Information Security Engineer

London, ENG, GB, United Kingdom

Job Description

About Marshmallow




We exist to make migration easy.


A systemic problem of this magnitude requires a team of curious thinkers who relentlessly pursue solutions. Those who constantly challenge the why, dismantle assumptions, and always take action to build a better way.


A Marshmallow career is built on a cycle of continuous growth, with learning at its core. You will be challenged to raise the bar on your capabilities and supported with the right tools and guidance to do so. This ensures you can deliver impactful work and drive change.


If life at Marshmallow sounds like it could be for you, explore our Culture Handbook to find out more.


Move our mission, and your career, forward.

Engineering at Marshmallow




Our engineers are at the heart of the solutions. They work on product builds from start to finish, solving lots of challenges to help us build fast and scale up! Our engineers cover a range of skills across frontend, backend, full stack, iOS, and Android, and work alongside designers, data scientists, researchers, and product managers within our product teams. Our product teams include: Pricing, Fraud Core, Ops Platform, Claims, Growth, Direct, In-Policy, Renewals, Mobile, and Core.


Information Security (InfoSec) is an enabling function within this environment. InfoSec works alongside Engineering, IT teams, and other business teams to ensure security controls are embedded pragmatically into systems, processes, and day-to-day operations, in line with regulatory and risk expectations.


Each team sets its roadmap and actively pushes our codebase forward. If you're curious about our Engineering culture and ways of working, check out the Engineering Handbook.

And check out our Marshmallow App Demo as well here!



About the team you will be joining




You will join the InfoSec team, reporting to the Head of InfoSec & TechOps. The team operates across product engineering, cloud infrastructure, corporate IT, and other business teams to support Marshmallow's security posture in a regulated fintech environment.


This role is execution focused and operational in nature. It covers application, cloud, and corporate security, with responsibility for operating security controls, responding to security alerts, improving processes, and working directly with teams to maintain an appropriate risk posture as Marshmallow scales.

What you'll be doing



- Acting as a security point of contact for Engineering and IT initiatives impacting applications, cloud infrastructure, employee devices, and internal systems
- Supporting application security through collaboration with development teams and embedding security into SDLC and DevOps processes
- Operating and improving cloud security controls, with a primary focus on AWS
- Monitoring, triaging, and responding to security alerts from tooling such as SIEM, DLP, and endpoint management platforms during business hours
- Supporting vulnerability management through analysis, prioritisation, and remediation guidance
- Contributing to incident response activities, including investigation support, remediation coordination, and post-incident improvements
- Improving information security processes and operational practices to increase consistency, effectiveness, and operational excellence
- Contributing to security policies, standards, and procedures, and supporting their adoption across engineering, IT, and business teams

Who you are



- Pragmatic and delivery-focused, with a risk-based approach grounded in security best practice
- Comfortable working in a regulated environment and applying proportionate controls
- Confident collaborating with engineers, IT teams, and non-security stakeholders
- Able to operate independently on defined workstreams while escalating material risk appropriately
- Calm, methodical, and structured when responding to security alerts and incidents

What we're looking for from you



- Experience working in an information security role within a cloud-based organisation
- A practical understanding of cloud security concepts (AWS preferred)
- Working knowledge of secure development practices and DevSecOps principles
- Exposure to both technical and operational security domains
- Hands-on experience operating or supporting security tooling (SIEM, MDM/endpoint security, DLP, or similar)
- Familiarity with endpoint, identity, and corporate security controls
- Solid understanding of network and application-level security fundamentals
- Familiarity with security frameworks and standards such as ISO 27001, NIST, and CIS Controls

Perks of the job



Hybrid working - Spend 3 days a week with your team in our collaborative London office

Competitive bonus scheme - designed to reward and recognise high performance

Flexible benefits budget - 50 per month to spend on a Ben Mastercard, meaning you get your own benefits budget to spend on things you want. Whether that's subscriptions, night classes (puppy yoga, anyone?), the big shop or a forest of houseplants. Pretty much anything goes

Sabbatical Leave - Get a 4-week fully paid sabbatical after being with us for 4 years

Work From Anywhere - 4 weeks work from anywhere to use, with no need to come to the office

Mental wellbeing support - Access therapy and mental health sessions through Oliva

Learning and development - Personal budgets for books and training courses to help you grow in your role. Plus 2 days a year - on us! - to further your skillset

Private health care - Enjoy all the benefits Vitality has to offer, including reduced gym memberships and discounts on smartwatches

Medical cash plan - To help you with the costs of dental, optical and physio (plus more!)

Tech scheme - Get the latest tech for less

Plus all the rest; 25 days holiday (+ bank holidays), pension, cycle to work scheme, monthly team socials and company-wide socials every month!

Our Process




We break it up into 4 stages:

- Initial call with a member of our Talent Acquisition team (40 mins)
- A past-experience interview (60 mins)
- A skill-based/technical interview (60 mins)
- A culture interview to check that your work style fits our processes and values (60 mins)

We'll let you know if you're invited to an interview or not. But, as a small team with a lot of applications to consider, we can't give individual feedback on each application.

Background checks



As part of our commitment to maintaining a safe and trustworthy environment, we'll carry out standard background checks, including a DBS and a Cifas check. These help ensure there are no ongoing criminal proceedings and support the prevention of fraud and other forms of serious misconduct. If anything of concern is identified, it may affect your eligibility for certain roles or services. Feel free to ask our Talent Acquisition team if you have any questions about this!



Everyone belongs at Marshmallow




At Marshmallow, we want to hire people from all walks of life with the passion and skills needed to help us achieve our company mission. To do that, we're committed to hiring without judgement, prejudice or bias.


We encourage everyone to apply for our open roles. Gender identity, race, ethnicity, sexual orientation, age or background does not affect how we process job applications.


We're working hard to build an inclusive culture that empowers our people to do their best work, have fun and feel that they belong.

Recruitment privacy policy




We take privacy seriously here at Marshmallow. Our Recruitment privacy notice explains how we process and handle your personal data. To find out more please view it here.


Job Detail

  • Job Id
    JD4434581
  • Industry
    Not mentioned
  • Total Positions
    1
  • Job Type:
    Full Time
  • Salary:
    Not mentioned
  • Employment Status
    Full Time
  • Job Location
    London, ENG, GB, United Kingdom
  • Education
    Not mentioned