Head of Security Strategy & Architecture

The Head of Security Strategy & Architecture is a senior leadership role responsible for setting the security architecture direction across the organisation and ensuring security controls and capabilities are designed, governed and adopted effectively. You will translate Information Security strategy into clear architectural principles, standards, patterns and roadmaps, and provide the oversight and assurance needed to embed security into change at pace.

You will operate as a trusted senior partner to Technology and the wider business, enabling secure innovation, meeting regulatory expectations, and strengthening security posture through pragmatic, risk-based decision-making.

Key responsibilities

Security strategy, architecture direction and roadmap

  • Define and maintain a security architecture strategy aligned to business objectives, risk appetite and regulatory requirements.
  • Develop and own a multi-year security capability roadmap, working closely with governance, risk and compliance teams to identify control gaps, prioritise improvements and track delivery.
  • Establish architecture principles and reference architectures to guide consistent decision-making across platforms, applications, infrastructure and data.

Security standards and patterns (definition, adoption and governance)

  • Own the organisation’s security standards, ensuring they are clear, implementable and aligned to industry good practice.
  • Define and curate a catalogue of reusable security patterns and blueprints to accelerate secure delivery.
  • Partner with engineering and architecture teams to embed standards and patterns into delivery workflows, assurance checkpoints and technical documentation.

Technical design authority & architectural review

  • Lead (or chair) a security-focused Technical Design Authority, providing governance over key design decisions that have security impact.
  • Define and operate an architectural review process for technology change, ensuring security requirements are addressed early and proportionately.
  • Provide design oversight, challenge and direction for material technology initiatives, balancing security, delivery pace, customer outcomes and operational resilience.
  • Manage exceptions and risk acceptance in line with policy, ensuring clear ownership, time-bound remediation plans and appropriate senior approval.

Security-by-design assurance and business partnering

  • Establish an effective engagement model with Product, Engineering and Delivery to ensure security is integrated into organisational, process and technical change.
  • Provide security assurance across projects and programmes, ensuring risks, issues and decisions are recorded, tracked and transparent.
  • Deliver meaningful management information (MI) for senior stakeholders, covering change demand, security posture themes, key risks and remediation progress.
  • Promote a culture of accountability where security findings are resolved before go-live, with controlled, governed exceptions where required.

Security requirements and control outcomes

  • Define and maintain a structured library of security requirements to support consistent delivery across projects and teams.
  • Ensure requirements are outcome-focused, testable and aligned to architecture standards, enabling repeatability and reducing rework.
  • Support teams in translating requirements into designs that are implementable, operable and auditable.

Third-party security architecture and assurance

  • Set minimum security expectations for third parties and technology suppliers, aligned to regulatory and contractual requirements.
  • Oversee technical assurance activities for suppliers and externally hosted services, ensuring findings are tracked to closure and risk is managed appropriately.
  • Partner with procurement, vendor management and technology owners to improve supplier security outcomes and build proportionate control frameworks.

Platform and application security oversight

  • Provide senior oversight of security capabilities across cloud and application environments, ensuring visibility of risk and consistent remediation.
  • Drive maturity in secure software delivery practices, including secure engineering standards, training, testing/validation approaches and vulnerability management.
  • Ensure application and platform risk is assessed consistently, including support for threat modelling and design-time security reviews.
  • Establish governance for security testing and assurance activities, ensuring coverage is risk-based and outcomes are measured.

Emerging technology and innovation

  • Provide security leadership and architectural guidance for emerging technologies (e.g., AI-enabled products and services), ensuring appropriate governance, risk controls, data protections and assurance are in place.
  • Maintain awareness of external threat trends and industry best practice, translating insight into pragmatic improvements.

Stakeholder management & leadership expectations

  • Act as a senior advisor to the CISO, CIO/CTO and engineering leadership on security architecture decisions, investment and prioritisation.
  • Lead and develop a high-performing security architecture function, setting clear direction, ways of working and quality standards.
  • Influence outcomes through partnership and constructive challenge, building strong relationships across Technology, Risk and the business.

Skills, knowledge and experience

Essential

  • Demonstrable senior experience in security leadership, security architecture, or security engineering within a complex regulated environment (financial services strongly preferred).
  • Strong understanding of enterprise security architecture, control design, and security governance operating models.
  • Proven ability to define and embed security standards and reusable patterns, driving adoption across multiple delivery teams.
  • Experience operating architectural review forums / design authorities, including managing exceptions and risk acceptance workflows.
  • Strong knowledge of cloud and application security concepts, secure software delivery practices, and vulnerability management approaches.
  • Ability to translate risk and security requirements into pragmatic architecture decisions that enable delivery at pace.
  • Excellent communication skills: able to influence at executive level and produce clear, professional written artefacts (standards, design guidance, decision records, MI).

Desirable

  • Familiarity with UK financial services regulatory expectations and operational resilience considerations.
  • Experience shaping security capability roadmaps, control maturity assessments, and investment cases.
  • Experience in third-party assurance models for SaaS, cloud-hosted services, and strategic suppliers.
  • Awareness of security considerations for AI-enabled systems, data processing and model risk.

What success looks like

  • A clear, adopted security architecture strategy and roadmap aligned to business priorities and risk.
  • Standards and patterns that are actively used by engineering teams, improving consistency and reducing delivery friction.
  • Effective architectural review and design authority processes that enable secure change with transparent decision-making.
  • Measurable improvement in platform and application security posture, vulnerability remediation outcomes and assurance quality.
  • Strong governance of third-party security risk and well-managed exceptions.

About us: 

AJ Bell is one of the fastest-growing investment platform businesses in the UK offering an award-winning range of solutions that caters for everyone, from professional financial advisers to DIY investors with little to no experience. We have over 644,000 customers using our award-winning platform propositions to manage assets totalling more than £103.3 billion. Our customers trust us with their investments, and by continuously striving to make investing easier, we aim to help even more people take control of their financial futures.

Having listed on the Main Market of the London Stock Exchange in December 2018, AJ Bell is now a FTSE 250 company.

Headquartered in Manchester with offices in central London and Bristol, we now have over 1,500 employees and have been named one of the UK's 'Best 100 Companies to Work For’ for six consecutive years and in 2025 named a Great Place to Work®.

At AJ Bell you can expect a friendly working environment with a strong sense of teamwork, we have a great sense of pride in what we do, and this is reflected in our guiding principles.

Our perks and benefits:

  • Starting holiday entitlement of 27 days, increasing up to 31 days with length of service and a holiday buy and sell scheme
  • A choice of pension schemes with matched contributions up to 8%
  • Discretionary bonus scheme
  • Annual free share awards scheme
  • Buy As You Earn (BAYE) Scheme
  • Health Cash Plan – provided by SimplyHealth
  • Discounted private healthcare scheme and dental plan
  • Free on-site gym providing a wide range of free classes
  • Employee Assistance Programme
  • Bike loan scheme
  • Sick pay+ pledge
  • Enhanced maternity, paternity, and shared parental leave
  • Discounted nursery fees at Kids Planet on Exchange Quay
  • Loans for travel season tickets
  • Death in service scheme
  • Paid time off for volunteer work
  • Charitable giving opportunities through salary sacrifice
  • Calendar of social events, including monthly payday drinks, annual Christmas party, summer party and much more
  • Parking at Exchange Quay (Subject to availability)
  • Personal development programmes built around you and your career goals, including access to personal skills workshops
  • Ongoing technical training
  • Professional qualification support
  • Talent development programmes
  • Peer recognition scheme, with rewards including restaurant and shopping vouchers or time off
  • Monthly leadership breakfasts and lunches
  • Casual dress code
  • Access to a range of benefits from our sponsorship deals

Hybrid working:

At AJ Bell, our people are the heart of our culture. We believe in building strong connections by working together. That's why we offer a hybrid working model, where you'll spend a minimum of 50% of the month in the office. For new team members, the first 3 months will be spent full-time in the office to help you immerse yourself in our business and build valuable relationships with your colleagues.

AJ Bell is committed to providing an environment of mutual respect where equal employment opportunities are available to all applicants and all employees are empowered to bring their whole self to work.

We do not discriminate on the basis of race, sex, gender identity, sexual orientation, age, pregnancy, religion, physical and mental disability, marital status and any other characteristics protected by the Equality Act 2010. All decisions to hire are based on qualifications, merit and business need.

If you like the sound of the above, or just want to know more about the company and the role, we'd love to speak to you.

Apply Now