Senior Security Engineer – Identity & Access Management (IAM)
London
Rothesay is the UK’s largest pensions insurance specialist, purpose-built to protect pension schemes and their members’ pensions. With over £70 billion of assets under management, we secure the pensions of more than one million people and pay out, on average, approximately £300 million in pension payments each month.
Rothesay is dedicated to providing excellence in customer service alongside prudent underwriting, a conservative investment strategy and the careful management of risk. We are trusted by the pension schemes of some of the UK’s best known companies to provide pension solutions, including British Airways, Cadbury, the Civil Aviation Authority, the Co-Operative, Morrisons, Smiths Industries and Telent.
At Rothesay, we are striving to transform our industry. We believe deeply in creating real security for the future and our leadership in finding new and better ways to do that is the key to our success. To do that, we need the very brightest original thinkers to bring creativity as well as rigour. Rothesay is a rewarding place to work, where quality people can thrive and prosper. We pride ourselves on the connections our people build, many of whom have been with us for over ten years.
Rothesay is investing heavily in a modern, secure, cloud-native technology stack, backed by executive sponsorship and a multi-year strategic transformation. As part of this journey, we’re expanding our Information Security team to embed security into every phase of our software delivery lifecycle.
This is an opportunity to join a high-impact Security Engineering team helping drive a culture of secure-by-design development across our AWS-first environments. If you are passionate about developer enablement, automation, and modernising how security is integrated into engineering, we want to hear from you.
What you’ll do:
You’ll be a hands-on member of the Security Engineering team, driving the adoption of security capabilities across Desktop & Communications, Identity & Access Management, SDLC, and Security Architecture practices.
Your primary focus will be delivering DevSecOps best practices and automation across Rothesay’s engineering landscape. Your responsibilities will include:
- Partner with developers and platform engineers to embed security into the SDLC — from threat modelling and design reviews to secure coding guidance and CI/CD security controls.
- Build and integrate scalable security tooling into AWS-native pipelines and developer workflows (e.g. SAST, DAST, secrets scanning, dependency management).
- Advocate for and implement "security as code" practices – automated guardrails, pre-approved templates, and policy-as-code for infrastructure and application security.
- Enable teams to take ownership of security outcomes by driving education, tooling, and cultural alignment.
- Contribute to Security Engineering’s broader capabilities across Desktop & Communications, Identity & Access Management, SDLC, and Security Architecture.
- Identify and remove friction in user experiences without compromising on security, helping to ensure security is treated as a first-class citizen.
- Monitor for emerging threats and continuously improve controls, patterns, and organisational guidance.
What we’re looking for:
Required:
- 5+ years of technical experience in Security Engineering, DevSecOps, or Software Engineering.
- Deep understanding of secure development principles and DevSecOps practices.
- Proven experience securing CI/CD pipelines, infrastructure-as-code, and cloud-native application development – ideally in AWS.
- Strong hands-on experience with at least some of the following: Terraform, GitLab, AWS Security Hub, Wiz, or similar.
- Clear, confident communicator – able to work across engineering teams and influence positive security culture change.
- Solid knowledge of security principles, modern software delivery, and cloud-native architecture (containers, serverless, APIs).
Desirable:
- Experience driving security culture or maturity improvements within engineering-led teams.
- Familiarity with industry frameworks like NIST, OWASP ASVS, CIS Benchmarks.
- Exposure to Zero Trust concepts and cloud-native security architectures.
- Prior experience in regulated industries, especially financial services.
- Certifications such as AWS Security Specialty, CSSLP, or GIAC DevSecOps.
We’re not just looking for someone to implement controls — we’re looking for someone who wants to influence how we build securely, empower engineers to own security outcomes, and help shift security left in a meaningful, pragmatic way.
Rothesay competencies
- Dedication to role – Motivated to provide an effective support service across all facets of role
- Team Player – Demonstrates evidence of being a strong team player, collaborates well with others and encourages other team members
- Communication – Ability to communicate what is relevant and important in a clear, constructive and concise manner
- Organised – Ability to work under pressure and prioritise workload in a fast-paced environment. Ability to work autonomously with limited supervision
- Creative and innovative – Looks for ways to improve current processes and help develop creative solutions that have practical value for the team
- Judgement and Problem Solving – Proactive, sees the big picture and willing to be flexible to solve issues as they arise
Disclaimer
This position description is intended to describe the duties most frequently performed by an individual in this position. It is not intended to be a complete list of assigned duties, but to describe a position level. The role shall be performed within a professional office environment. Rothesay Life has health and safety policies that are available for all workers upon request. There are no specific health risks associated with the role.
Inclusion
Rothesay actively promotes diversity and inclusivity. We know that our success depends on our people and that by nurturing a culture that values difference, we create a stronger, more dynamic business. We welcome applications from all qualified candidates, regardless of race, colour, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability or age.