This job’s not for everyone.
If you’re looking for a comfy role where you just push policies around like paperweights and copy-paste NIST quotes into Word docs, this isn’t it.
But if you’re the type who actually enjoys making sure systems don’t get wrecked by lazy code, forgotten misconfigs, or someone plugging a rogue USB stick into prod - keep reading.
Because here’s the deal...
The job in plain English:
You’ll work with business and IT teams on a daily basis, embedding security into everything from app design through to deployment. You’ll be the person who gets called before something goes live - not after it’s blown up.
You’ll be threat modelling, defining security requirements, scanning code and infra, and giving the thumbs-up (or thumbs-down) before anything hits production. You’ll also get to mentor teams on how not to create the next massive security incident.
This is the intersection of cybersecurity, project delivery, and diplomacy. One foot in the tech, the other in the room with people who don’t speak acronyms.
What you’ll actually be doing:
- Embedding security into projects from start to finish.
- Performing threat modelling and risk assessments.
- Validating controls. Rejecting nonsense.
- Working with tools like SAST, DAST, SCA, CSPM - the usual suspects.
- Making risk-based go/no-go calls. And owning them.
- Mentoring delivery teams to think “secure by design” instead of “hope for the best.”
- Reporting stuff that matters: risks, gaps, and actual progress - not just dashboards that look pretty in PowerPoint.
What we’re looking for:
Let’s cut to the chase. You should know your stuff.
We’re not looking for someone who’s just watched a few OWASP videos and memorised the ISO 27001 preamble.
You’ll need:
- 5+ years in cybersecurity - ideally embedded in delivery or project teams.
- Threat modelling experience (STRIDE, etc).
- Hands-on with security tooling (SAST, DAST, vuln scanners, etc).
- Solid understanding of cloud (AWS and/or M365), network security, and secure SDLC.
- One or more of: CISM, CISSP, CISA, or something similar and not-forged.
- Comfortable speaking risk in both tech and business dialects.
- Bonus points if you know DORA, GDPR, and the joys of working with Legal and DPOs.
The people side:
You’ll be working with:
- Architects who don’t always want to hear "no", but might need to.
- Project managers who are terrified of delays but secretly grateful when you prevent a breach.
- Business stakeholders who speak in revenue, not risk.
- The Group CISO, the DPO, and some folks who’ve been around the block more than once.
So yes - technical skills matter. But so do your people skills. If you can’t handle a bit of conflict, or you sulk when someone doesn’t immediately agree with you, this probably isn’t for you.
Perks, expectations, and reality:
- You’ll be supported. But you’ll also be expected to deliver.
- You won’t be micro-managed. But don’t mistake that for not being accountable.
- There’s no team to manage - just your own output.
- Occasional travel required (domestic and international). Nothing wild.
- Offices in Warsaw, Prague, Bucharest or Budapest. Ideally you’re close to one.
In summary:
You’ll be the person standing between a solid security posture and a future post-mortem.
You’ll need backbone, brains, and a genuine interest in doing security right - not just ticking the box.
Sound like your kind of challenge?
Apply now. Or don’t - but if someone breaches a system you could’ve secured, don’t come crying to us.
Join Investigo and take your career to the next level!