The Company
Capital Markets Gateway LLC (CMG) is a financial technology firm, uniquely focused on the equity capital markets (ECM), connecting investors and underwriters via a neutral platform. CMG delivers integrated ECM data and analytics, unrivaled transparency into deal flow, and workflow efficiencies for an otherwise fragmented and inefficient process. Providing a digital system of record for firm-wide deal activity, CMG helps clients make more timely, better-informed decisions. Launched in 2017 by a team of ECM practitioners, CMG has completed two successful fundraising rounds and is backed by a group of the world’s most prestigious financial institutions. The CMG platform is currently relied upon by nearly 150 buy-side firms representing $40 trillion in AUM and 22 global investment banks. For more information, please visit www.cmgx.io.
The Role
We are hiring a Senior Security Engineer to lead our security risk management and governance work. This is a senior individual-contributor role for someone who thrives on owning large, ambiguous initiatives end-to-end and turning them into shipped, operationalized programs. You will report directly to the CISO, own cross-program initiatives, and collaborate closely with senior leadership across the firm.
The core of the role is hands-on security risk management, threat modeling, security risk assessments, and security design and architecture reviews, paired with the governance and process work that scales the program. You will partner on customer due-diligence and SOC 2 evidence and turn security controls into repeatable workflows that fit how the business already works. You will apply that lens across the full control landscape: cloud security, supply-chain and vulnerability management, endpoint and identity, detection and response, and AI security.
CMG operates in a highly regulated, client-facing market, so scope and impact here are unusually large for the level. We value strong collaboration and a deep sense of ownership: you will be trusted to take initiatives and run with them, often without an established process or a big team behind you. The defining shift for the program is moving from reactive to proactive, and this role is central to it. This is a high-growth-potential role: we expect the right person to start as a senior individual-contributor and grow into broader leadership, including people's leadership, as the function scales.
Responsibilities
Security Risk Management
Lead threat modeling across products, infrastructure, and new initiatives, identifying and prioritizing risks, attack surfaces, and vulnerabilities.
Conduct security risk assessments and translate findings into pragmatic, risk-based remediation prioritized by impact and blast radius.
Run security design and architecture reviews, partnering with Engineering and DevOps to reduce risk through secure design and simplicity, not just added controls.
Governance, Risk & Compliance
Partner on customer due-diligence (DDQ) and SOC 2 Type II evidence gathering, keeping compliance sustainable rather than fire-drilled.
Build repeatable security workflows that embed controls into existing engineering processes instead of creating parallel ones.
Develop and maintain clear, role-relevant security policies, standards, and procedures, and drive consensus without direct authority.
Security Controls and Technical Program Execution
Understand and implement controls for supply-chain risk and vulnerability management, including CI/CD enforcement and dependency hygiene, and build vulnerability triage workflows that score real risk by exploitability, reachability, and compensating controls rather than raw CVSS.
Harden and secure our cloud environment (Azure), partnering with platform engineering on secure configuration, reviewing and remediating vulnerabilities, identity and network controls, posture management, and logging and detection.
Strengthen endpoint and identity controls across a global, remote workforce: least privilege, phishing-resistant MFA, and privileged access controls.
Support detection and response, partnering with our DFIR and MDR relationships and helping mature toward a proactive posture.
Address AI security risks (prompt injection, data poisoning, model and agent governance) and help keep AI controls ahead of adoption.
Cross-functional Leadership and Program Ownership
Take ownership of large, loosely defined initiatives and drive them from problem framing to operationalized program.
Work closely with senior leadership across the firm, bringing structure to ambiguity and sequencing work against risk.
Surface risk early, challenge assumptions, and communicate clearly to both technical teams and senior stakeholders.
Qualifications
Have 6+ years of hands-on security experience, with real depth in security risk management: threat modeling, risk assessments, and security design and architecture review.
Have run governance, risk, and compliance work in practice, including audit and customer due-diligence support (SOC 2 or similar), and made it operational rather than just documented.
Have thrived in a startup or other small, fast-paced environment, owning large, ambiguous initiatives end-to-end with little scaffolding and shipping them.
Have working breadth across the control landscape: cloud security, supply-chain and vulnerability management, endpoint and identity, and detection and response.
Are genuinely technical: comfortable in cloud environments (Azure preferred), CI/CD, and at least one scripting language (e.g. Python, Bash, PowerShell), so your controls hold up in engineering reality.
Lead with empathy and influence, and distill complex security concepts into clear, actionable guidance for technical and non-technical audiences alike.
Thrive navigating ambiguity and make sound, risk-based calls with incomplete information.
Work effectively in a remote-first setup: most of the team is remote, with a small London in-office presence, so you communicate crisply and operate well asynchronously.
Navigate an organization to get things done you know who to pull in for information or alignment, and you drive that alignment without formal authority.
Nice to have
Have banking, fintech, or other regulated industry experience.
Use AI tooling fluently in your own day-to-day work and are eager to integrate it into security workflows as a force multiplier.
Have a bias toward automating repeatable security work — scripting, tooling, and process — to scale your impact.
Be familiar with AI and agentic security risks (prompt injection, data poisoning, model and agent governance).
Have experience mapping security frameworks (NIST CSF, ISO 27001, OWASP, NIST AI RMF).
Have hands-on exposure to detection and response, red-team, or pen-test work.
Have experience with our stack: Azure / Entra ID, GitHub Enterprise Cloud (GHAS, Actions, Dependabot), Sentinel, Zscaler, Intune, Vanta, and the Atlassian suite.
Hold relevant certifications (e.g. CISSP, CRISC, OSCP) — valued but not required.
Our Values
We innovate with purpose
We focus on outcomes vs. output
We believe diverse and inclusive teams fuel innovation
We are humble yet candid
We do right by the customer
What We Offer
CMG embraces our ongoing commitment to building a culture reflecting the people, perspectives, and passions it represents. We will accept nothing less than equity, inclusion, and belonging for all. With the only constant in life being change, we will always listen, learn, and improve for the betterment of our teams, customers, and communities. CMG is proud to be an Equal Opportunity Employer.