Head of Product Security – CISO function - BPL

London, United Kingdom

Apply for job

Key information

Date live: 09/06/2026

Business Area: BPL - Product

Area of Expertise: Technology

Contract: Permanent

Reference Code: JR-0000116438

It’s happening at Barclays.

Be a part of a place where challenges are measured in billions, qubits and nanoseconds. Build your career in an environment where we’re advancing machine learning, leveraging blockchains, and harnessing FinTech. Working in Barclays technology, you’ll reimagine possibilities: learning and innovating to solve the challenges ahead, delivering for millions of customers.
We are shaping the future of financial technology.
Why not join us and make it happen here?

Where will you be located?

Explore location

Head of Product Security – BPL CISO

Product Security | CISO Function

Department

CISO Function — Product Security

Reports To

Chief Information Security Officer (CISO)

Role Purpose

The Head of Product Security leads the pillar responsible for ensuring everything the company builds and ships is secure by design. This is the most agile-facing pillar in the CISO function — it must embed into product squads without becoming a bottleneck, own the shift-left programme, manage the developer security toolchain, and provide assurance that releases meet the organisation’s security and compliance requirements. The role requires a blend of technical depth, developer empathy, and pragmatic risk management. The ideal candidate is someone who understands application security at a hands-on level, has run a security champions programme in an agile engineering organisation, and knows how to make security a service that engineering teams want to use rather than a gate they try to avoid. You will work more closely with engineering leadership than with regulators — this is a builder’s role, not an auditor’s role.

Key Responsibilities

Own and drive the shift-left security programme, ensuring security is integrated into the earliest stages of the software development lifecycle through threat modelling, secure design patterns, and automated tooling.
Manage the security champions programme, recruiting, training, and supporting champions across all product squads
Own the developer security toolchain (SAST, DAST, SCA, secrets scanning) and ensure it is integrated into all CI/CD pipelines with minimal developer friction and calibrated thresholds to avoid noise.
Establish and operate the vulnerability management lifecycle, including scanning orchestration, triage, prioritisation, SLA assignment, remediation tracking, and exception management.
Chair the weekly Vulnerability Review Board, making prioritisation decisions on critical and high-severity findings in collaboration with engineering leads.
Define and publish the security engagement model for product and engineering teams, including trigger points (new service, new integration, pre-release), SLAs, and escalation paths.
Oversee threat modelling for new services and major changes, ensuring threat models are completed before development progresses beyond initial design.
Own the security sign-off process for production releases, providing risk-based release decisions (approved, approved with conditions, deferred, escalated) rather than binary pass/fail gates.
Provide self-service security capabilities to product teams: threat model templates, security stories backlog, secure coding guides, and accessible tooling documentation.
Produce security assurance reporting for the CISO, including vulnerability trends, SDLC integration metrics, champion programme health, and developer satisfaction with security.
Collaborate with Security Architecture and Engineering on the “paved road” of secure defaults, patterns, and base images that product teams build upon.
Manage and develop the Product Security team, balancing deep technical capability with developer relations skills.

Key Deliverables

Security champions programme with training curriculum, monthly meetup cadence, and recognition framework.
Developer security toolchain fully operational and integrated into 100% of CI/CD pipelines.
Vulnerability management dashboard with SLA tracking, ageing analysis, and trend reporting.
Product security engagement model document (trigger points, SLAs, outputs, escalation paths).
Security release certification process with standardised decision framework.
Monthly product security report for CISO (vulnerability trends, tooling adoption, champion coverage, developer satisfaction).
Threat model register with completion tracking and findings remediation status.
Secure coding standards documentation for all primary programming languages.
Developer security training curriculum and workshop materials.

Required Skills and Experience

CSSLP, OSCP or similar certifications.
Experience with PCI Software Security Framework (SSF) and its application to payment processing software.
Previous career as a software engineer or developer before moving into security — you understand the developer experience from the inside.
Experience with bug bounty programme management.
Payments acquiring, FinTech, E-Pay - application security experience.
Contributions to open-source security tools, OWASP projects, or published security research.
Experience with security tooling for Kubernetes-native applications.
Several years of progressive experience in application security or product security, with a number of years in a leadership role managing a product security or AppSec team.
Deep understanding of modern application security: OWASP Top 10, API security (REST, gRPC, GraphQL), microservices security, container security, and secure coding practices.
Proven experience building and running a security champions programme in an agile engineering organisation
Hands-on experience with SAST, DAST, SCA, and secrets scanning tools and their integration into CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions, or equivalent).
Experience managing a vulnerability management programme with defined SLAs, exception processes, and stakeholder reporting across multiple engineering teams.
Strong developer empathy — demonstrable ability to work with engineering teams as a partner, not an adversary. Ideally you have a software development background yourself.
Experience operating a security function within agile or DevOps delivery models, including sprint-aligned engagement and security backlog management.
Understanding of PCI DSS software security requirements and their practical application in a cloud-native, microservices environment.
Experience with threat modelling frameworks (STRIDE, PASTA, attack trees) and their application to modern architectures.
Strong communication skills for influencing engineering leadership, presenting to executives, and writing clear guidance for developers.

Purpose of the role

To provide specialist proactive and reactive investigative service in response to physical incidents, cyber security incidents, external fraud insider threats and criminal conduct.

Accountabilities

Implementation of governance, risk and controls principles to inform risk assessment, identifying risks by adhering to the banks Risk and Control Framework and takes accountability in mitigating risk.
Engagement with internal stakeholders and provide subject matter knowledge and expertise in investigative techniques across physical incidents, cyber security incidents, external fraud insider threats and criminal conduct.
Contribution to and enhancement of an effective control environment, ensuring that processes, risks and controls are applied in way that achieves a good outcome for the bank and its customers/clients.
Enhancement of processes, tools, and techniques for detecting, addressing and preventing fraud, using knowledge and understanding of fraud methodology and industry benchmarks.
Identification and analysis of emerging insider threats and vulnerabilities in the banking industry, including security logs, alerts and suspicious activities, though assessments to detect and prevent insider threat behaviours. .
Collaboration with external stakeholders, including law enforcement agencies, to provide technical support and guidance during investigations and legal proceedings. .
Data management systems use, support and access for searching, extracting and formatting data to support the investigative processes. .

Director Expectations

To manage a business function, providing significant input to function wide strategic initiatives. Contribute to and influence policy and procedures for the function and plan, manage and consult on multiple complex and critical strategic projects, which may be business wide..
They manage the direction of a large team or sub-function, leading other people managers and embedding a performance culture aligned to the values of the business. Or for an individual contributor, they lead organisation wide projects and act as deep technical expert and thought leader, identifying new ways of working and collaborating cross functionally. They will train, guide and coach less experienced specialists and provide information affecting long term profits, organisational risks and strategic decisions..
Provide expert advice to senior functional management and committees to influence decisions made outside of own function, offering significant input to function wide strategic initiatives.
Manage, coordinate and enable resourcing, budgeting and policy creation for a significant sub-function.
Escalates breaches of policies / procedure appropriately.
Foster and guide compliance, ensure regulations are observed that relevant processes in place to facilitate adherence.
Focus on the external environment, regulators, or advocacy groups to both monitor and influence on behalf of Barclays, when appropriate.
Demonstrate extensive knowledge of how the function integrates with the business division / Group to achieve the overall business objectives.
Maintain broad and comprehensive knowledge of industry theories and practices within own discipline alongside up-to-date relevant sector / functional knowledge, and insight into external market developments / initiatives.
Use interpretative thinking and advanced analytical skills to solve problems and design solutions in often complex/ sensitive situations.
Exercise management authority to make significant decisions and certain strategic decisions or recommendations within own area.
Negotiate with and influence stakeholders at a senior level both internally and externally.
Act as principal contact point for key clients and counterparts in other functions/ businesses divisions.
Mandated as a spokesperson for the function and business division.

All Senior Leaders are expected to demonstrate a clear set of leadership behaviours to create an environment for colleagues to thrive and deliver to a consistently excellent standard. The four LEAD behaviours are: L – Listen and be authentic, E – Energise and inspire, A – Align across the enterprise, D – Develop others.

All colleagues will be expected to demonstrate the Barclays Values of Respect, Integrity, Service, Excellence and Stewardship – our moral compass, helping us do what we believe is right. They will also be expected to demonstrate the Barclays Mindset – to Empower, Challenge and Drive – the operating manual for how we behave.

Barclays welcomes applications from all candidates and is committed to ensuring reasonable adjustments (accommodations) are put in place to allow for a fair and inclusive recruitment process. For more information and how to request one, please review Adjustments to the recruitment process.

We’re a global, vital and highly respected financial organisation with an inspiring Purpose. Operating in 39 countries and employing around 100,000 people across the world, we help communities, individuals and businesses thrive. And we’ve created financial solutions and technology that the world now takes for granted. A career with us can offer incredible variety, depth and breadth of experience, and the chance to learn from some of the best minds in technology and finance.

To find out more about Barclays' strategy please click here.

We are an equal opportunity employer and opposed to discrimination on any grounds. It is the policy of Barclays to ensure equal employment opportunity without discrimination or harassment on the basis of race, colour, creed, religion, national origin, alienage or citizenship status, age, sex, sexual orientation, gender identity or expression, marital or domestic/civil partnership status, disability, veteran status, genetic information, or any other basis protected by law.

Barclays is required by law to confirm that you have the Legal Right to Work in any role that you apply for. If you currently hold a work visa sponsored by Barclays, or you would require sponsorship from Barclays, you must declare this as part of your application. Sponsored visas are role and entity specific and any changes must be reviewed. It is important that you ensure you are working on the correct visa at all times. Failure to accurately disclose your visa status or Legal Right to Work may result in your application or any employment offer being withdrawn at any time.

Who succeeds in
Tech at Barclays?

For a career with us, you need to be prepared to take big steps forward, curious to face the challenges ahead, and driven to focus on the outcomes. We need people with the Barclays mindset to make it happen here.

What you'll get in return

Competitive holiday allowance

Life assurance

Private medical care

Pension contribution

Our technology

Supporting our 48 million customers and clients worldwide takes a lot of forward thinking. It means harnessing technology to support the economy. It means making a difference to people’s lives. And it requires the maintenance and development of a global, technological infrastructure. At Barclays, technology helps us keep transactions moving, manages data, and protects our customers. Join a world where your work creates unique moments of impact. Make it happen here.

This is Barclays London

Our global HQ is in Canary Wharf, at the heart of London’s financial district. There are over 10,000 colleagues here – a hugely diverse workforce made up of the world’s best financial and tech talent. If you love the buzz of city life, this is the place to be.

Cycle or run to work? We’ve got everything you need – from cycle hire and parking areas to new showering and changing facilities.

CoSpace is our drop-in co-working space, where networks are built, problems are solved collectively and our community is strengthened.

Our Wellness Suite includes a well-equipped gym and exercise studios, and provides personal training sessions and massage therapy.

Our new trading floors enhance communication, integrate sustainability, and support health and wellbeing through innovative design and British-sourced furniture.

This is Barclays London

Supporting active commuters

Cycle or run to work? We’ve got everything you need – from cycle hire and parking areas to new showering and changing facilities.

Time to connect

CoSpace is our drop-in co-working space, where networks are built, problems are solved collectively and our community is strengthened.

Wellbeing in focus

Our Wellness Suite includes a well-equipped gym and exercise studios, and provides personal training sessions and massage therapy.

Advanced trading floors

Our new trading floors enhance communication, integrate sustainability, and support health and wellbeing through innovative design and British-sourced furniture.

Working flexibly

We’re committed to providing a supportive and inclusive culture and environment for you to work in. This environment recognises and supports your personal needs, alongside the professional needs of our business. If you'd like to explore flexible working arrangements, please discuss this with the hiring manager. Your request will be reviewed in-line with the requirements of the role/business needs of the team.

Hybrid working

We have a structured approach to hybrid working, where colleagues work at an onsite location on fixed, ‘anchor’, days, as set by the business area. Please discuss the working pattern requirements for the role you are applying for with the hiring manager. Please note that working arrangements may be subject to change on reasonable notice to ensure we meet the needs of our business.

Barclays is built on an international scale.

Our geographic reach, our wide variety of functions, businesses, roles and locations reflect the rich diversity of our worldwide customer base. All of which means we offer incredible variety, depth and breadth of experience. And the chance to learn from a globally diverse mix of colleagues, including some of the very best minds in banking, finance, technology and business. Throughout, we’ll encourage you to embrace mobility, exploring every part of our operations as you build your career.

Find more information

Make it happen at Barclays

Our teams are always evolving - creating new solutions that make a real difference for customers and clients. Watch the video to hear how our colleagues describe their careers at Barclays and imagine where yours could take you.