Security Architect

Application Closing Date: 17 June 2026 
Please note that in case of a high number of applications we might need to close the role ealier than the application closing date - so don't delay!

We're looking for a talented technical leader to join our newly formed Security Architecture team and drive control implementation across TUI's CISA-aligned Zero Trust programme. You'll be the primary driver of measurable security progress, converting strategy into deployed, verifiable controls that reduce real risk across our global technology estate.

ABOUT OUR OFFER

• Personal benefits: Attractive remuneration, exclusive travel perks & discounts, extensive health & wellbeing support, and more.
• Flexible working: Work is something you do, not somewhere you go. We encourage a healthy work-life balance and offer hybrid or remote working models.
• A career to shape: Opportunities to upskill, reskill and grow your career. Access the TUI Tech Learning Hub to level-up and reach your ambitions.
• Expand your horizons: Participate in our tech communities and collaborate on global projects and teams.
• Community: Get involved with incredible local charity and sustainability initiatives like the TUI Care Foundation and the Sustainable Tech Community. 

ABOUT THE JOB

• You'll drive control implementation across all five CISA Zero Trust pillars - dentity, Devices, Networks, Applications and Workloads, and Data - translating pillar OKR commitments into specific, sequenced control deployments with defined owners, timelines, and measurable success criteria.
• Owning the measurement framework for Zero Trust maturity progression will be central to your role, using Microsoft Security Exposure Management, Maester security assessments, and Microsoft Secure Score to track control status changes, maintain time-series data, and escalate stalled controls before they impact quarterly OKR targets.
• Working directly with pillar owners - Identity, Devices, Network, Applications, and Data leads - you'll convert high-priority workshop outputs into active delivery backlogs, challenging shared ownership arrangements and ensuring each control has a single named owner with budget authority.
• You'll provide technical depth across pillar-specific control areas including Conditional Access policy design, Entra ID Governance, PIM, phishing-resistant MFA deployment, trusted device strategy, Intune policy enforcement, network segmentation, secure remote access patterns, application ownership models, Entra SSO integration, API security governance, and data loss prevention aligned to the Secure Future Initiative.
• Triaging Microsoft Secure Score recommendations against pillar OKR priorities will be part of your day-to-day, as you assign each recommendation to the correct pillar owner with delivery timelines, track closure rates, and separate high-impact risk-reducing controls from low-value compliance activities.
• You'll generate evidence of risk reduction for board reporting and cyber insurance renewal, presenting Zero Trust progress in terms of attack surface change and business impact rather than framework terminology.

ABOUT YOU

• You have a demonstrable track record of delivering Zero Trust control implementation - not just designing it - across enterprise environments, with practical understanding of the CISA Zero Trust Maturity Model across all five pillars and the ability to assess current state against Traditional, Initial, Advanced, and Optimal maturity stages.
• Evidence of driving security control implementation through delivery teams in large, complex organisations is essential, as you distinguish between controls that have been deployed and verified versus those that have only been documented or recommended, actively rejecting activity-based metrics in favour of outcome-based measurement.
• Hands-on experience with Microsoft Security Exposure Management, Microsoft Secure Score, Maester, and the Microsoft Defender suite enables you to extract control status data, interpret attack path exposure metrics, and use tooling output to drive delivery prioritisation and evidence compilation.
• Your proficiency with Entra ID, Intune, Defender for Endpoint, and Defender for Office 365 as control implementation platforms means you can provide technical depth across Identity, Devices, Networks, Applications, and Data pillar-specific control areas.
• You're able to identify and challenge shared ownership arrangements that prevent control implementation, assigning single accountable owners to controls and holding them to delivery commitments, understanding that a control without a named, funded owner is an unmanaged risk.
• Experience working within an OKR framework where key results are tied to measurable security outcomes is important, as you understand that programme maturity is measured by controls implemented and attack surface reduced - not by documents produced or workshops delivered.
• Operating within or alongside a formal security architecture governance function comes naturally to you, as you contribute to quarterly reporting cadences and multi-team delivery coordination across complex enterprise environments.
• You're highly autonomous and able to identify what needs to happen next without being directed, taking ownership of blockers and working comfortably across organisational boundaries to challenge delivery teams when progress is below expectation.
• Being comfortable with ambiguity in an actively evolving programme is essential, as you adjust your approach based on what measurement data shows and stay motivated by reducing actual risk rather than achieving compliance posture.

From a workplace to a place to belong.  At TUI we embrace diversity, equity, and inclusion, encouraging everyone to come as you are, because together, our potential is limitless.

We are committed to supporting candidates with disabilities and impairments so if you require any support, please do let us know.