration: permanent, full-time
  
What You’ll Do
  
Security Operations & Tooling

  •   Own and continuously strengthen our cloud security posture across AWS as our primary platform, with oversight of our Azure and GCP environments.
  •   Manage and optimise our WAF, bot management and DDoS protection to keep our platform secure and performant.
  •   Drive vulnerability management across cloud infrastructure and application code, ensuring timely prioritisation and resolution.
  •   Lead incident response — coordinate detection, investigation, containment and post-incident reviews.
  •   Maintain and evolve security monitoring, alerting and operational runbooks to ensure consistent coverage.

  
Governance, Compliance & Policy

  •   Own and evolve the company’s information security policy framework, ensuring policies remain current, practical and enforced.
  •   Drive UK GDPR, DPA 2018 and PCI-DSS compliance in partnership with the Technology Director and development team.
  •   Lead the security dimension of vendor and third-party risk assessments.
  •   Deliver clear, confident security reporting to senior leadership and due diligence audiences.

Risk Management & Security Culture

  •   Maintain and develop the technology risk register, running regular risk assessments aligned to business continuity planning.
  •   Champion security awareness across the business through training programmes, phishing simulations and practical guidance.
  •   Evaluate the security implications of new tools, integrations and emerging technologies including AI-assisted development.
  •   Contribute to architecture and design reviews, ensuring security is built in from the start.

What The Client is Looking For
 
Required

  • Experience in an information security role (Security Manager, Security Analyst, GRC lead or similar), ideally within a technology or e-commerce environment.
  • Working knowledge of AWS security services such as Security Hub, GuardDuty, IAM, CloudTrail and KMS. AWS is our Client’s primary cloud provider and hands-on familiarity is important.
  •  Practical understanding of UK GDPR, DPA 2018 and PCI-DSS compliance requirements.
  • Experience building or maturing security governance — policies, risk registers, incident response procedures.
  • Ability to communicate security risk and posture clearly to both technical teams and senior leadership.
  • Hands-on comfort with security tooling, log analysis and vulnerability triage — this isn’t a role where you only write documents.

Nice to Have

  •  Relevant certifications such as CompTIA Security+, CISM, AWS Security Specialty or ISO 27001 Lead Implementer.
  • Experience with WAF and bot management in a production e-commerce context.
  •  Familiarity with SIEM, SOAR or security automation tooling.
  • Exposure to ISO 27001 implementation or SOC 2 readiness programmes.
  • Experience with multi-cloud security across Azure and GCP.
  • Background in e-commerce, retail or DTC brands.

What Success Looks Like
In your first six months you’ll have:

  • Taken full ownership of our security tooling and established a clear, measurable improvement plan.
  • Built a structured vulnerability management lifecycle with defined SLAs and visible progress.
  • Strengthened our policy framework and set direction toward a recognised maturity framework.
  • Delivered security reporting that gives senior leadership a clear and confident view of our posture.
  • Launched a security awareness programme with measurable engagement across the business.
  • Built strong working relationships across the technology team and the wider business.

  
Behaviours & Traits

  • Commercially wired – you think in LTV, contribution margin, and payback periods, not just campaign metrics
  • Ownership mindset – you don’t wait to be told; you identify the gap and go close it
  • Comfortable with ambiguity – the playbook doesn’t fully exist yet; you’ll write it
  • Bias for testing – you run experiments, read the data, and act on it quickly
  • Customer-obsessed without being soft – you understand what makes The Company's community tick and you use that commercially

  
  
  


Job Overview

Category: IT - Other
Offered Salary: £50,000 – £60,000 per year
Job Location: Merseyside
Job Type: Permanent