Security & Identity Architect

2 weeks ago


London WCX NL, United Kingdom Arriva Full time £90,000 - £120,000 per year

Arriva is a leading European passenger transport partner, operating in 11 countries across the UK and Europe. The company employs around 35,000 people, delivering more than 1.5 billion passenger journeys connecting people and communities safely, reliably and sustainably.

We have strong roots dating back to 1938, an ambitious growth and sustainability agenda, and a continuously developing relationship with I Squared Capital, a global infrastructure investment fund manager that acquired Arriva in 2024.

We are looking for a Security & Identity Architect to join our Information Security Team on a full time, permanent basis. This role will be based from either our Sunderland, London, Derby or Thurmaston office.

Reporting to the Group Head of Security Operations, the Security and Identity Architect is a strategic and technical leader responsible for embedding group wide Security by Design principles. This role ensures that security is systematically integrated throughout the solution development lifecycle, working closely with architecture, project, and delivery teams to influence and assure the secure design of systems, platforms, and digital services.

A key responsibility of this position is to enhance and implement Arriva's project assurance framework that evaluates initiatives for adherence to non-functional security requirements. This framework will be tailored to assess risk posture, identify misconfigurations or deficiencies, and support operational teams in mitigating exposure before systems are deployed or go live. The Architect will provide ongoing guidance and oversight to ensure alignment with enterprise security standards.

The role will lead a focused effort on maintaining and implementing non-functional security requirements (NFRs) across the organisation. This includes defining minimum acceptable criteria for identity, access, confidentiality, integrity, availability, and auditability in all technical designs. Additionally, the role will help identify, catalogue, and track security-related technical debt for new systems that fall short of required controls—ensuring these are raised to the appropriate risk registers and prioritized accordingly.

Beyond delivery assurance, the Security and Identity Architect is also responsible for establishing a governance and assurance framework around core identity and access management (IAM) functions, such as asset management, penetration testing, lifecycle management, user access control, RBAC, and privileged access management (PAM). While not directly executing these tasks, the role sets the strategic direction, policies, and key controls to ensure IAM disciplines are managed consistently and securely across IT Teams.

Direct responsibilities:

  • Reviews current project assurance framework within Arriva UK, implementing improvements, and rolling out framework across all operating units, including training, monitoring, and mentoring.

  • Maintains and improves Arriva's non-functional requirements for new systems to ensure security by design (SbD) is embedded in our systems, in line with Arriva's strategic direction and risk appetite.

  • Ensures cyber and technology risk is managed in line with risk appetite so that products, solutions and platforms are designed, built, and deployed securely as well as being aligned to organisational goals, and that technical debt arising from insufficient security controls is adequately captured, working with the Head – InfoSec GRC & Awareness to track those risks in the information security risk register.
  • Builds relationships and collaborates with senior leaders and professionals across Arriva to understand, communicate and encourage mitigations for technical security risks relating to the implementation of new solutions, ensuring that any remaining risk is signed off by the business.

  • Stays updated on the latest security trends, threats, vulnerabilities, and technologies to proactively identify and address emerging risks as well as surfacing those risks during the improvement of Arriva's technical standards.
  • Collaborates within the Group Information Security team and wider Group Information Technology teams to agree project related InfoSec KPIs, set targets and implement monitoring across the organisation.
  • Collaborates with internal and external partners to ensure that all software and hardware changes are secure by design, championing strong security architecture and identity management across the technology teams in the business, and proactively identify and mitigate risks; this includes representing information security on the change advisory board and stage gate reviews.
  • Supports the business in understanding the necessity of penetration tests, analysing results, and ensuring vendors implement robust security improvements, working with the Head – InfoSec GRC & Awareness to include and track in the InfoSec risk register.
  • Supports infrastructure and architecture teams in defining and delivering IT security services across physical and cloud infrastructures, ensuring compliance with Arriva cyber security standards, regulatory and organisational requirements.
  • Contributes to merger and acquisition processes to understand risks related to current security architecture and posture, as well as supporting the onboarding of newly acquired entities/franchises/concessions or any offboarding of legal entities.
  • Drives the implementation and auditing of IAM frameworks, including MFA, PIM, and Conditional Access, to enforce a zero-trust security model.

  • Supports the wider Arriva group information technology team in creating a holistic Identity and Access Management strategy, supporting the implementation of Information Security related elements to ensure IAM maturity improvements across Arriva's key systems across the group.

Knowledge, skills & experience:

  • Demonstrable experience in designing and implementing security architecture solutions, managing risk and monitoring compliance in a complex organisation.
  • Evidenceable knowledge and experience of project delivery and secure software development lifecycles, particularly implementing security by design.
  • Demonstrable experience in researching and communicating how emerging technologies can present opportunity, risks, and challenges within Information Security and the broader technology teams.

  • Knowledge of all areas of IT security, including: cyber security for digital technologies, identity and access management, authentication and single sign-on, authorisation, logging and monitoring, audit, secure communications and cryptographic services, network and endpoint protection, hosting and cloud, vulnerability management, platform security and systems development lifecycle.

  • Experience with cloud platforms (Azure, AWS), DevSecOps, and infrastructure as code.

  • Provides clear vision and direction, inspiring and engaging individuals and the wider team to deliver excellence.

  • Written and verbal communication and presentation skills.

  • Influencing and negotiating skills.

  • Possesses a proactive and solution-focused attitude, being capable of analysing business problems and delivering real solutions.

  • Practitioner qualifications such as CISSP, CEH, OSCP, GCIH are beneficial but not required.

Success criteria & indicators:

  • Security non-functional requirements (NFRs) are consistently embedded across all new systems and platforms, with documented assurance reviews and risk sign-offs prior to go-live.
  • Group-wide implementation of an enhanced project assurance framework, including training delivery, adoption metrics, and measurable improvements in secure solution design.
  • Delivery of a strategic IAM governance framework, with demonstrable improvements in identity lifecycle management, RBAC, PAM, and zero-trust enforcement across key systems.
  • Identification, documentation, and tracking of security-related technical debt and risks, with clear escalation to risk registers and evidence of remediation or accepted risk sign-off.
  • Active collaboration with architecture, infrastructure, and delivery teams, resulting in measurable improvements in secure architecture practices and reduced security exceptions at stage gates.

This job description sets out the main duties and responsibilities of the jobholder. It does not constitute an exhaustive or comprehensive description of duties and the job holder will be required to carry out any additional tasks as and when requested to do so by their manager. Responsibilities and duties may also change considering future business needs and personal development.

The closing date for applications is Friday 31st October 2025. Arriva Group reserves the right to close this vacancy early.

