TUI Group • Matosinhos Municipality, Portugal; Lisbon, Portugal; Flexible

Security Architect

Employment type: Full time

Job Description

Application Closing Date: 17 June 2026
Please note that in case of a high number of applications we might need to close the role ealier than the application closing date - so don't delay!

We're looking for a talented technical leader to join our newly formed Security Architecture team and drive control implementation across TUI's CISA-aligned Zero Trust programme. You'll be the primary driver of measurable security progress, converting strategy into deployed, verifiable controls that reduce real risk across our global technology estate.

ABOUT OUR OFFER

Personal benefits: Attractive remuneration, exclusive travel perks & discounts, extensive health & wellbeing support, and more.
Flexible working: Work is something you do, not somewhere you go. We encourage a healthy work-life balance and offer hybrid or remote working models.
A career to shape: Opportunities to upskill, reskill and grow your career. Access the TUI Tech Learning Hub to level-up and reach your ambitions.
Expand your horizons: Participate in our tech communities and collaborate on global projects and teams.
Community: Get involved with incredible local charity and sustainability initiatives like the TUI Care Foundation and the Sustainable Tech Community.

ABOUT THE JOB

You'll drive control implementation across all five CISA Zero Trust pillars - dentity, Devices, Networks, Applications and Workloads, and Data - translating pillar OKR commitments into specific, sequenced control deployments with defined owners, timelines, and measurable success criteria.
Owning the measurement framework for Zero Trust maturity progression will be central to your role, using Microsoft Security Exposure Management, Maester security assessments, and Microsoft Secure Score to track control status changes, maintain time-series data, and escalate stalled controls before they impact quarterly OKR targets.
Working directly with pillar owners - Identity, Devices, Network, Applications, and Data leads - you'll convert high-priority workshop outputs into active delivery backlogs, challenging shared ownership arrangements and ensuring each control has a single named owner with budget authority.
You'll provide technical depth across pillar-specific control areas including Conditional Access policy design, Entra ID Governance, PIM, phishing-resistant MFA deployment, trusted device strategy, Intune policy enforcement, network segmentation, secure remote access patterns, application ownership models, Entra SSO integration, API security governance, and data loss prevention aligned to the Secure Future Initiative.
Triaging Microsoft Secure Score recommendations against pillar OKR priorities will be part of your day-to-day, as you assign each recommendation to the correct pillar owner with delivery timelines, track closure rates, and separate high-impact risk-reducing controls from low-value compliance activities.
You'll generate evidence of risk reduction for board reporting and cyber insurance renewal, presenting Zero Trust progress in terms of attack surface change and business impact rather than framework terminology.

ABOUT YOU

You have a demonstrable track record of delivering Zero Trust control implementation - not just designing it - across enterprise environments, with practical understanding of the CISA Zero Trust Maturity Model across all five pillars and the ability to assess current state against Traditional, Initial, Advanced, and Optimal maturity stages.
Evidence of driving security control implementation through delivery teams in large, complex organisations is essential, as you distinguish between controls that have been deployed and verified versus those that have only been documented or recommended, actively rejecting activity-based metrics in favour of outcome-based measurement.
Hands-on experience with Microsoft Security Exposure Management, Microsoft Secure Score, Maester, and the Microsoft Defender suite enables you to extract control status data, interpret attack path exposure metrics, and use tooling output to drive delivery prioritisation and evidence compilation.
Your proficiency with Entra ID, Intune, Defender for Endpoint, and Defender for Office 365 as control implementation platforms means you can provide technical depth across Identity, Devices, Networks, Applications, and Data pillar-specific control areas.
You're able to identify and challenge shared ownership arrangements that prevent control implementation, assigning single accountable owners to controls and holding them to delivery commitments, understanding that a control without a named, funded owner is an unmanaged risk.
Experience working within an OKR framework where key results are tied to measurable security outcomes is important, as you understand that programme maturity is measured by controls implemented and attack surface reduced - not by documents produced or workshops delivered.
Operating within or alongside a formal security architecture governance function comes naturally to you, as you contribute to quarterly reporting cadences and multi-team delivery coordination across complex enterprise environments.
You're highly autonomous and able to identify what needs to happen next without being directed, taking ownership of blockers and working comfortably across organisational boundaries to challenge delivery teams when progress is below expectation.
Being comfortable with ambiguity in an actively evolving programme is essential, as you adjust your approach based on what measurement data shows and stay motivated by reducing actual risk rather than achieving compliance posture.

From a workplace to a place to belong. At TUI we embrace diversity, equity, and inclusion, encouraging everyone to come as you are, because together, our potential is limitless.

We are committed to supporting candidates with disabilities and impairments so if you require any support, please do let us know.

Apply now

Company benefits

Accrued annual leave

Adoption leave – In the UK, an enhanced pay scheme if you’re on maternity, adoption, partner or shared parental leave along with additional support as you begin your new family adventure.

Annual bonus

Annual pay rises

Bank holiday swaps

Neurodiversity assessment – As part of our private medical cover (available to eligible colleagues), you'll get access to Neurodiversity Assessment and Support for you and eligible family members aged 7 and over

Buy or sell annual leave

Car allowance

Career and family coaching

Carer’s leave

Charity donation scheme

Chill out zone

Cinema discounts

Coaching

Coffee discounts – Subsidised Costa coffee in our Luton, UK office.

Collaboration spaces – In Luton - Brand-new games area with a pool table which doubles as a ping pong table, a darts board, an air hockey table and sofa seats

Company freebies

Compassionate leave

Complimentary Medical Services

Cycle to work scheme

Dental coverage

Eldercare services

Electric Car Salary Sacrifice

Emergency leave

Employee assistance programme

Employee discounts

Employee recognition scheme – Regular recognition across the year.

Enhanced maternity leave

Enhanced paternity leave

Enhanced pension match/contribution

Eye Care Support

Faith rooms

Financial advice

Financial coaching

Further education support

Gym membership

Hackathons

Health insurance

In house training – Whole host of global learning opportunities available to all colleagues to sign up to monthly.

L&D budget

Language lessons

Learning platform

Life assurance – We provide a Life Assurance benefit which means that in the event of your death, while employed by TUI, a lump sum would be payable to your beneficiaries.

Life insurance

Lunch and learns

Meditation space

Menopause support

Mental health platform access

Mentoring

Neo-natal leave

On-site catering

On-site wellness room – In Luton - wellbeing room dedicated to physical and mind wellbeing which complements our existing male and female faith and reflection rooms

Open to part time work for some roles

Personal development days

Physiotherapy

Pregnancy loss leave

Pregnancy support

Private GP service – 24/7 virtual GP available as part of our EAP in the UK&I.

Religious celebration leave

Restaurant discounts

Sabbaticals

Salary sacrifice

Share options

Shared parental leave

Teambuilding days

Travel credit

Travel insurance

Volunteer days

Will writing

Work from anywhere scheme – TUI WORKWIDE means colleagues can work from abroad for up to 30 working days a year

Work from home budget – For our remote colleagues.

Health cash plan

Health assessment

Mental health support

Women’s health support

Study support

Ergonomic workstations

On-site barista – Costa coffee on offer in our Luton, UK office.

Modern office – Brand-new office opening in Autumn 2026 for UK colleagues based in Luton.

On-site shower

Private booths

Secure on-site parking

Additional voluntary pension contribution

Death in service

Legal consults

Open to compressed hours

Women’s health leave

Professional subscriptions

Personal development budgets

Working at TUI Group

Company employees:

66,845 globally

Gender diversity (m:f):

43:57

Hiring in countries

Aruba

Austria

Belgium

Cabo Verde

Caribbean Netherlands

Costa Rica

Croatia

Curaçao

Egypt

Germany

Greece

Ireland

Italy

Awards & Accreditations

1st - Most Flexible Company

Flexa awards 2026

Top 5 - Best Work-Life Balance

Flexa awards 2026

1st - Best Career Progression

Flexa awards 2025

2nd - Most Flexible Company

Flexa awards 2025

WFA

Flexa awards 2025

Most Inclusive Company

Flexa awards 2025

Most flexible companies

Flexa100 2024

Job Description

Application Closing Date: 17 June 2026
Please note that in case of a high number of applications we might need to close the role ealier than the application closing date - so don't delay!

ABOUT OUR OFFER

Personal benefits: Attractive remuneration, exclusive travel perks & discounts, extensive health & wellbeing support, and more.

Flexible working: Work is something you do, not somewhere you go. We encourage a healthy work-life balance and offer hybrid or remote working models.

A career to shape: Opportunities to upskill, reskill and grow your career. Access the TUI Tech Learning Hub to level-up and reach your ambitions.

Expand your horizons: Participate in our tech communities and collaborate on global projects and teams.

Community: Get involved with incredible local charity and sustainability initiatives like the TUI Care Foundation and the Sustainable Tech Community.

ABOUT THE JOB

You'll drive control implementation across all five CISA Zero Trust pillars - dentity, Devices, Networks, Applications and Workloads, and Data - translating pillar OKR commitments into specific, sequenced control deployments with defined owners, timelines, and measurable success criteria.

Owning the measurement framework for Zero Trust maturity progression will be central to your role, using Microsoft Security Exposure Management, Maester security assessments, and Microsoft Secure Score to track control status changes, maintain time-series data, and escalate stalled controls before they impact quarterly OKR targets.

Working directly with pillar owners - Identity, Devices, Network, Applications, and Data leads - you'll convert high-priority workshop outputs into active delivery backlogs, challenging shared ownership arrangements and ensuring each control has a single named owner with budget authority.

You'll provide technical depth across pillar-specific control areas including Conditional Access policy design, Entra ID Governance, PIM, phishing-resistant MFA deployment, trusted device strategy, Intune policy enforcement, network segmentation, secure remote access patterns, application ownership models, Entra SSO integration, API security governance, and data loss prevention aligned to the Secure Future Initiative.

Triaging Microsoft Secure Score recommendations against pillar OKR priorities will be part of your day-to-day, as you assign each recommendation to the correct pillar owner with delivery timelines, track closure rates, and separate high-impact risk-reducing controls from low-value compliance activities.

You'll generate evidence of risk reduction for board reporting and cyber insurance renewal, presenting Zero Trust progress in terms of attack surface change and business impact rather than framework terminology.

ABOUT YOU

You have a demonstrable track record of delivering Zero Trust control implementation - not just designing it - across enterprise environments, with practical understanding of the CISA Zero Trust Maturity Model across all five pillars and the ability to assess current state against Traditional, Initial, Advanced, and Optimal maturity stages.

Evidence of driving security control implementation through delivery teams in large, complex organisations is essential, as you distinguish between controls that have been deployed and verified versus those that have only been documented or recommended, actively rejecting activity-based metrics in favour of outcome-based measurement.

Hands-on experience with Microsoft Security Exposure Management, Microsoft Secure Score, Maester, and the Microsoft Defender suite enables you to extract control status data, interpret attack path exposure metrics, and use tooling output to drive delivery prioritisation and evidence compilation.

Your proficiency with Entra ID, Intune, Defender for Endpoint, and Defender for Office 365 as control implementation platforms means you can provide technical depth across Identity, Devices, Networks, Applications, and Data pillar-specific control areas.

You're able to identify and challenge shared ownership arrangements that prevent control implementation, assigning single accountable owners to controls and holding them to delivery commitments, understanding that a control without a named, funded owner is an unmanaged risk.

Experience working within an OKR framework where key results are tied to measurable security outcomes is important, as you understand that programme maturity is measured by controls implemented and attack surface reduced - not by documents produced or workshops delivered.

Operating within or alongside a formal security architecture governance function comes naturally to you, as you contribute to quarterly reporting cadences and multi-team delivery coordination across complex enterprise environments.

You're highly autonomous and able to identify what needs to happen next without being directed, taking ownership of blockers and working comfortably across organisational boundaries to challenge delivery teams when progress is below expectation.

Being comfortable with ambiguity in an actively evolving programme is essential, as you adjust your approach based on what measurement data shows and stay motivated by reducing actual risk rather than achieving compliance posture.

From a workplace to a place to belong. At TUI we embrace diversity, equity, and inclusion, encouraging everyone to come as you are, because together, our potential is limitless.

We are committed to supporting candidates with disabilities and impairments so if you require any support, please do let us know.