Product Security Architect
Leeds, UK, United Kingdom
Flutter
Flutter is the world’s leading online sports betting and iGaming operator, with a market leading position in the US and across the world. Our ambition is to leverage our significant scale and our challenger mindset to change our industry for...Product Security Architect
Location – Leeds/Dublin
Hybrid - 2 days per week
At Flutter, Product Security encompasses not just application code, but also infrastructure as code, APIs, CI/CD pipelines, containers and third-party dependencies.
The Senior Product Security Architect is responsible for defining, evolving, and championing a group-wide Product Security strategy across all regions and brands. Operating in a federated environment, this role provides strategic guidance, technical direction, and hands-on expertise to help security and engineering teams across the enterprise embed security into the product development lifecycles.
This role is the key advisor on AppSec standards, secure development practices, threat modelling, and security tooling (e.g. SAST, DAST, SCA, IaC scanning, container security, etc.), ensuring consistency and maturity in how applications are built and maintained. By aligning teams with modern DevSecOps principles, developer enablement, and security automation, the role plays a critical part in improving the overall security posture of Flutter’s software estate.
Overall, the Senior Product Security Architect is expected to be a seasoned application security professional who combines technical expertise with strategic vision and leadership. This person has demonstrated success in building or maturing a similar programme and possesses the communication skills to unite both technical teams and business leaders around a common product security vision. They will drive Flutter’s brands towards an advanced security posture – one that not only protects critical assets and meets compliance obligations but also enables business objectives across Flutter’s diverse and dynamic environment.
About Division/Function
Flutter consists of two commercial divisions (Fanduel and International) and our central Flutter Functions; COO, Finance & Legal. Here in Flutter Functions we work with colleagues across all our divisions and regions to deliver something we call the Flutter Edge. It’s what differentiates us, our ‘secret sauce’ which plays a key part in our ongoing success and powers our brands and divisions, through Product, Tech, Expertise and Scale. In Flutter COO we work with experts across Flutter to build, deploy and communicate the Flutter Edge. Together we cover Product & Payments, Technology, Sportsbook Product & Trading, People, Property, Corporate Communications and Strategic Partnerships & Transformation.
What you’ll do
Strategic Leadership & Roadmap: Define and lead the enterprise-wide Application Security and SSDLC strategy, including short, mid, and long-term goals aligned with the group’s security posture and digital transformation initiatives. Develop and maintain AppSec maturity models (e.g. based on OWASP SAMM, NIST SSDF, BSIMM) and work with business units to assess current state and define realistic improvement plans. Drive the development of a global secure development policy, including approved tools, practices, and coding standards.
Technology & Tooling Strategy: Evaluate, recommend, and support the rollout of AppSec tools such as SAST, DAST, SCA, container and IaC scanners, runtime protections, and CI/CD pipeline integrations. Collaborate with platform and DevOps teams to ensure tool integration and automation into developer workflows across brands. Provide architecture guidance on secure design patterns and security tool architecture in cloud-native and hybrid environments.
Global Collaboration: Work closely with the Associate Director of Group Enterprise Security and other domain leads to align strategies and ensure cross-cutting coverage. Define and monitor key AppSec KPIs and metrics (e.g. vulnerability MTTR, scan coverage, risk acceptance trends) and report findings to leadership and the Global Cyber Council. Coordinate secure architecture reviews for critical application initiatives and provide consultative threat modelling support to large cross brand projects.
Continuous Improvement & Innovation: Know the latest on emerging application security technologies, industry best practices, and threat trends. Evaluate new tools or features and where beneficial incorporate them into the strategy. Find opportunities to reduce friction for developers/brands while maintaining security. Continuously assess the program’s maturity across brands and implement improvements to process or technology to elevate weaker areas. The role also entails planning for product-related incident response and disaster recovery – ensuring that teams are prepared to handle a security incident.
Project and Vendor Management: Oversee Secure by Design project execution and coordinate with project managers to ensure results (system implementations, migrations, integrations) are completed on time. Manage relationships with product vendors and service providers (Remaining vendor neutral) – e.g. oversee any integration partners/consultants and ensure we leverage vendor support. Evaluate and select products or upgrades in line with the strategic roadmap. Ensure that vendor solutions are configured to meet our requirements and that any services used governed under group policies.
How you’ll do it
Several years of experience in software development and application security, with recent experience in an AppSec leadership or Security Architecture role.
A track record of designing and implementing enterprise-scale secure development programs and embedding security into engineering culture.
Broad experience integrating with various systems and tools such as: SonarCloud, Checkmarx, GitHub Advanced Security, Snyk, Aqua, Prisma Cloud, Semgrep, etc.
Strong understanding and use of CI/CD ecosystems (e.g. GitLab, Jenkins, Azure DevOps, GitHub Actions) and how to embed security in build and deploy processes.
Experience working in or with regulated industries or large enterprises is highly desirable.
Mergers and Acquisitions integration experience is a plus
Familiarity with industry frameworks and standards: OWASP SAMM, OWASP ASVS, BSIMM, NIST SSDF, ISO 27034.
Lead teams and projects. This could be as an DevSecOps team lead, security architect, or manager for SSDLC initiatives.
Professional certifications in security are highly valued, such as CISSP/CSSLP, CISM, and/or other AppSec-specific certifications.
What’s in it for you
We are a flexible employer; whether you have personal commitments or a hobby that brings you joy, we want you to bring your best self to work and feel empowered to do so. We also like to share our success; after all you make it happen. We have an excellent benefits package that can be personalised to you:
Bonus scheme
Uncapped holiday allowance
Enhanced pension scheme
Private healthcare
Life assurance
Income protection
Hybrid working
£1,000 annual self-development learning fund
Invest via the Flutters Sharesave Scheme
Paid volunteering days
Enhanced parental leave
Wellbeing fund (£/€250 a year)
Recognition programs
Electric car scheme, gym membership, discounts, vouchers and much more!
About Flutter
We are a world leader in online sports betting and iGaming, with a market leading position in the US and across the world.
We have an unparalleled portfolio of the most innovative, diverse and distinctive brands including FanDuel, Sky Betting & Gaming, Sportsbet, PokerStars, Paddy Power, Sisal, tombola, Betfair, MaxBet, Junglee Games and Adjarabet.
With our global scale and challenger mentality, through which we excite and entertain our customers, in a safe and sustainable way. Using our collective power, the Flutter Edge, we aim to disrupt the sector, learning from the past to create a better future for our customers, colleagues and communities.
We’re working to be an inclusive employer, and we encourage people from all backgrounds, ways of thinking and working to apply. Everyone brings different perspectives and experiences; you don't have to meet all the requirements listed to apply for this role.
If you need any adjustments to make this role work for you let us know, and we’ll see how we can accommodate them.
* Salary range is an estimate based on our InfoSec / Cybersecurity Salary Index 💰
Tags: APIs Application security Automation Azure BSIMM Checkmarx CI/CD CISM CISSP Cloud Compliance CSSLP DAST DevOps DevSecOps Finance GitHub GitLab Incident response Jenkins KPIs NIST OWASP Product security SAMM SAST Security strategy SSDLC Strategy Vendor management
Perks/benefits: Career development Fitness / gym Flex hours Parental leave Salary bonus
More jobs like this
Explore more career opportunities
Find even more open roles below ordered by popularity of job title or skills/products/technologies used.