Lead Cloud Security Engineer

As the living, growing home of our national story, The National Archives is already a special place to work. We’re an institution nearly 200 years old with a collection spanning 1,000 years of history. But it’s where we go next that makes things really interesting. In our strategic vision: Archives for Everyone, we set ourselves the challenge of becoming the 21st Century national archive – a different kind of cultural and heritage institution: Inclusive, Entrepreneurial, Disruptive. We won’t become this overnight. It will take time, focus, effort and daring. That’s where you come in. Because we can’t do this without you.

Salary: £60,000 – £64,500 per annum

Contract type: permanent

Band: G / Grade 7

Closing date: Sunday 25th January at midnight

Our digital services support preservation and access at scale – and securing our systems means protecting history itself. We are seeking cyber professionals with hands‑on technical skills and a passion for protecting data and infrastructure that underpins national memory. Join us and be part of a unique, purposeful mission.

As the Lead Cloud Security Engineer, you will lead TNA wide initiatives to protect digital assets, data and cloud infrastructure from ever evolving threats. The role demands deep technical expertise, leadership in secure by design implementation and architecture governance, and the ability to influence decisions across departments and external suppliers. You will be accountable for the design, implementation and continuous improvement of multi‑cloud security frameworks (AWS, Azure and other environments), aligned with government standards and resilient to emerging risks. Your work protects critical information from malicious attacks, accidental loss and unauthorised access.

Reporting to the IT Security & Information Assurance Manager, you will own the “how” of secure cloud delivery across TNA – translating policy objectives into actionable technical standards, guardrails and patterns, and making the implementation decisions that ensure they are adopted effectively.

You will chair a virtual Technical Design Authority (TDA) to embed secure by design practices across AWS, Azure and other cloud environments, define technical standards and roadmaps to reflect the desired cyber security posture and remain hands‑on engineering solutions, codifying controls and leading complex investigations. Through the TDA you hold decision rights to set guardrails and approve exceptions across directorates, combining technical authority, governance leadership and practical delivery to keep TNA’s systems secure, compliant and cost‑efficient.

As Lead Cloud Security Engineer, you will spearhead strategic decision‑making and shape the overall security posture of our cloud infrastructure. You’ll collaborate closely with cross‑functional teams across The National Archives to define security architecture, evaluate emerging technologies, and establish work practices and technologies that align with business objectives and regulatory requirements. Leveraging deep expertise in cloud platforms and threat landscapes, you’ll guide the selection and implementation of security controls, drive risk assessments, and lead incident response planning. Your leadership will ensure that security is embedded into every stage of cloud adoption and operations, fostering a culture of proactive defence and continuous improvement.

This is a full‑time post. However, requests for part‑time working, flexible working and job share will be considered, taking into account at all times the operational needs of the Department. A combination of onsite and home working is available and applicants should be able to regularly travel to our Kew site for a minimum of 60% of their work time.

• Interview: Interviews will be held on‑site at The National Archives in Kew
• Personal Statement: We ask all applicants to submit work history details and a personal statement, not exceeding 1200 words

Selection for interview will be based on the ‘essential’ requirements in the job description below so please ensure that your statement demonstrates in detail how you meet these requirements.

Artificial Intelligence can be a useful tool to support your application, however, all examples and statements provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, as your own) applications may be withdrawn and internal candidates may be subject to disciplinary action. Please visit the Civil Service Careers website where you can find further information on the use of AI in the application guidance section.

SC clearance/willingness to obtain SC clearance will be required for this role. This requires candidates to have been resident in the UK for at least the past three years. Please do not apply if you have been resident in the UK for less than three years as your application will be rejected.

• Define and enforce technical standards, roadmaps and guardrails, reference architectures and patterns for secure cloud delivery across AWS, Azure, on‑premises systems and SaaS platforms.
• Implement and maintain policy as code and IaC controls (e.g., Terraform); integrate security into CI/CD pipelines.
• Harden IAM, tune CSPM policies, develop Sentinel and Wiz queries, and lead complex incident response, automation and root cause remediation.
• Software supply chain security: Own patterns for SBOMs, dependency risk management, build provenance/signing, and secrets management integrated into CI/CD.

• Chair the virtual TDA – approve guardrails and exceptions; standardise threat‑modeling and design review processes.
• Influence architectural decisions across directorates; advise senior stakeholders on risk and technical trade‑offs.
• Define method, artefacts and cadence for threat modelling across services; measure and report adoption through the TDA.

• Drive cost efficiencies across the security tooling portfolio (e.g., Wiz, Microsoft Defender/Sentinel, CI/CD security tools): optimise licensing, remove duplication, benchmark value and recommend investment/disinvestment options to the Head of IT Operations (budget holder).

• Provide technical and thought leadership to both internal and external stakeholders and mentoring across teams; build security engineering communities of practice. Influence and negotiate with technical and business stakeholders and drive adoption of good security practices across the organisation and suppliers.
• Represent TNA externally (e.g., Secure by Design forums, conferences) and share thought leadership.

• Normal office environment
• Display Screen Equipment user

• Significant expert knowledge of cloud security in either AWS or Azure, with proven experience leading cross‑organisation security initiatives.
• Demonstrable experience in architecture governance (guardrails, patterns, exceptions) and standardising threat modelling.
• Strong hands‑on engineering skills: IaC, CI/CD security, IAM hardening, CSPM tuning, incident response.
• Ability to drive cost efficiencies and make evidence‑based recommendations.
• Technical expertise in the following tech stack: AWS, Azure, Microsoft 365, GitHub, Kubernetes, Terraform, Linux, JAMF, Sentinel and Defender for Endpoint.
• Experienced in excellent communication and able to influence up to senior leadership, delivering complex technical concepts and summarising complicated events to senior stakeholders up to and including board level.

• Relevant certifications (AWS/Azure Security, CISSP, CCSP).
• Experience of external engagement in security communities.

This post maps to the Government Digital & Data capability framework across Security architect (Senior/Lead) and Development operations (DevOps) engineer (Senior/Lead):

• Security architect (Senior/Lead): designs and governs secure solutions, sets patterns and guardrails, and enables risk‑based decisions across teams.
• DevOps engineer (Senior/Lead): automates and integrates security within build/deploy pipelines, manages tooling and environments, and writes software to enforce standards.

Core skills at practitioner/expert level include designing secure systems, enabling risk‑based decisions, information security, systems design, modern standards approach, programming & build, incident management and problem management (as defined in the Government Digital & Data skills A‑Z).

The Civil Service is committed to attract, retain and invest in talent wherever it is found. To learn more please see the Civil Service People Plan and the Civil Service D&I Strategy.

Generous benefits package, including pension, sports and social club facilities, onsite gym, discounted rates at our on‑site cafe and opportunities for training and development. Annual leave entitlement of 25 days per calendar year (rising to 26 days after 2 years’ service, and incrementally to 30 days after six years) and 10½ days public and privilege holidays per annum.

Any move to The National Archives from another employer will mean you can no longer access childcare vouchers. This includes moves between government departments. You may however be eligible for other government schemes, including Tax‑Free Childcare. Determine your eligibility at https://www.childcarechoices.gov.uk.

If a person with disabilities is put at a substantial disadvantage compared to a non‑disabled person, we have a duty to make reasonable changes to our processes.

If you need a change to be made so that you can make your application, you should:

• Contact The National Archives via careers@nationalarchives.gov.uk as soon as possible before the closing date to discuss your needs.
• Complete the ‘Reasonable Adjustments’ section of your application form to tell us what changes or help you might need further on in the recruitment process. For instance, you may need wheelchair access at interview, or if you’re deaf, a Language Service Professional.

Feedback will only be provided if you attend an interview or assessment.

Successful candidates must pass a disclosure and barring security check.

People working with government assets must complete basic personnel security standard checks.

This job is broadly open to the following groups:

• UK nationals
• Nationals of Commonwealth countries who have the right to work in the UK
• Nationals of the Republic of Ireland
• Nationals from the EU, EEA or Switzerland with settled or pre‑settled status or who apply for either status by the deadline of the European Union Settlement Scheme (EUSS).
• Relevant EU, EEA, Swiss or Turkish nationals working in the Civil Service
• Relevant EU, EEA, Swiss or Turkish nationals who have built up the right to work in the Civil Service
• Certain family members of the relevant EU, EEA, Swiss or Turkish nationals

Further information on nationality requirements.

The Civil Service Code sets out the standards of behaviour expected of civil servants.

We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission's recruitment principles.

The Civil Service embraces diversity and promotes equal opportunities. As such, we run a Disability Confident Scheme (DCS) for candidates with disabilities who meet the minimum selection criteria.

The Civil Service also offers a Redeployment Interview Scheme to civil servants who are at risk of redundancy, and who meet the minimum requirements for the advertised vacancy.

This vacancy is part of the Great Place to Work for Veterans initiative.

• Name: The National Archives Recruitment Team
• Email: careers@nationalarchives.gov.uk

If you feel your application has not been treated in accordance with the Recruitment Principles and you wish to make a complaint, in the first instance, you should contact The National Archives via email: careers@nationalarchives.gov.uk. If you are not satisfied with the response you receive from the Department, you can contact the Civil Service Commission at https://civilservicecommission.independent.gov.uk/recruitment/recruitment-complaints/.