Reading the environment
The smoke marks on the ceiling tell you the dragons have been here a while. You do not need a network diagram to start forming hypotheses. The job posting, the scale of the operation, and the language people use when they describe what they do: all of it is signal.
Scale and complexity
380 employees is large enough for dedicated IT staff and application administrators, but it is not enterprise-scale. No dedicated IT architect has existed before this role, which means architectural decisions have been made implicitly, by whoever was available, under time pressure, at the moment a problem needed solving. The organisation has outgrown its IT posture without necessarily noticing.
The 200,000 members, donors, and volunteers are the data risk surface. They are not employees. They are people who gave the organisation their trust and their bank details because they believe in what the Home does. Their data is the reason the security work matters.
What the job posting reveals
A job posting is a compressed view of an organisation’s anxiety. Parse it carefully.
The call to assess whether new tools fit within agreed frameworks is specific language. It implies tools are being acquired outside agreed frameworks, not maliciously, but through convenience, departmental autonomy, and the permanent pressure to get things done with a team that is always slightly too small. This is shadow IT. It is normal. Knowing it is happening before you arrive puts you ahead.
The explicit mention of responsible AI as a responsibility is a signal that someone in the organisation is aware of AI adoption and does not yet have a policy framework for it. That combination, awareness without governance, is usually the result of organic uptake. Someone is using something. Nobody has decided what the rules are yet.
The focus on awareness, foundations, and policy rather than detection, threat hunting, or incident response maturity places the security programme clearly in early-stage territory. The work here is laying groundwork, not maintaining a programme. That is a different job, with a different set of first moves.
What the scale implies about culture
An organisation of this size, without a previous architect, has been running on informal knowledge and individual expertise. People know things that are not written down. The person who configured the firewall may have moved on. The integration between the membership database and the donation platform may be documented in an email thread from three years ago, if it is documented at all. The informal security culture is not a failure. It is what happens when goodwill, resource constraints, and operational urgency share a building long enough.
None of this is unusual. None of it is unfixable. The first step is not fixing anything. It is listening: to the people who have been here, to the systems they have built, and to the gaps they have learned to work around.