Head of Application Security

Date: 21-Jun-2022

Location: GB, EC1A 1AA

Company: Royal Mail Group

Job reference number 265003


Full time


We’re passionate about harnessing technology to deliver the best possible results for customers. The business is in an exciting period of transformation and here, within security, we are influencing and helping drive that change as new services and ways of working are defined and delivered. 

With a proud history of serving the UK, Royal Mail has been able to thrive by continuously adapting and adopting advanced technology and, with over 30 million customer touch points per day, 25,000 end user computers and 70,000 PDAs supported by both on-premise and Cloud platforms, we operate at scale. At Royal Mail Security, we have a leading role in taking the next steps. Our customer and workplace vision for the future is ‘Anytime, Anywhere, Any Device’ and security is a key enabler in accelerating that change and providing safe and secure services. This is the future for our workplace and not just a pandemic response.

With so much growth in parcels and e-commerce and the technology used to deliver our services, we need talented, change focussed people, like you, to help us get there. We know how to support business and communities - and we need to be agile to enable the business to achieve our goals. We’re focusing on investing in the security, technology, processes and people that are going to help us achieve great things together. By joining the RMG Security team, you will be driving meaningful change, pushing forward our transformation as an agile and customer focused team. We face new challenges every day. But we overcome them together, which brings incredible satisfaction and reward as we deliver more innovation, products and essential services for the UK and our customers.


Job Purpose


Royal Mail customers trust that their transactions and private information are secure because of the high standards of security enforced for Royal Mail technology. The Application Security Team is responsible for ensuring that any software developed or acquired meets these stringent standards, while enabling rapid innovation to meet customers’ ever-changing needs.


In this role, your key accountabilities will be:


  • Defining and managing the application security framework. 
  • Integrating security tools, standards, and processes into the product/software development lifecycle.
  • Defining developer secure coding practices and ensuring that developers and QA/test personnel are trained with the appropriate level of security knowledge to perform their daily activities.
  • Improving and supporting application security tool deployments including code analysis testing (*AST), SCA, container and runtime testing tools and integrating them into CI/CD pipelines.
  • Improving and maintaining secure development standards.
  • Supporting the incident response and architecture review processes whenever application security expertise is needed.
  • Managing penetration testing services, including delivering a continuous penetration testing programme.
  • Supporting vendor security activities to ensure third-party software development meets Royal Mail security standards.
  • Integrating threat modelling practices into the product/software development lifecycle.
  • Producing metrics and reporting on the state of application security initiatives, and the performance of development teams against security development standards.


Key Dimensions


  • People Management. Drives and undertakes effective recruitment, coaching, development, motivation and evaluation of staff within the team; creates an environment where the team excels; and drives change and the effective management of application security activities to address cyber security risk.
  • Matrix structure. The role holder must be able to work with and influence developers, QA/test, and Project/Programme delivery colleagues across the whole Royal Mail ecosystem. Strong leadership skills and effective management of highly technical individuals are critical.
  • Team Management. Direct management of a team of 3-5 permanent and flexible resources, and matrix management of other resources where appropriate in support of the cyber security strategy.
  • Influencing Skills and judgement. The role holder will be a security evangelist who can translate security concepts into language that is meaningful to many audiences including business and technical leaders and individual contributors (e.g. developers, QA/test, Portfolio/Programme/Project Managers). The ability to influence decision making at all levels of application/software development will be critical to success.
  • Risk-based and practical. The role holder must be able to approach application security from the perspective of risk management and avoid purely academic thinking about software security.
  • Analytical Skills. Strong analytical skills and the ability to see the big picture and apply the relevant detail to it. Ability to cut through the noise and provide clear and appropriate recommendations and direction. 
  • Communications Skills. Excellent verbal and written communication skills, including experience speaking to leadership and technical colleagues, and writing technical documents.


Qualifications and experience required:


  • Experience in developing and leading high performing small teams in application security.
  • Expert knowledge of application security management and practices. 
  • Expert knowledge and understanding of application security assessment and management methodologies.
  • Familiarity with waterfall and agile development processes, and experience of integrating secure development practices into both methods.
  • Ability to work at senior level and ensure that tactical activity supports the strategic picture.
  • Commercial experience from product selection through to vendor relationship and service management. 
  • Agility of thought and comfort with complexity, together with the patience and resilience to overcome change inertia. 
  • The will to succeed in support of the business’ goals and to align potentially competing agendas to effectively manage cyber security risk within the business risk appetite. 
  • Familiarity with writing and/or testing applications and web services in any of the following programming languages: C#, .NET, Java, PHP or JavaScript.
  • Familiarity with a variety of development and testing tools, for example Visual Studio, IntelliJ, Git, Azure DevOps Pipelines & Deploy, Jenkins and SonarQube.
  • Ability to explain vulnerabilities and weaknesses described in commonly used frameworks (for example OWASP Top 10, WASC TCv2 and/or CWE 25) to any audience, and to discuss effective defensive techniques.
  • Familiarity with industry standards and regulations, e.g. PCI, ISO27001, NIST, etc.
  • Holds, or is willing to work towards, recognised security-related qualifications (e.g. CISM, CISSP).
  • Relevant application security development, management or testing certifications (e.g. CASE, CASS, CSSLP, GWEB).



We are an inclusive employer with equality, diversity and fairness at the heart of our values, and we’re proud to be recognised in The Times Top 50 Employers for Women 2021 for an 8th consecutive year. We welcome applications from individuals from diverse backgrounds and are committed to promoting fair participation and equality of opportunity for all our job applicants.


We are happy to support flexible working and would welcome having a conversation with you about how we could support your needs.
