Job Description

Are you a cyber security engineer who gets genuine satisfaction from closing vulnerabilities, not just finding them?

DNV Energy Systems is seeking a Senior Cyber Security Engineer to take ownership of the hands-on delivery of security across a portfolio of digital products. In this role, you will work closely with product and engineering teams to actively reduce risk, meet compliance requirements, and embed secure, sustainable practices that last.

OUR OPPORTUNITY

Reporting to the Digital Portfolio Manager, you will be the primary security engineering resource for the UK&I digital product portfolio. You will own the security posture of the portfolio end-to-end, from tooling and triage through to remediation support, assessment execution, and audit preparation.

This is an individual contributor role with substantial scope. You'll be the one closest to the work, with direct influence over how security is practised across the portfolio. There is genuine opportunity for the function to grow around you as the team expands.

You will work across multiple products and engineering teams simultaneously, acting as the technical security authority for the region. You’ll be joining teams that value security and want to get it right, giving you the platform to drive meaningful, lasting improvements.

What you’ll do:

Vulnerability Management & Tooling

• Maintain and operate SAST/DAST tooling (including Veracode) across the digital portfolio

• Lead CVE triage, assessing severity, exploitability and remediation priority across all products

• Track and manage vulnerability remediation to closure, working directly with engineering teams

• Maintain the portfolio security risk register, ensuring visibility of open issues and remediation status

Security Assessment & Audit

• Plan and execute security assessments across the product portfolio against DNV standards and industry frameworks (eg OWASP ASVS)

• Support audit preparation and evidence gathering for internal and external audit cycles

• Maintain assessment documentation, findings registers and remediation tracking artefacts

Secure Development Practice

• Embed security into the software development lifecycle (SDL/SSDLC) across product teams

• Conduct threat modelling and architecture review for new and materially changed products

• Advise development teams on secure coding practices, dependency management and secrets handling

• Act as technical security subject matter expert, the first point of contact for engineering and product teams when security questions arise

We value all our people and the contributions they make to our business, so it’s important that our rewards make us all feel valued here. That’s why we offer a flexible reward and benefits package, allowing you to choose the things that matter most to you, including;

• Exceptional Development and career progression opportunities with regular development discussions with your manager

• Non-contractual Profit Share Scheme

• Lifestyle benefits: 26 days annual leave + bank holidays, opportunity for up to 10 days unpaid leave, sabbatical leave, flexible working options

• Wellbeing benefits: (including Private Medical, Dental Insurance, Health Assessments, Gym allowance). Company contribution towards eye tests and glasses (for computer/laptop users), and Flu Vaccinations. Also, our Employee Assistance Programme (EAP) provides free and confidential support for issues including work, family, relationships, money and health and we provide free fruit in our offices

• Financial Benefits: including a Pension Scheme with employer pension contributions up to 9%, Life Assurance and Income Protection

• Travel benefits: Season Ticket Loan, Cycle to Work Scheme, Electric Vehicle Salary Sacrifice Scheme (for personal use)

• Re-imbursement of relevant Professional Membership Fees (up to £570)

• Access to employee retail discount site for high street and on-line shopping

DNV is an Equal Opportunity Employer and gives consideration for employment to qualified applicants without regard to gender, religion, race, national or ethnic origin, cultural background, social group, disability, sexual orientation, gender identity, marital status, age or political opinion. Diversity is fundamental to our culture and we invite you to be part of this diversity.

We’re looking for a Cyber Security Engineer who is focused on practical outcomes and understand that lasting remediation comes from a combination of strong technical fixes, clear communication, good documentation, and solid process.

Our colleagues come from a vast range of different backgrounds, and we value the diversity of experience, knowledge and thought that this brings to our approach. We therefore try to keep our mandatory requirements to a minimum. As a Senior Cyber Security Engineer, there are a few typical traits that we’d love you to bring, to complement the more specific role requirements.

Essential

• Experience with application security tooling (SAST, DAST, SCA) including commercial platforms such as Veracode

• CVE triage and vulnerability management capability across multi-product environments

• Working knowledge of OWASP Top 10, ASVS, and common web application attack vectors

• Experience executing or supporting security assessments and audit preparation

• Ability to communicate technical security risk clearly to non-security audiences, including product and senior stakeholders

• Comfortable working as an individual contributor across multiple products simultaneously

Desirable

• Experience with cloud-hosted applications and infrastructure security (AWS, Azure or GCP)

• Familiarity with ISO 27005, ISO 27001 or equivalent risk management frameworks

• Exposure to threat modelling methodologies (STRIDE, PASTA or similar)

• Relevant security certifications (CEH, OSCP, CISSP, CompTIA Security+, or equivalent)

• Experience in energy, infrastructure, engineering consultancy, or other regulated technical environments

We recognise that equivalent tools and frameworks exist across the industry. If your experience is with comparable tooling or your background doesn't map neatly to our list, we’d still like to hear from you, we’re interested in your underlying capability and the value you’d bring to the role.