
Principal Security Engineer

Develop and implement a comprehensive security architecture for Orgvue's cloud infrastructure
London
Senior
1 month ago
Orgvue

A platform specializing in workforce planning, analytics, and organizational design to optimize business structures and human resource management.

Principal Security Engineer

Orgvue is an organizational design and planning platform that empowers your business to transform its workforce by understanding the work people do and the skills they have. Our platform connects strategy to structure, providing clarity of vision, so you can build a more adaptable, better-performing organization that thrives in a constantly changing world of work.

The company is headquartered in London, with offices in Philadelphia, The Hague, Toronto, and Sydney.

The Principal Security Engineer is a strategic, hands-on leader responsible for evaluating, evolving, and executing Orgvue's security engineering strategy across our entire application development and cloud-hosting estate. Partnering closely with Information Security, Engineering, and Product teams, you will embed secure-by-design principles throughout the software-development lifecycle (SDLC), champion modern DevSecOps practices, and ensure that security is a first-class citizen in everything we build and operate.

This role reports directly to the Chief Technology Officer (CTO) and maintains a dotted-line relationship with the VP of TechOps.

Responsibilities

  • Security Strategy & Governance – Define and continuously refine the technical security roadmap that aligns with business objectives, industry best practice (e.g., NIST CSF, OWASP SAMM), and compliance frameworks (SOC 2, ISO 27001, GDPR).
  • Secure SDLC & DevSecOps – Build and maintain guardrails for static/dynamic analysis, container and IaC scanning, SBOM management, and supply-chain security; automate enforcement through CI/CD pipelines.
  • Cloud & Infrastructure Security – Design and implement robust controls for AWS (primary) and Azure/GCP (secondary): IAM, network segmentation, KMS, secrets management, WAF, EDR, and zero-trust patterns.
  • Identity & Access Management (IAM) – Own enterprise IAM strategy, including RBAC, least-privilege provisioning, SSO, federation (OIDC/SAML), and privileged-access workflows.
  • Monitoring, Detection & Response – Define audit logging, metrics, and telemetry requirements; integrate with SIEM/SOAR to deliver actionable alerts and playbooks for engineering-led incident response.
  • Threat Modeling & Risk Assessment – Conduct regular architecture and code-level reviews, drive remediation plans, and present risk posture to leadership.
  • Tooling & Automation – Evaluate, select, and integrate security tooling (SAST, DAST, SCA, container scanners, CSPM, CWPP) and champion IaC/Terraform modules for reusable controls.
  • Collaboration & Mentorship – Act as a trusted advisor to engineering squads, provide security training, and mentor senior engineers on emerging attack vectors and defensive techniques.
  • Compliance & Audits – Partner with InfoSec and Legal to prepare evidence, manage technical controls, and remediate audit findings.
  • InfoSec Partnership – Collaborate proactively with the Information Security team on policy development, threat intelligence sharing, incident response, and compliance initiatives, ensuring organization-wide alignment.
  • Engineering Partnership & Enablement – Work hand-in-hand with engineering squads to raise security awareness, improve secure coding practices, and foster a culture of shared security ownership.
  • Architecture Alignment – Partner closely with Orgvue's Principal Architect to ensure security patterns, controls, and roadmaps align with overall system architecture and future technical strategy.