Cloud Security Engineer
Cloud Security Engineer - Manchester (Hybrid 3 Days Office)
About Finova
Finova is the UK’s largest financial services technology provider, supporting one in every five mortgages nationwide. Our agile, cloud-native solutions enable over 60 banks, building societies, specialist lenders, equity release providers and a network of 2,400+ brokers to stay ahead in a competitive market.
Built on open architecture and backed by deep industry expertise, our platform is designed to scale. Each year, we process over £50 billion in loans, manage nearly £50 billion in savings, and support the digital servicing of more than 650,000 UK borrower accounts.
Be part of a team that’s driving innovation, enabling growth and shaping the future of UK lending.
For Lenders
Finova offers a flexible, modular technology suite designed to help lenders move faster, scale efficiently and deliver standout digital experiences.
Financial Institutions use Finova to launch products faster, process applications up to 50% more efficiently and reduce operational costs — all while staying fully compliant in a fast-moving market.
About the Role:
We’re looking for a Cloud Security Engineer to own the security posture of our multi-cloud SaaS fintech platform across AWS, Azure, and GCP. This is a hands-on, hybrid role. You’ll find yourself reviewing a Terraform pull request before stand-up, tuning CSPM rules at midday, and tracing a misconfigured storage bucket across three accounts before the end of the day.
About you:
Must-Have Experience
Professional Experience: 4–6 years in cloud security, security engineering, or security-focused platform engineering, with hands-on production experience in regulated environments.
Multi-Cloud Mastery: Hands-on experience securing at least two of AWS, Azure, and GCP in production, and working familiarity with all three. You can navigate the consoles and APIs of all three without a tutorial open.
Infrastructure-as-Code: Deep experience with IaC security, primarily utilizing Terraform, plus at least one of Bicep, ARM, CloudFormation, or Pulumi, alongside their associated policy-as-code tooling.
Cloud-Native Security Services: Practical knowledge of tools like Defender for Cloud, AWS Security Hub / GuardDuty / Macie / Inspector, and GCP Security Command Center / Chronicle—including their failure modes, not just their marketing.
Container Security: Practical experience with Kubernetes security (admission control, pod security, network policy, service mesh) and container supply-chain security (image signing, SBOMs, SLSA).
Guardrails as Code: Experience defining and operating cloud guardrails as code (AWS SCPs, Azure Policy, GCP Org Policies), including safe rollout strategies that avoid production disruption.
Network & Core Security: Solid understanding of cloud network security patterns (VPC/VNet design, private connectivity, egress filtering, DNS security) and secrets management (KMS, Key Vault, Secrets Manager, HashiCorp Vault).
SecOps & Multi-Tenancy: Familiarity with cloud detection engineering (CloudTrail, Activity/Audit Logs) and an understanding of how cloud-layer choices (account structure, networking, KMS keys, storage layout) dictate real SaaS tenant isolation.
Consultative Delivery: Experience working as a delivery engineer or consultant for a vendor or consultancy. You have shipped cloud security into customer environments under tight deadlines, navigated diverse stakeholder landscapes, and learned to be effective without direct platform ownership.
Communication: Clear communicator capable of explaining a cloud risk to a developer, a CFO, and an auditor—adjusting technical depth and language appropriately without compromising facts.
Nice-to-Have Experience
Experience working within fintech, payments, banking, or insurance environments.
Hands-on experience securing AI/ML cloud infrastructure (training clusters, GPU workloads, vector databases, model registries).
Experience with CNAPP / CIEM platforms (Wiz, Prisma Cloud, Orca, Microsoft Defender CNAPP, etc.) and an understanding of their trade-offs.
Familiarity with eBPF-based runtime security tooling (Falco, Tetragon, or commercial equivalents).
Experience with FedRAMP, ISO 27001, or other formal compliance regimes beyond SOC 2 / PCI-DSS.
Relevant industry certifications: AWS Security Specialty, AZ-500, GCP Professional Cloud Security Engineer, CCSP, CKS, or CISSP.
Strong scripting skills (Python, PowerShell, Go) for automation, custom tooling, and detection engineering.
Background in offensive cloud security, known cloud attack patterns, red team experience, or contributions to cloud security research.
What will you be doing?
1. Multi-Cloud Posture & CSPM
Tooling & Baselines: Own and tune CSPM tooling across AWS, Azure, and GCP to ensure continuous drift detection and accurate, prioritized findings aligned with CIS Benchmarks.
Remediation & Inventory: Partner with platform teams to fix underlying misconfiguration patterns and template defaults; maintain a real-time, accurate cloud asset inventory.
2. Infrastructure-as-Code (IaC) Security & "Shift-Left"
Pipeline Integration: Embed security scanners (Checkov, tfsec, KICS) into IaC pipelines and build secure-by-default, reusable infrastructure modules.
Guardrails & Design: Define production-grade guardrails as code (SCPs, Azure/GCP Policies) and partner early with developers/SREs to architect secure cloud environments.
3. Network, Workload Security & Data Protection
Network & Edge: Design secure multi-cloud architectures utilizing private connectivity, segmentation, and edge protection (WAF, DDoS).
Containers & Serverless: Harden Kubernetes, container supply chains, and serverless workloads from admission to runtime using policy engines, scanning, and strict event/permission controls.
Data & Secrets: Enforce cross-cloud encryption, key management (KMS/BYOK), and hardened secrets infrastructure (Vault) with automated rotation and access logging.
Standards: Establish cryptographic baselines and implement continuous discovery controls to detect public exposure and sensitive data leaks.
4. Detection, Response & Cloud SecOps
Detection Engineering: Build and tune detections using cloud audit logs and runtime telemetry integrated directly with the SIEM.
Incident Response: Own the cloud IR lifecycle—from writing runbooks and running live tabletops to leading active containment, eviction, and root-cause analysis.
5. AI & ML Infrastructure Security
Asset Hardening: Define the cloud security model for AI/ML pipelines, inventorying assets and hardening GPU/compute paths.
Isolation & Standards: Design strict multi-tenant isolation for training data and embeddings while translating emerging AI frameworks (NIST AI RMF) into engineering standards.
6. Compliance, Evidence & Enablement
Continuous Compliance: Automate continuous evidence collection for SOC 2 Type II and PCI-DSS to streamline audits and customer reviews.
Engineering Enablement: Provide clear standards, office hours, and deep cloud expertise (e.g., IMDS, SSRF mitigation) to help engineering teams safely self-serve.
What We Offer:
Hybrid working 🕰️
Work in a hybrid way that suits you. Our model is primarily office-based, with flexibility to work remotely as needed. We’re committed to supporting a healthy balance between work and life.
Private medical insurance 👩‍⚕️
Comprehensive health cover, with the option to add your family to your plan, because your well-being matters to us.
Life assurance & income protection 💰
We provide life assurance and income protection to give you peace of mind for the future.
Family friendly policies 👶
Our enhanced family-friendly policy goes beyond maternity and paternity leave, offering paid time off for when plans change or alternative paths to parenthood are needed.
Work from anywhere 🌴
Some thrive in the office, others at home — and many do best with choice. With approval, Finova employees can work abroad for up to 4 weeks each year.
Flexible holiday package 🗓️
Enjoy 25 days paid holiday allowance, plus all public holidays. And, you can rebook any public holidays for a day that aligns with your personal beliefs or celebration calendar. We also offer holiday trading, allowing you to purchase or sell your holiday allowance.
Company pension scheme 🏦
With salary exchange, you save on tax and can build a secure future.
Employee assistance programme 💞
We understand that mental health is just as important as physical health. Access to a 24/7 confidential counselling helpline ensures you have support when you need it.
Electric car scheme 🚗
Get a brand-new electric vehicle with salary sacrifice as a benefit, paid for through your gross monthly pay, saving on Income Tax and National Insurance.
Health cash plan 🏥
Our Health Cash Plan empowers you to prioritise your wellbeing by providing effortless reimbursement for everyday healthcare costs, from dental and optical visits to physiotherapy.
Gym discounts 🏋️
Achieve your fitness goals for less with GymFlex, which offers significant savings on annual memberships at over 3,000 gyms and leisure centres nationwide.
Perks that matter 🎁
We fuel your day with a fully stocked pantry of fresh fruit and snacks and keep the team spirit high with weekly socials and events.
Equal Opportunity Statement
We value diversity and are committed to creating an inclusive environment for all employees. If you’re passionate about this role but don’t meet all the criteria, please reach out; we’d love to discuss how your skills and experiences align with our needs.
- Department
- People, Risk, IT & Security
- Role
- IT & Security
- Locations
- Manchester
- Remote status
- Hybrid
- Employment type
- Full-time
About Finova
As a leading fintech innovator, Finova supports 1 in 5 mortgages in the UK. We're in the midst of an exciting transformation, and we're looking for passionate individuals to join us on this journey. If you're ready to be part of a fast-growing company with bold ambitions and real momentum as we shape the future of mortgage and savings technology - let’s talk.