Capital Markets Gateway
Senior Security Engineer

How your CV stacks up
Upload your CV to see how well it fits this job role
?%
The Company
Capital Markets Gateway LLC (CMG) is a financial technology firm, uniquely focused on the equity capital markets (ECM), connecting investors and underwriters via a neutral platform. CMG delivers integrated ECM data and analytics, unrivaled transparency into deal flow, and workflow efficiencies for an otherwise fragmented and inefficient process. Providing a digital system of record for firm-wide deal activity, CMG helps clients make more timely, better-informed decisions. Launched in 2017 by a team of ECM practitioners, CMG has completed two successful fundraising rounds and is backed by a group of the world’s most prestigious financial institutions. The CMG platform is currently relied upon by nearly 150 buy-side firms representing $40 trillion in AUM and 22 global investment banks.
For more information, please visit www.cmgx.io.
The Role
We are hiring a Senior Security Engineer to lead our security risk management and governance work. This is a senior individual-contributor role for someone who thrives on owning large, ambiguous initiatives end-to-end and turning them into shipped, operationalized programs. You will report directly to the CISO, own cross-program initiatives, and collaborate closely with senior leadership across the firm.
The core of the role is hands-on security risk management, threat modeling, security risk assessments, and security design and architecture reviews, paired with the governance and process work that scales the program. You will partner on customer due-diligence and SOC 2 evidence and turn security controls into repeatable workflows that fit how the business already works. You will apply that lens across the full control landscape: cloud security, supply-chain and vulnerability management, endpoint and identity, detection and response, and AI security.
CMG operates in a highly regulated, client-facing market, so scope and impact here are unusually large for the level. We value strong collaboration and a deep sense of ownership: you will be trusted to take initiatives and run with them, often without an established process or a big team behind you. The defining shift for the program is moving from reactive to proactive, and this role is central to it. This is a high-growth-potential role: we expect the right person to start as a senior individual-contributor and grow into broader leadership, including people's leadership, as the function scales.
Responsibilities
Security Risk Management
- Lead threat modeling across products, infrastructure, and new initiatives, identifying and prioritizing risks, attack surfaces, and vulnerabilities.
- Conduct security risk assessments and translate findings into pragmatic, risk-based remediation prioritized by impact and blast radius.
- Run security design and architecture reviews, partnering with Engineering and DevOps to reduce risk through secure design and simplicity, not just added controls.
Reasons to use Rodeo
I’m in my final year doing Economics and I don’t know whether to apply for grad schemes now or do a masters first. What do you think?
Honest answer — it depends on where you want to end up. A lot of top grad schemes (Big 4, civil service, banking) don’t need a masters. Let’s look at the ones you’d be competitive for now, and we can decide if a masters actually adds anything.
Also worth knowing: most autumn 2026 applications are open now. Timing matters more than you think.
Start with a chat, not a search bar
Grad scheme, placement, apprenticeship? Not sure what you want yet — that's fine. Your agent talks it through with you and turns "I have no idea" into a shortlist.
Graduate Consultant — 2026 Scheme
Why you're a good match
StrongYour economics background and your summer at a regional bank line up with what PwC looks for on the consulting scheme. Applications close in four weeks.
See breakdownIt searches the market for you
Every day your agent scans the market matching roles against what actually matters to you, not just keywords on a CV.
Why you're a good match
You’ve got the grades and the economics background, and your bank internship is exactly the experience this scheme looks for. Apply soon — deadlines close within the month.
Experience fit
Your summer at the bank plus your econometrics coursework map directly to the day-one responsibilities on this scheme — client modelling, market briefings, and deal support.
Only hits
No noise. No "maybe this fits." Just roles with a clear explanation of why they're right — and where to focus when applying.
Governance, Risk & Compliance
- Partner on customer due-diligence (DDQ) and SOC 2 Type II evidence gathering, keeping compliance sustainable rather than fire-drilled.
- Build repeatable security workflows that embed controls into existing engineering processes instead of creating parallel ones.
- Develop and maintain clear, role-relevant security policies, standards, and procedures, and drive consensus without direct authority.
Security Controls and Technical Program Execution
- Understand and implement controls for supply-chain risk and vulnerability management, including CI/CD enforcement and dependency hygiene, and build vulnerability triage workflows that score real risk by exploitability, reachability, and compensating controls rather than raw CVSS.
- Harden and secure our cloud environment (Azure), partnering with platform engineering on secure configuration, reviewing and remediating vulnerabilities, identity and network controls, posture management, and logging and detection.
- Strengthen endpoint and identity controls across a global, remote workforce: least privilege, phishing-resistant MFA, and privileged access controls.
- Support detection and response, partnering with our DFIR and MDR relationships and helping mature toward a proactive posture.
- Address AI security risks (prompt injection, data poisoning, model and agent governance) and help keep AI controls ahead of adoption.
Cross-functional Leadership and Program Ownership
- Take ownership of large, loosely defined initiatives and drive them from problem framing to operationalized program.
- Work closely with senior leadership across the firm, bringing structure to ambiguity and sequencing work against risk.
- Surface risk early, challenge assumptions, and communicate clearly to both technical teams and senior stakeholders.
Qualifications
- Have 6+ years of hands-on security experience, with real depth in security risk management: threat modeling, risk assessments, and security design and architecture review.
- Have run governance, risk, and compliance work in practice, including audit and customer due-diligence support (SOC 2 or similar), and made it operational rather than just documented.
- Have thrived in a startup or other small, fast-paced environment, owning large, ambiguous initiatives end-to-end with little scaffolding and shipping them.
- Have working breadth across the control landscape: cloud security, supply-chain and vulnerability management, endpoint and identity, and detection and response.
- Are genuinely technical: comfortable in cloud environments (Azure preferred), CI/CD, and at least one scripting language (e.g. Python, Bash, PowerShell), so your controls hold up in engineering reality.
- Lead with empathy and influence, and distill complex security concepts into clear, actionable guidance for technical and non-technical audiences alike.
- Thrive navigating ambiguity and make sound, risk-based calls with incomplete information.
- Work effectively in a remote-first setup: most of the team is remote, with a small London in-office presence, so you communicate crisply and operate well asynchronously.
- Navigate an organization to get things done you know who to pull in for information or alignment, and you drive that alignment without formal authority.


Get help with your application
Your very own career expert that helps elevate your application to the next level.
Nice to have
- Have banking, fintech, or other regulated industry experience.
- Use AI tooling fluently in your own day-to-day work and are eager to integrate it into security workflows as a force multiplier.
- Have a bias toward automating repeatable security work — scripting, tooling, and process — to scale your impact.
- Be familiar with AI and agentic security risks (prompt injection, data poisoning, model and agent governance).
- Have experience mapping security frameworks (NIST CSF, ISO 27001, OWASP, NIST AI RMF).
- Have hands-on exposure to detection and response, red-team, or pen-test work.
- Have experience with our stack: Azure / Entra ID, GitHub Enterprise Cloud (GHAS, Actions, Dependabot), Sentinel, Zscaler, Intune, Vanta, and the Atlassian suite.
- Hold relevant certifications (e.g. CISSP, CRISC, OSCP) — valued but not required.
Our Values
- We innovate with purpose
- We focus on outcomes vs. output
- We believe diverse and inclusive teams fuel innovation
- We are humble yet candid
- We do right by the customer
What We Offer
- Equity
- Unlimited PTO (28 days including bank holidays + unlimited additional paid leave)
- Comprehensive benefits program managed by Globalization Partners
- Premium life and income protection
- Top private medical and dental insurance
- Employee Assistance Program (EAP)
- Pension contributions
- Hybrid work environment (initially remote until office setup is complete)
- Education reimbursement
- Continuous learning opportunities
- Employee referral bonus
- Parental leave
CMG embraces our ongoing commitment to building a culture reflecting the people, perspectives, and passions it represents. We will accept nothing less than equity, inclusion, and belonging for all. With the only constant in life being change, we will always listen, learn, and improve for the betterment of our teams, customers, and communities. CMG is proud to be an Equal Opportunity Employer.
“It took my CV and asked me questions relevant to understanding what kind of jobs to suggest for me. Suggestions were almost perfect. Jobs were exactly what I’ve been looking for.”
Jessica, London
Skills
Location