Job Description

This role is within the Security Consultancy sub-team who provide specialist technical security advice collaborating with technical and business teams throughout the entire or part of a digital solution’s life cycle. The team owns and develops Security Patterns, Security Specifications, and the Threat Modelling Framework, to support secure technology innovation in a changing threat landscape. The purpose of this role is to advise on the technical security aspects of digital solutions to be evaluated or developed and implemented by technology teams across KPMG Group for internal use, or as a service or product to KPMG clients.

The Technical Security Consultant’s responsibilities will vary based on business alignment and will include:

• Lead as an internal consultant at Manager level to an assigned Platform/Product/Capability/Practice Management area as part of our Centre of Excellence function providing technical security direction, stakeholder management, and driving improvements to our ways of working.

• Collaborate with programmes and projects, product and engineering teams to help deliver digital solutions that meet the business need, by supporting and contributing to design reviews. Ensuring that the proposed design, build and run are compliant with the KPMG and client security requirements – ensuring all applicable security controls and patterns are implemented.

• Work alongside internal Design Authorities and Change Management functions to ensure all change initiatives are reviewed, supported, and aligned with KPMG security requirements.

• Using threat modelling to provide risk and threat-based advice to programme stakeholders along with actionable recommendations where necessary in the design and implementation of digital solutions.

• Advise on secure-by-design adoption of AI/GenAI capabilities (e.g. Microsoft 365 Copilot/Copilot Studio and LLM integrations) including prompt and data protection, model/service selection considerations, misuse and abuse cases, and appropriate technical guardrails.

• Manage the scoping of security testing requirements for new systems and products working closely with our Security Testing function.

• Undertake Post Deployment Security Architecture reviews of existing digital solutions. • Support the creation of secure development guidance documentation and eLearning, security patterns and specifications in collaboration with Engineering/Development teams and Enterprise Security Architecture.

• Provide solution architecture support (i.e. PoC, design creation, roadmap support) for security solutions (e.g. AI, IAM).

• Work towards and achieve or extend professional certifications as part of personal development (e.g. security or cloud vendor certifications).

• Share experiences with others to assist their learning and understanding, and promote good security hygiene and its benefits. Prior experience Essential

Skills/Experience:

• Have worked in at least one of:

- Infrastructure/Solution Architect

- Technical Security Architect/Consultant

- Security Operations o Secure application development

• A good understanding of concepts and their application across several key areas including application, cloud, and SaaS security, best practices, and industry standards (and where relevant, AI/GenAI security concepts).

• You will bring hands on experience and knowledge in securing digital products/solutions in at least one or more of the following areas:

- Artificial intelligence (e.g. AWS Bedrock, CoPilot, CoPilot Studio, Google Gemini, Azure OpenAI, Google Vertex)

- Cloud (e.g. AWS, Azure/M365, Google, ServiceNow, SAP)

- Networks (e.g. firewalls, routers, switches, WIFI, LAN/WAN, SDN)

- Operating Systems and hardware (e.g. Microsoft, Linux, Apple, Android)

- Security Solutions (e.g. Entra ID, CyberArk, SailPoint, Threat Modeler)

• Good experience of working in an Agile/DevOps software development environment using Threat Modelling.

• Be able to demonstrate the ability to adapt communication style to explain technical concepts to different people within an organisation whether advising stakeholders, directing teams, or sharing experience.

• Experience prioritising and delivering in an environment with competing demands and evolving requirements.

• Able to navigate through complex security problems to find the root cause and a balanced outcome, taking ownership of activities.

It would be desirable if you can demonstrate some, or all of the following: • Container/serverless platforms.

• Infrastructure/network security.

• Modern application development processes and testing.

• AI/GenAI security (e.g. threat modelling for AI solutions, prompt injection and data exfiltration risks, data poisoning/model integrity risks, model/service supply chain considerations, and applying appropriate guardrails and monitoring).

• Have or working towards technical security certifications (e.g. CISSP, CCSP, Microsoft/Google/AWS technologies).

• Having worked in customer service/regulated environments, delivering high quality information security services.