
Security Engineer

Unicard • 🌐 In Person

Posted 12 hours, 11 minutes ago

Job Description

About Unicard

As the leading provider of software solutions for public and private sector transport management and smart ticketing, for 20 years Unicard has been trusted by millions of passengers to get them where they need to be. Today, our solutions can be found throughout the UK, processing approximately 4 billion transactions a year. We estimate that 1 in 4 public transport journeys in the UK are powered by a Unicard system at some point.

Since we started in 2003, a wide range of local authorities, transport operators and hardware manufacturers have depended on our capabilities in strategy, design, development, testing and delivery. We support a variety of customers, from simple single-user and concessionary travel programmes to complex multi-modal and multi-operator configurations. Examples include:

We enable cEMV tap and go on rail for Transport for Wales

We provide the ticketing back office for all UK smartcard rail travel

Our technology powers Transport for West Midlands' trailblazing Swift integrated ticketing system, one of the most well-respected schemes in the UK, and the largest after Oyster in London

We are trusted by 75+ local authorities to deliver their vital elderly, disabled and social concessionary travel programmes for disadvantaged passengers (more than 40% of the market). This recently included enabling free travel for 300,000 young people in Scotland

We are the smart ticketing provider to two Future Transport Zones, which are the Department for Transport's dedicated innovation zones

Over 30% of all smartcard terminals in the UK run on Unicard software

We have approximately 4.5 million cardholders currently under management

We have received two R&D grants from Innovate UK to develop game changing and disruptive technologies

We are a product-led business using a range of development technologies (primarily Java or full-stack Javascript) to deliver a variety of frontend products for web, mobile and native apps and a range of enterprise backend data collection and management systems.

Employing approximately 115 people across England, Scotland, and Bulgaria, our in-house research, strategy and development capabilities give us an affordable, well-managed ability to develop market leading technologies and affordably maintain existing products. As a small-to-medium-sized enterprise, we pride ourselves on our reputation for outstanding products, technical support, delivery capability and high levels of customer service.

About the Role

The Security Engineer plays a critical role in safeguarding Unicard's products, infrastructure, customer data and physical security. The successful candidate will be designing, implementing, and maintaining robust security processes and measures to protect Unicard's systems and data against constantly evolving cyber threats and breaches. The Security Engineer will work closely with the engineering, dev-ops and IT teams to ensure that systems are compliant with industry security standards and best practices.

The role requires management and control of physical security across the three locations, including CCTV management, entry access control and building security management.

The Security Engineer is required to work closely with the Unicard Compliance Manager to own all relevant policies and processes, ensuring best practice and governance is always maintained. The role will require responsibility for any security compliance related audits and frameworks including but not limited to:

ISO 27001

ISO 22301

Cyber Essentials +

AWS Well Architected Framework / Cloud Operating Model

NIST Cyber Security Framework

PCI-DSS v4

GDPR / Data Protection

A key requirement of the role is to provide a weekly report on all security related activities, risks, vulnerabilities and challenges, along with a monthly executive summary of the aforementioned reports, including the current security landscape. The reports should include professional recommendations and timelines to remedy any risk/vulnerability that has been identified.

The Security Engineer will report directly to the Head of Operations, ensuring a direct route of escalation to the CEO and Senior management team.

Technical Responsibilities

Review and govern infrastructure security controls - Across both on-premise and cloud environments, oversee that best security practices are being applied and audit when necessary.

Manage security incidents - Work with the Support and Technical teams to manage any security related incidents. This includes communications with customers/stakeholders to resolve quickly and effectively. Provide a post incident report to senior management summarising the incident, reason and mitigation steps taken.

Regular vulnerability assessments and penetration testing - Monitor, identify and remediate weaknesses in Unicard's infrastructure, applications, and systems. Work with third party penetration testers to periodically scan and resolve vulnerabilities.

Manage identity and access controls - Maintain and manage identity-based systems such as Keycloak, Keeper, multifactor authentication (MFA) services, and secure user provisioning.

Maintain and audit physical security systems - Oversee and audit access control systems to ensure security best practices. Maintain and manage CCTV and alarm systems, working closely with building/facility management and third-party security companies.

Data Protection - Oversee the management of Data Protection processes and standards. Ensure Unicard have a robust Data Protection Policy that is audited frequently. Provide training to ensure staff have full understanding of Data Protection Regulations. Ensure effective completion of required DPIAs and compliance with Data Retention Schedules.

Develop and enforce robust security policies and procedures - Align with regulatory and compliance frameworks (e.g., ISO 27001, GDPR, CE+, PCI DSS), ensuring failure to comply is immediately managed and resolved.

Perform security awareness training and simulations - Educate staff on phishing, secure practices, Data Protection and physical security requirements.

Support Change Management and CAB - Provide a strict security control process for all changes due for release. Ensure all security aspects have been factored into the release and the system is compliant with security controls (penetration tested/PCI compliant).

Support Product Engineering teams - Provide security input into design reviews to ensure security is included at all stages of the Secure Software Development Lifecycle.

Provide threat modelling input - Work closely with the Platform and Development teams and associated partners when conducting threat modelling workshops, and review and support the output reports to ensure products remain at the forefront of security.

Reporting - Provide weekly progress/status reports to the Head of Operations and monthly executive reports to the Senior Leadership Team on the security posture. These should be categorised using a RAG status with mitigation, remedial actions, and timelines.

Customer/project communications - Attend ad hoc meetings with customers/partners to provide technical security expertise for either project workflows or BAU.

Essential Personal Skills

Strong analytical and problem-solving skills - to assess complex security issues and develop effective solutions quickly.

High attention to detail - crucial for identifying subtle vulnerabilities or irregularities in systems and processes.

Excellent communication skills - to clearly explain security concepts to both technical and non-technical stakeholders and customers.

Integrity and trustworthiness - to handle sensitive information responsibly and maintain confidentiality.

Proactive mindset - able to anticipate security risks and take preventative action before issues arise.

Strong organisational skills - capable of managing multiple tasks, audits, and documentation requirements efficiently.

Collaborative team player - able to work across departments, including IT, Engineering, Service, Compliance, and Senior Leadership.

Adaptability and willingness to learn - to stay up to date with evolving threats, technologies, and industry best practices.

Critical thinking and decision-making skills - to evaluate situations quickly and make educated judgments in time-sensitive scenarios.

Required Professional Skills/Experience

Proven experience in cybersecurity - minimum 3 years in a security-focused role, ideally in a hybrid (physical and digital) security environment.

Hands-on experience with security tools such as SIEM systems, vulnerability scanners, endpoint protection platforms, and access control systems.

Knowledge of cloud security principles across platforms like AWS, Azure, or Google Cloud, including IAM, encryption, and compliance controls.

Experience with Secure Software Development Lifecycles - experience working with development and platform teams to embed security into the design and development process.

Experience with physical security technologies including access control systems, CCTV/surveillance, and alarm systems.

Familiarity with regulatory compliance standards such as ISO 27001, GDPR, NIST and PCI-DSS.

Security incident response and risk management - ability to lead security incident handling and root cause analysis.

Scripting and automation skills - familiarity with Python, PowerShell, or Bash to automate security tasks and monitoring.

Technical documentation and reporting skills to produce risk assessments, incident reports, and compliance documentation. Provide quality reports suitable for the intended audience.

Desirable Professional Skills/Experience

Experience working with a development-based organisation - ability to understand development lifecycles and modern technologies

Experience with Keeper Enterprise, Keycloak and AWS IAM - ability to take responsibility for governing access management and security-based BAU processes

Experience with known security tools - specialising in security testing, reporting and monitoring

Benefits of working for Unicard

Competitive remuneration package

Company funded Healthcare plan

Life Assurance

Company pension

Hybrid working (minimum 3 days office attendance)

2 days per annum paid volunteer days

Modern working environment and friendly atmosphere

Knowledge sharing (working with experienced professionals)

Autonomy and trust in decision-making

Office in a central location

Regular team building and office events

Career development

Charitable organisation

The role may require additional activities and/or responsibilities deemed appropriate as per the business needs.

The position requires candidates to hold right to work in the UK.
