Senior DevSecOps - Cyber Security (Consulting), London, London, United Kingdom

The Company

Cognizant (NASDAQ:CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant has over 340,000 employees as of January 2025. Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 1000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world.

About Cognizant Consulting

To be digital, companies today must have organizational velocity approaching speed of light while providing individualized offerings that result in fanatical levels of customer satisfaction—all with laser-focused cost control. And from applications to infrastructure, processes to operational models and interfaces to experiences—there are digital forces driving change in every part of our clients’ organization. At Cognizant, our consultants orchestrate the capabilities to truly change the game—across strategy, design, technology and industry/functional knowledge to deliver insight at speed and solutions at scale. Our approach is built around elevating business understanding of the aspirations and unique abilities of customers and employees and by building these relationships based on trust and value.

More information? Please visit https://www.cognizant.com/consulting

About the Role

We are seeking a Senior DevSecOps / Security Consultant to assess, embed and uplift security practices across our client’s software delivery lifecycle. This is a security-first role. You come from a cyber security background, not a developer who has pivoted into security, and you will spend your time advising and coaching engineering squads to help them design, build and operate platforms securely by default.

The role is not about deploying a new security toolchain from scratch. The client already has tooling in flight; your job is to make it land. That means running a structured maturity assessment, prioritizing what matters, embedding existing tools properly into developer workflows, and coaching teams to use them well. You will be the bridge between Information Security and Engineering, moving the client beyond point-in-time audits towards a continuous, automated, “shift-left” model.

What You’ll Do - Run the DevSecOps Maturity Assessment

Conduct a comprehensive, evidence-based audit of the client’s current DevSecOps capabilities against recognised industry frameworks. Primarily OWASP SAMM and NIST SSDF, supported where relevant by OWASP ASVS, the NIST Cybersecurity Framework and MITRE ATT&CK for attacker-perspective coverage.
Assess the adoption, configuration and effectiveness of existing controls across SAST, SCA, DAST, IaC scanning, container security and secrets management. The assessment should distinguish between tools that are deployed, tools that are actually running, and tools that are genuinely influencing developer behaviour.
Engage stakeholders across engineering, platform, InfoSec and product to gather both qualitative inputs (interviews, workshops) and quantitative evidence (pipeline telemetry, scan coverage, finding-to-fix data).
Score each product line against SAMM business functions (Governance, Design, Implementation, Verification, Operations) and produce a clear maturity scorecard that highlights where the organisation sits today and what “good” looks like in 12 months.
Produce a prioritised 12-month roadmap, sequenced by risk reduction, delivery effort and developer impact, partnering with Kuan (InfoSec) to align the roadmap with broader security strategy.
Re-baseline maturity periodically through the engagement so progress is measurable and defensible to senior stakeholders.

Embed Existing Security Tooling into Developer Workflows

Take the tools the client has already invested in (such as Snyk, SonarQube and CI/CD platforms like GitHub Actions, Azure DevOps or GitLab) and make them genuinely useful: properly integrated, sensibly configured, and well understood by the engineers using them.
Tune signal-to-noise ratio aggressively. Triage backlogs, suppress false positives with documented rationale, calibrate severity thresholds, and ensure that what reaches a developer is genuinely actionable.
Refine CI/CD security gates so that they block what truly matters and stay out of the way of everything else, protecting both security outcomes and developer flow.
Improve the developer experience of existing controls: clearer failure messages, faster feedback, IDE and pre-commit integrations where they add value, and golden-path templates that make the secure route the easy route.
Curate and maintain a library of secure CI/CD reference patterns built on the client’s current stack, so squads can adopt proven, opinionated guardrails rather than reinventing them.

Coach and Enable Engineering Teams

Embed with developer squads as their trusted security partner, attending stand-ups, sprint planning and design reviews to bring a security lens to day-to-day delivery.
Run secure-coding clinics, brown-bag sessions and pairing sessions to lift the security capability of engineers across multiple product lines.
Translate vulnerability findings into clear, contextualised remediation guidance that developers can act on without hand-holding.
Champion a “security as an enabler, not a blocker” culture, building credibility with engineering by being pragmatic, hands-on and delivery-aware.
Develop enablement materials such as playbooks, cheat sheets and onboarding guides that scale your impact beyond the squads you work with directly.

Lead Threat Modelling and Secure Design

Facilitate threat-modelling sessions at the design phase of new services, features and platform changes, using STRIDE for systematic decomposition and MITRE ATT&CK to ground the conversation in real-world attacker techniques.
Produce lightweight, developer-friendly threat models and secure design patterns that teams can reuse across the estate.
Identify abuse cases, trust boundaries and data-flow risks early, and translate these into concrete acceptance criteria, controls and tests, mapped to MITRE ATT&CK techniques where it helps prioritisation.
Advise on secure-by-default choices for cloud-native workloads: authentication, secrets handling, network segmentation, data protection and least privilege.

Track Metrics, Governance and Progress

Define and track meaningful KPIs such as vulnerability burn-down, mean time to remediate, pipeline coverage and gate effectiveness, and report progress to both engineering and InfoSec leadership.
Use metrics to evidence movement against the maturity roadmap and to guide where to invest coaching and embedding effort next.
Ensure controls remain aligned with internal security standards, OWASP guidance, MITRE ATT&CK coverage objectives and relevant compliance obligations.

What We’re Looking For - Background and Mindset

A security professional first. Your career has been built in cyber security, application security or DevSecOps, rather than as a developer who has moved into security.
Comfortable in code: you read pipelines, IaC and application code fluently enough to have credible technical conversations with senior engineers, even if you are not a full-time developer yourself.
Pragmatic, collaborative and delivery-minded. You understand that security only works when engineering teams want to use it.

Essential Skills and Experience

Demonstrable experience running DevSecOps or AppSec maturity assessments using OWASP SAMM and / or NIST SSDF, and translating findings into prioritised, achievable roadmaps.
A track record of embedding security tooling into existing developer workflows. Not just deploying tools, but driving real adoption, tuning signal-to-noise, and lifting the developer experience.
Working knowledge of CI/CD security tooling (SAST, SCA, DAST, IaC scanning and secrets detection) and platforms such as GitHub Actions, Azure DevOps or GitLab.
Solid grounding in container and cloud workload security: Docker, Kubernetes and at least one major cloud provider (Azure, AWS or GCP).
Experience facilitating threat-modelling and secure design workshops with mixed audiences of developers, architects and product owners, including practical use of STRIDE and MITRE ATT&CK.
Familiarity with OWASP (ASVS, Top 10, SAMM), NIST (SSDF, CSF) and MITRE ATT&CK, with the ability to apply them practically rather than as a checklist.
Strong communication skills. You can explain a complex risk to a developer, a delivery lead and a CISO, and adjust your register for each.

Desirable

Industry certifications such as CISSP, CCSP, CSSLP, CCSK or equivalent.
Exposure to policy-as-code (e.g. OPA / Conftest, Checkov, tfsec) and supply-chain tooling (e.g. SBOMs, Sigstore). Useful for advising clients but not the primary focus of the role.
Awareness of AI / LLM application security concerns (e.g. OWASP Top 10 for LLMs, MITRE ATLAS) and how they reshape secure-design conversations.
Prior consulting experience and the ability to navigate client environments, manage stakeholders and contribute to bid or proposal work where appropriate.

Expected Deliverables

A formal DevSecOps Maturity Assessment Report, including scorecard against OWASP SAMM and NIST SSDF, with attacker-perspective coverage informed by MITRE ATT&CK.
A prioritised 12-month Shift-Left Implementation Roadmap, sequenced by risk and effort.
A library of Secure CI/CD Reference Patterns built on the client’s existing tooling.
Developer enablement materials including playbooks, secure design patterns and training collateral.
A live Security Metrics view evidencing progress against the maturity roadmap.

Engagement Details

Hybrid working, with on-site presence at the client location as required by the engagement.
Initial engagement length and rate / package will be confirmed during the screening conversation, dependent on contractor or FTE preference.
Reporting into the Engagement Lead, working alongside the client’s Head of InfoSec who leads the security workstream.

Quem somos:

Cognizant (NASDAQ: CTSH) é uma construtora de IA e fornecedora de serviços de tecnologia, criando a ponte entre o investimento em IA e o valor para as empresas por meio do desenvolvimento de soluções de IA completas para nossos clientes. Nossa profunda experiência em setores, processos e engenharia nos permite incorporar o contexto único de cada organização em sistemas tecnológicos que potencializam a capacidade humana, geram retornos concretos e mantêm empresas globais à frente em um mundo em rápida transformação. Saiba mais em www.cognizant.com ou @cognizant.

A Cognizant é uma empregadora que investe em equidade. Sua candidatura não será pautada em raça, cor, gênero, sexualidade, credo, origem, deficiência, gravidez ou qualquer outra característica protegida pelas leis brasileiras.

Informações adicionais de emprego

Os candidatos podem ser obrigados a comparecer a entrevistas presenciais ou por videoconferência. Além disso, os candidatos podem ser obrigados a apresentar seu documento de identificação emitido pelo estado ou governo atual durante cada entrevista.

Embora nosso sistema permita a candidatura em todos os idiomas, o(s) idioma(s) e o(s) nível(is) de proficiência exigidos para o trabalho variam. No entanto, é necessário um nível básico de inglês para fins de comunicação em toda a empresa.

Se você tem uma deficiência que requer adaptações razoáveis para procurar uma vaga de emprego ou enviar uma candidatura, envie um e-mail para [email protected] com sua solicitação e informações de contato.