Application Security Engineer

London, England, United Kingdom

Spotlight Sports Group is a global media and technology company specialising in content and data within sports betting, horse racing and fantasy sports. With over 400 employees, the group operates multiple award-winning brands, including Racing Post, the world’s largest horse racing affiliate, Pickswise, myracing and Free Super Tips. We partner with leading operators across the betting industry to produce and build multilingual, best-in-class digital products and content to engage and educate customers. ICS-digital, an international marketing agency including ICS-translate, also operates under the group.

Job purpose:

To ensure that new and current software development projects protect the confidentiality, integrity and privacy of our data by leveraging industry best practices, innovative approaches, and specialist knowledge.

To help further embed and normalise security practices in tech and engineering, build relationships within all teams and work with them to deliver robust, reasonable and proportional security governance.

Accountabilities:

The Application Security Engineer will:

  • Act as the first point of contact and consultation for Tech and business teams launching new efforts, providing innovative thinking on the best ways to protect privacy and security during the planning, researching, and designing phases. 
  • Review new system designs and major infrastructure modifications for security implications, and recommend sign-off or improvements prior to implementation.
  • Review and understand existing architectures and platforms (including cloud solutions) to identify and remediate integration challenges. 
  • Collaborate with cross-functional teams to integrate security measures into the Software Development Life Cycle (SDLC) and CI/CD pipelines, ensuring early detection of vulnerabilities and adherence to secure coding practices.
  • Perform security reviews of core applications, services, and systems and recommend security enhancements.
  • Conduct internal and external penetration testing to identify vulnerabilities, assess security controls, and ensure compliance with industry standards and best practices.
  • Partner with the engineering teams on new development and application models and consult with development teams during sprint efforts to ensure they make the right decisions when handling large volumes of guest and colleague data. 
  • Advocate for security best practices by implementing security policies, raising awareness, and fostering a culture of proactive security compliance and continuous improvement.
  • Review and improve the Secure Software Development Life Cycle (SDLC) and update the documentation to ensure the latest code quality, identity management, and security best practices are captured and followed.
  • Assist as required with specialist knowledge during security investigations.
  • Oversee the vulnerability management lifecycle, including the identification, prioritisation, and remediation of security vulnerabilities to safeguard critical systems and data.
  • Manage relationships with third-party vendors to ensure timely delivery of services, cost-effectiveness, and alignment with company goals.

Requirements

Essential:

  • Experience in Cyber Security is preferred; however, any combination of experience, education, or certification that demonstrates the candidate can be successful in information security and/or IT risk management with a focus on security, performance and reliability, is acceptable.
  • Solid understanding of information security principles, security protocols, cryptography, authentication, authorisation and risk management.
  • Application development experience with programming languages and/or scripting languages: Java, C++, Ruby, Python, Perl, PHP, Node.js, Bash, or others.
  • Adequate knowledge of web related technologies (Web applications, Web Services and Service Oriented Architectures) and of network/web related protocols.
  • Adequate knowledge of mobile related technologies (native mobile applications, services, frameworks, APIs).
  • Experience securing any of these cloud services platforms: GCP, AWS or Azure
  • Good working knowledge/experience working with infrastructure and development teams to embed security into new infrastructure and applications.
  • Good working knowledge of common web and mobile vulnerabilities, current IT risks and experience implementing security solutions.
  • Ability to interact with a broad cross-section of personnel to explain and enforce security measures.
  • Excellent written and verbal communication skills as well as business acumen and a commercial outlook.

 

Desirable:

  • Strong experience in Information Security, Governance, Risk & Compliance
  • Previous experience in ISO 27001/27002, ITIL and COBIT environments
  • Relevant certification such as CSSLP, CISSP

Benefits

We offer a range of well-being initiatives, including private medical insurance, excellent parental leave, a working globally policy, mental health support, assistance programs, and social gatherings. We also provide a pension scheme and various other benefit schemes. Plus, we all get our birthdays off work and enjoy 25 days of holiday per year.

We’ve also got you covered with life assurance and exclusive perks like the Star card and our Step Further Awards (our employee recognition program) to recognise your dedication. For those working via the hybrid model (in the office and at home) we’ve made commuting easier with our Season Ticket Loan and Cycle to Work Scheme.

You can also take advantage of complimentary access to our Racing Post Members Club, complete with an Ultimate Membership. We believe in making a positive impact beyond the workplace, and you'll have the chance to volunteer two days per year with our charity partner, Autism in Racing.
