Flexa
Discover companiesFind a jobResourcesSign in/up
For employers
< Back to search
Mondelēz International • United Kingdom (Remote) | United Kingdom

Head of Attack Surface Management

Employment type:  Full time
View company profile
Apply now

Job Description

Job Description

Are You Ready to Make It Happen at Mondelēz International?

Join our Mission to Lead the Future of Snacking. Make It Uniquely Yours.

You work with the information security team as a competent and experienced information security and compliance leader.

How you will contribute

You will assess information security risks in line with internal policies and external best practices and determine requirements how to secure Mondelēz International information and IT assets. In addition, you will develop security standards and policies; advise technical teams when developing relevant procedures or have operational security questions; review and consulting them on compliant and effective use of common tools. You will also keep business stakeholders apprised on the overall security and compliance roadmap, provide training on information security to appropriate teams, and develop security strategies, architectures and roadmaps across process and technologies.

What you will bring

A desire to drive your future and accelerate your career. You will bring experience and knowledge in:

  • Information security, compliance and risk management
  • Understanding security solutions and their applicability to Mondelēz International
  • Developing security strategies, awareness campaigns, policies/standards, and governance
  • Communicating effectively with technical specialists, leaders and peers
  • Commercially astute
  • Leadership and people management skills

About the Role

As a Fortune 100 global consumer packaged goods company operating across dozens of markets, our attack surface spans complex multi-cloud environments, global manufacturing and supply chain infrastructure, thousands of applications, and an increasingly interconnected OT/IoT ecosystem. The Head of Attack Surface Management is a critical senior leadership role responsible for unifying our exposure management capabilities into a single, accountable function that delivers continuous visibility, risk-based prioritization, and measurable reduction of our enterprise attack surface.

This leader will own the strategy, execution, and maturation of four integrated disciplines—Cloud Security Posture Management, Vulnerability Management, Offensive Security, and Application Security—ensuring they operate as a cohesive program. The successful candidate will combine deep technical expertise with executive presence, translating complex exposure data into business risk language that drives action at the highest levels of the organization.

This role is an exceptional opportunity to shape and lead a critical security function at one of the world's largest consumer packaged goods companies, protecting a brand portfolio trusted by billions of consumers globally.

Key Responsibilities

Strategic Leadership & Program Ownership

  • Own the end-to-end attack surface management strategy, roadmap, and operating model, aligning priorities to enterprise risk appetite and business objectives across a global CPG environment.
  • Establish unified standards for exposure scoring, risk-based prioritization, and SLA enforcement across all four disciplines.
  • Own the exposure management platform and tooling strategy, including build-vs-buy decisions, vendor consolidation, and integration architecture to deliver a single pane of glass for enterprise risk posture.
  • Build and present executive-level reporting on attack surface risk, remediation velocity, and residual exposure to the CISO, executive leadership, and Board-level audiences.

Cloud Security Posture Management (CSPM)

  • Drive cloud security posture management across multi-cloud environments (AWS, Azure, GCP), including misconfiguration detection, IAM entitlement risk analysis, and policy enforcement at scale.
  • Partner with cloud engineering and DevOps teams to embed preventive guardrails, IaC policies, and automated remediation, operating within the organization's Product and Platform model.
  • Ensure continuous compliance monitoring against regulatory frameworks across all cloud workloads, including containers, serverless, and managed services.

Vulnerability Management

  • Lead enterprise vulnerability management covering infrastructure, endpoints, network devices, and OT/IoT environments across global manufacturing and supply chain operations.
  • Establish and enforce scanning cadence, risk-based patching SLAs, exception governance, and escalation paths for aged or critical findings.
  • Own data quality, asset attribution, and integration between scanning platforms, CMDB, ticketing systems, and risk dashboards.

Offensive Security

  • Direct the offensive security function, including internal red team operations, penetration testing, purple team exercises, and adversary simulation aligned to real-world threat actor TTPs.
  • Ensure offensive findings feed directly into the vulnerability and remediation pipeline with clear SLAs, validating detection and response effectiveness with the SOC and detection engineering teams.

Application Security

  • Own application security across the entire SDLC, including SAST, DAST, SCA, secrets detection, container scanning, IaC security, and API security testing.
  • Partner with engineering and product leadership to embed security into CI/CD pipelines and shift remediation left, aligning AppSec as a platform capability for product teams.

Team Leadership & Vendor Management

  • Build, lead, and develop a high-performing team of managers and senior individual contributors across all four disciplines, including hiring, performance management, and succession planning.
  • Manage vendor relationships and commercial negotiations for scanning, ASM, CSPM, AppSec, and offensive security tooling, driving consolidation and value optimization.
  • Foster a culture of collaboration and continuous improvement, ensuring the team operates as an enabling platform service to internal product and platform partners.

Required Qualifications

  • 12+ years in cybersecurity with progressive leadership experience, including 5+ years managing multi-disciplinary security teams at a senior manager or director level.
  • Demonstrated ownership of at least two of the four core disciplines (CSPM, Vulnerability Management, Offensive Security, Application Security) at a program level—including strategy, budget, staffing, and executive reporting.
  • Experience operating within a Product and Platform operating model, delivering security capabilities as platform services that enable product teams to move fast and securely.
  • Strong working knowledge of cloud architecture and cloud-native security controls across AWS, Azure, and/or GCP in complex multi-cloud environments.
  • Hands-on experience with enterprise vulnerability management platforms (e.g., Tenable, Rapid7, Qualys), CSPM tools (e.g., Wiz, Prisma Cloud, Orca), and AppSec tooling (e.g., Snyk, Checkmarx, Veracode).
  • Familiarity with NIST CSF, MITRE ATT&CK, OWASP Top 10, CIS Controls, and CVE/CVSS/EPSS scoring methodologies.
  • Proven ability to communicate complex technical risk to non-technical executive audiences and drive cross-functional remediation accountability.
  • Bachelor's degree in Computer Science, Cybersecurity, Engineering, or related field—or equivalent professional experience.
  • Relevant certifications preferred: CISSP, OSCP, GPEN, GXPN, CISM, or equivalent.

Preferred Qualifications

  • Experience in a large, global enterprise environment, ideally within CPG, manufacturing, retail, or industries with complex supply chain and OT/IoT environments.
  • Track record of presenting cyber risk posture to executive leadership and Board of Directors, including translating exposure metrics into financial risk quantification.
  • Demonstrated success consolidating fragmented security functions into a unified exposure management program with measurable risk reduction outcomes.
  • Experience with CAASM/EASM platforms and risk-based prioritization frameworks beyond raw CVSS scoring (e.g., EPSS, business context enrichment, asset criticality weighting).
  • Experience operating in regulated environments across SOX, GDPR, FDA, PCI-DSS, or equivalent frameworks.
  • MBA or advanced degree in a relevant field is a plus.

Additional Information

  • Reports To: Chief Information Security Officer (CISO)
  • Work Schedule: standard working hours (Mon-Fri). This is a remote position; candidate must be located in the UK.
  • This is a full-time position with permanent contract.
  • Travel requirements: candidate must have availability for travelling according to business needs.

​

&#xa;&#xa;

No Relocation support available

Business Unit Summary

At Mondelēz International, our purpose is to empower people to snack right by offering the right snack, for the right moment, made the right way. That means delivering a broad range of delicious, high-quality snacks that nourish life's moments, made with sustainable ingredients and packaging that consumers can feel good about.

We have a rich portfolio of strong brands globally and locally including many household names such as Oreo, belVita and LU biscuits; Cadbury Dairy Milk, Milka and Toblerone chocolate; Sour Patch Kids candy and Trident gum. We are proud to hold the top position globally in biscuits, chocolate and candy and the second top position in gum.

Our 80,000 makers and bakers are located in more than 80 countries and we sell our products in over 150 countries around the world. Our people are energized for growth and critical to us living our purpose and values. We are a diverse community that can make things happen—and happen fast.

Mondelēz International is an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, gender, sexual orientation or preference, gender identity, national origin, disability status, protected veteran status, or any other characteristic protected by law.

Job Type

Regular

Information Security

Technology & Digital

Apply now

Company benefits

Open to part-time employees
Open to job sharing
Open to compressed hours
Health insurance
Mental health platform access
Enhanced maternity leave
Enhanced paternity leave
Adoption leave
Shared parental leave
Tax-free childcare
Cycle to work scheme
On-site gym
Faith rooms
Salary sacrifice
Life assurance
Annual pay rises
Annual bonus
Sabbaticals
Company car
Skilled worker visas
Volunteer days
Charity donation scheme
Lunch and learns
Enhanced pension match/contribution
Family health insurance
Religious celebration leave
Equity packages
Share options
401K
Referral bonus
Further education support
Mentoring
Open to part time work for some roles
Critical Illness Insurance
On-site catering
Secure on-site parking
Bike parking

Working at Mondelēz International

Company employees:

4500

Gender diversity (m:f):

55:45

Hiring in countries

Austria

Belgium

Brazil

Bulgaria

Croatia

Czechia

Finland

France

Georgia

Germany

Greece

Hungary

India

Awards & Accreditations

Most loved - Medium companies

Top 5 - Most loved - Medium companies

Flexa awards 2026
Most Flexible Company

Top 5 - Most Flexible Company

Flexa awards 2026
Most Family Friendly Company

Top 5 - Most Family Friendly Company

Flexa awards 2025
Best Career Progression

Top 10 - Best Career Progression

Flexa awards 2025
Most Flexible Company

Most Flexible Company

Flexa awards 2025
Most Inclusive Company

Most Inclusive Company

Flexa awards 2025
Most flexible companies

Most flexible companies

Flexa100 2024
Consumer Goods

Consumer Goods

Industry awards 2023

Other jobs you might like

  • Tesco

    Head of Platform Security

    Welwyn Garden City, UK

  • EY UK

    Manager, TPRM, Cyber Security, Financial Services

    Bristol

    #2 MOST INCLUSIVE COMPANY
  • Tesco

    Security Engineering Manager - Workplace Technology

    Welwyn Garden City, UK

Flex spring

Join the mailing list

Get the latest insights and expert guidance on job hunting, career progression, and creating thriving workplaces.

Enter your email
  • About us
  • Contact us
  • FAQs
  • Info for employers
  • Join Flexa
  • Legal
  • Live feed
  • Pioneer awards
  • Resources
  • Sign in/up
  • The Flexa awards
Flexa

Ireland

Italy

Kazakhstan

Lithuania

Netherlands

Norway

Philippines

Poland

Portugal

Romania

Serbia

Slovakia

Spain

Sweden

Switzerland

Türkiye

Ukraine

United Kingdom

Office Locations

  • Accenture UK

    Zero Trust Security Lead - London

    London | United Kingdom

  • Vodafone

    CNAPP Operations Manager

    LISBOA, Portugal

    #1 MOST LOVED - ENTERPRISE COMPANIES