Description

The Application Security Team Lead owns and evolves MO’s application security capability, embedding security into engineering practices, platforms, and delivery pipelines while leading a small team of specialists. Reporting to the Cyber Security Technical Manager, the role drives secure-by-design principles across the software development lifecycle, including the implementation of tooling, standards, and security controls within CI/CD.

Alongside team leadership, the role acts as the hands-on security lead for a key development area, taking end-to-end ownership of its security posture. Working closely with engineering, product, and platform teams, you provide deep technical expertise across design, implementation, and vulnerability management, ensuring security is pragmatic, scalable, and supports effective delivery at pace.

Key Responsibilities:

• Lead and develop the application security team, setting clear priorities, building capability, and ensuring effective delivery of AppSec services.
• Own and operate our application security tooling, including SCA & SAST, ensuring effective coverage across all in-scope applications.
• Integrate security controls into CI/CD pipelines, working with platform and engineering teams to embed automated security testing and guardrails into development workflows.
• Define, implement, and maintain secure development standards, including secure coding guidelines, threat modelling practices, and minimum-security requirements for applications and APIs.
• Partner with engineering, platform, and product teams to embed secure-by-design principles into new and existing systems, providing practical, risk-based guidance.
• Working with our Vulnerability Lead, champion the identification, triage, and remediation prioritisation of application vulnerabilities, ensuring delivery aligns with risk appetite and agreed service levels.
• Establish and track application security metrics, including vulnerability remediation timelines, tooling coverage, and overall risk reduction.
• Support secure architecture and design reviews, particularly for cloud-native and API-driven systems.
• Stay informed on emerging threats, technologies, and development practices (including software supply chain and AI-assisted development), applying this knowledge to continuously improve our security posture.
• Act as the primary application security engineer for a key development team, providing hands-on technical leadership across design, development, and operation.
• Perform deep-dive security activities for the team, including threat modelling, code-level reviews, and vulnerability triage/remediation support.
• Oversee and coordinate third-party application security reviews, ensuring consistent assessment standards and effective risk management across externally developed or supplied applications.
• Plan and organise application security coverage across the team, allocating engineers to priority domains and initiatives to ensure balanced workload, clear ownership, and effective delivery of AppSec services.

Qualifications

You are an experienced application security professional with strong technical depth and a pragmatic, delivery-focused mindset. You operate as a player-coach, comfortable working hands-on while leading and developing a small team. You take end-to-end ownership of critical applications or domains, acting as the go-to expert while enabling your team to deliver effectively at scale.

You have a solid understanding of modern software development practices and know how to embed security into engineering workflows without slowing delivery. You are confident working with developers, architects, product, and platform teams, translating security requirements into practical, implementable solutions.

You take ownership of outcomes, not just delivering advice, driving improvements in tooling, processes, and developer practices to measurably reduce risk. You are comfortable making risk-based decisions and prioritising work in line with business objectives.

You communicate clearly and effectively, able to explain complex security concepts in a way that resonates with both technical and non-technical stakeholders. You build strong relationships and are able to influence engineering teams to adopt secure-by-design principles.

You are naturally curious and keep pace with evolving technologies and threats, particularly in areas such as cloud-native development, software supply chain risk, and emerging development practices including AI.

Minimum criteria

• Considerable experience in software engineering, application security, or a related security role, with experience focused on application security.
• Experience leading, mentoring, or coaching engineers or security professionals, with the ability to build capability within a team.
• Hands-on experience implementing and operating application security tooling, such as SAST, DAST, SCA, and secrets management.
• Experience integrating security controls into CI/CD pipelines (e.g. GitHub, AWS DevOps), including automated testing and policy enforcement.
• Strong understanding of modern software development practices, including Agile delivery, DevOps, and cloud-native architectures.
• Practical experience with secure coding practices, threat modelling, and vulnerability management in a production environment.
• Ability to assess and prioritise security risks, balancing security requirements with business and delivery needs.
• Strong problem-solving skills, with a track record of identifying issues and driving them through to resolution.

Who you’ll be working with
The Application Security team is responsible for enabling the secure delivery of software across MO by embedding security into engineering practices, platforms, and pipelines.

The team focuses on building scalable, developer-friendly security capabilities, including automated security testing, secure development standards, and vulnerability management. Working closely with engineering, architecture, and platform teams, it ensures that security is integrated into the software development lifecycle from design through to deployment and operation.

Adopting a pragmatic, risk-based approach, the team provides clear, actionable guidance and tooling that supports delivery while improving our overall security posture. It also plays a key role in building security capability across engineering through initiatives such as security champions and developer engagement.

Benefits

Motability Operations is a unique organisation, virtually one of a kind. We combine a strong sense of purpose with a real commercial edge to ensure we provide the best possible worry-free mobility solutions to over 800,000 customers and their families across the UK. Customers exchange their higher rate mobility allowance to lease a range of affordable vehicles (cars, wheelchair accessible vehicles, scooters, and powered wheelchairs) with insurance, maintenance and breakdown assistance included. We are the largest car fleet operator in the UK (purchasing around 10% of all the new cars sold in the UK) and work with a network of around 5,000 car dealers and all the major manufacturers. We pride ourselves on delivering outstanding customer service, achieving an independently verified customer satisfaction rating of 9.8 out of 10.

Our values are at the heart of everything we do. They represent ambition, and we look for our people to live and breathe them every day:

• We find solutions
• We drive change
• We care

We operate hybrid working across the organisation where we split our time between working on-site at our offices, and at home, remotely within the UK. We believe hybrid working achieves a good work/life balance for our colleagues, allowing us to connect with each other, collaborate on important work, and perform together to deliver for our customers. It allows us to have the flexibility to work remotely up to 2-days per week whilst also using the great office spaces we have available.

As a Motability Operations team member, the benefits you can expect are:

• Competitive reward package including an annual discretionary bonus
• 15% non-contributory pension (9% non-contributory pension during probation period)
• 28 days annual leave with option to purchase and sell days
• Free fresh fruit and snacks in the office
• 1 day for volunteering
• Funded Private Medical Insurance cover
• Electric/Hybrid Car Salary Sacrifice Scheme and Cycle to Work Scheme
• Life assurance at 4 times your basic salary to give you a peace of mind that your loved ones will receive some financial help
• Funded health screening for over 50s
• Voluntary benefits: charitable giving, critical illness insurance, dental insurance, health and cancer screenings for you and your partner, discounted gym memberships and season ticket loans
• Employee Discount Scheme with an app to save on the go
• Free access to healthcare apps such as Peppy, Unmind, Aviva Digital GP and volunteering app on Hand for all employees
• Generous family leave policies

At Motability Operations, we believe in building a diverse workforce, where our people are empowered to attend work as their true selves, and we encourage people from all backgrounds to apply. We want to sustain a culture that nurtures, where employees are free to flourish and where they’re rewarded equally, regardless of race, nationality or ethnic origin, sexual orientation, age, disability, or gender.

We pride ourselves on being an inclusive employer and as such, all our offices provide first rate disability access. With our hybrid working environment, we do our best to accommodate part-time and flexible working requests where possible, building on our culture of trust, empowerment, and flexibility.